[OpenID] Yahoo hijacking?
SitG Admin
sysadmin at shadowsinthegarden.com
Sat Apr 19 01:24:49 UTC 2008
At 8:16 PM -0400 4/18/08, Max Metral wrote:
>I think we have to tread extremely carefully here. At some point, if
>OpenID is lucky, the benefits to using it will so far outweigh the
>problems (e.g. if the RP is down, if the RP hijacks the traffic, if the
>value of the membership is diminished because I don't get the strong
>brand affiliation, etc) that no one would think of rolling their own.
Wait, if OpenID is LUCKY? No one even *thinking* of "rolling their
own" would be considered a GOOD outcome?
Charge full speed ahead, I say! ;)
>But if, right now, I have the choice between a standard that has only
>partial major player adoption and even less end-user awareness AND has a
>non-negligible opportunity of completely losing a user, it ain't
>happening.
What, exactly, "ain't happening"? A standard that threatens to
"completely lose" users by letting them go out and play with everyone
else? As the saying goes,
"If you love somebody, let them go, for if they return, they were
always yours. And if they don't, they never were."
-Kahlil Gibran
Customer loyalty through lock-in is like ruling through fear
instead of respect; yes, they'll follow you, but only until they see
a chance to stab you in the back. Forcing customers to use *you* (or
an affiliated company) as the OP to receive the full value of their
membership from allied sites isn't a hard lock, but it does nerf
OpenID's potential for acting as a "market equalizer"; if users can
get full value at third-party sites *no matter who they use as their
OP*, they can switch to another OP not just when that site goes down
but *also* if they should suddenly happen to disagree with that OP's
business practices. If an OP embraces (or is revealed in supporting,
directly or through affiliates) reprehensible business practices, its
customers may wish to depart - and, if its competitors are any
better, they just may. That's the promise - and threat - OpenID
supports for the users. Lacking a "free market", the question is who
can do better at locking in their customers, but if the question of
who can give the customers more of what they want sounds easier to
answer, it then becomes worthwhile to accept technology and ideas
that support such freedoms :)
Full disclosure: I "blacklist" MyOpenID.com OPs (and similar
large-scale, dedicated OPs) that are used as that user's Identity,
but only for my (privileged) users and only by assigning them a
"second-class citizenship" just as LiveJournal.com does for *all*
OpenID users. I do this to encourage decentralization (if
MyOpenID.com went down or went bad, users could lose *all* of their
accumulated Identity, reputation, etcetera), but it's technically the
same method as I condemned above. The only real difference is in what
choice of OPs we're discouraging.
I consider the method itself to be inherently moral, though; since the
RP owns the data on the site, users have access to it only at
the RP's discretion and the RP can choose to restrict that access to
every other Tuesday for arbitrary users. Those users then have the
choice of either accepting this, or leaving the RP and conceding that
they have no further access to protected data on that site - the one
thing I do NOT want to hear from an OP is "Hey, my users are
complaining that you didn't give them superuser rights and access to
every page any other user can see." :)
-Shade