[OpenID] What are openids weaknesses?
Peter Williams
pwilliams at rapattoni.com
Mon Sep 3 13:07:04 UTC 2007
> For me at least, that's not the point. The point is: what can we do to
> make it better? (without changing the low-cost economics)
[Peter Williams] I want to see a plan for OpenID to "harmonize" its
position with the SAML and the Liberty world, by cooperating with wider
programs of activity. This means changing the marketing messaging of the
Foundation and advocating practical integration activities that take
into consideration that it's a multi-protocol world out there.
If we don't do this, the large potential relying-party adopters are just
left scratching their heads about OpenID, and will *do* nothing.
Federation and WebSSO is already hard enough to justify as a Relying
party, without that OpenID gnat from blogculture implying that your SAML
approach is wrong-headed. If it's wrongheaded, so is OpenID - nothing
I've seen in 2 months of technical investigation tells me OpenID's
counter-culture is that different to SAML. But, I'm still impressed by
OpenID - nonetheless. It's an interesting tweak, and is appealing.
> If there is a better plan, let's do it.
>
[Peter Williams] I've seen two groups offer olive branches. And neither
has been taken up, from what I can tell. OpenID simply has to be more
than a protocol spec. OpenID has to be a part of wider movements that
give it meaning beyond the next year. This means we have to have
liaisons to connect up with the wider world of WebSSO.
So, let's move OpenID culture beyond blogging, beyond easing the process
of registering yourself, beyond Higgins' grand-directory/grand-API,
beyond open source, beyond viral adoption, beyond blogURLs and
blogsites.
Let's move it into two areas that even for the established SAML culture
are "works in progress":-
(1) Let's take a gamble and use the URLness of OpenID to head for the
Semantic Web:
http://www.w3.org/2005/Talks/0407-swans-tbl/slide17-0.html. The FOAF
work we played with suggests it addresses entirely orthogonal issues,
which therefore complements the webSSO protocol work nicely. As the
DARPA initiative winds down, it needs other groups to run with some of
the results - otherwise the funds dedicated through such national
projects are wasted.
(2) Let's take a gamble and head for "advanced clients" that address a
wide range of IDP proxying issues:
http://xml.coverpages.org/LibertyAdvancedClient.html. I'm not suggesting
OpenID becomes an exercise in million dollar Liberty culture; only, that
we are part of where the current pulse is - on defining the wider future
of a multi protocol, multi provider, trust fabric. As cardspace+openid
is already in this area, so why not assume a cooperative stance, and be
part of the wider conversation - and then be known as the leader in the
particular low-price, open source, self-managing category?
If I have not made it clear yet, I have a user community that is just
begging for all this, if only someone can help it build a trust
fabric. And, it has to bridge mortgage banks who will buy million dollar
Liberty systems, with Realty MLS which SAML2 nicely addresses, with
small realty associations and brokers who can afford neither Liberty nor
SAML ... but will likely happily adopt an OpenID-centric culture, and
are typically happy to pay service/maintenance fees. But none of that
can occur, if the trust fabric does not allow for interworking cross
industry, cross culture, cross price ranges, and cross protocol.
Peter.