[OpenID] [LIKELY_SPAM]Re: Google OpenID IDP is now live

Martin Atkins mart at degeneration.co.uk
Wed Oct 29 21:20:32 UTC 2008


Eric Sachs wrote:
>  >> I hope I'm misunderstanding what you are saying and that you support the standard.
>  >> That's the hub and spoke model, pretending to be an open system.
> Hopefully my follow-on post clarified Dick & Peter's questions.
> 
> In fact, one of the questions I raised at the UX summit 
> <http://sites.google.com/site/oauthgoog/UXFedLogin/09nov-uxsummit> last 
> week was how an E-mail outsourcing service like our 
> GoogleAppsForYourDomain could offer this type of OpenID IDP as a service 
> to those domains.  Since we host thousands of such domains, the 
> auto-discovery aspects of OpenID are key.  However the challenge we face 
> is how to avoid lock-in.  In particular, we need a way for an 
> enterprise/ISP/school/etc. to start using our IDP, but later move it 
> somewhere else without breaking federated login for their users. 
>  Similarly, they should be able to run their own and then migrate it to 
> us.  OpenID provides a great set of abstraction layers to make this 
> possible, however there is still a lot more research we need to do into 
> the actual mechanics of getting that to work.
> 

Jumping off on a tangent being explored in another thread, this use-case 
is one of my main motivations for having DNS be the primary place for 
OpenID discovery in the email address case. While Google Apps does 
provide a service to host web pages on a domain, I don't think that many 
people actually use it in practice and instead have their website hosted 
somewhere else. That "somewhere else" could well be something based on a 
hosted CMS like Six Apart's TypePad, where it's not possible to 
arbitrarily enable HTTP-based XRDS discovery.

Domains using Google Apps for email and XMPP already have to tinker with 
their DNS to set MX and SRV records, so they ought to be able to add 
whatever extra information is necessary to make OpenID work.



