[OpenID] Is OpenID truly user-centric and OP-independent? (WAS: Bug in OpenID RP implementations)

Andrew Arnott andrewarnott at gmail.com
Fri Jan 2 02:49:44 UTC 2009


Peter, I split your message off into a new thread because you bring up an
excellent point that I believe merits further discussion, but is less
related to the original thread.

I just want to add a few thoughts, all of which center on the *average* user.

First allow me to declare my assumptions on the average user:

   1. Will not own a domain name of their own and will not want to pay an
   annual domain name fee.
   2. Will not understand what a web hosting service is.
   3. Will not understand XRDS or HTML tags.
   4. (currently) Barely understands how they can log into some random site
   using their Yahoo! credentials, and doesn't know or care whether OpenID is
   used behind the scenes.
   5. (currently) Has not heard of OpenID and has no idea how to log in with
   one.
   6. (soon) Might use OpenID without knowing it by clicking on a big-name
   OP that they're familiar with and using directed identity.

Two ideals in OpenID (not a comprehensive list)

   1. OpenID achieves the decentralization of identity providers.  Kudos.
   2. OpenID promises provider-neutrality of your identity by allowing
   identity pages to be hosted independently of any OP, so that they can be
   easily redirected to whatever OP the user wants to use.

Both of these ideals of OpenID are very worthwhile and desirable IMO.  But
the second one cannot possibly come true for the average user as far as I
can imagine.  There is *no* way to have a Claimed Identifier that can
withstand a change in its hosted provider unless the user owns his own
domain name.  The average user won't know that they should (let alone *how*)
add a layer of indirection to their OP-provided identity page in order to
give themselves greater flexibility in the future and avoid vendor lock-in.

The only way to achieve the second ideal then would be for the OPs to
somehow have the capability to offer their users a Claimed Identifier that
will survive even if the user chooses to cancel their account with that OP
at a later date.  Even if this were technologically possible, convincing the
major OPs (that most users will pick whether knowingly or unknowingly) to
offer all their customers a default behavior that would make it easier for
the customer to leave the OP would be very difficult.  From the OPs business
perspective it wouldn't make sense to do that.  But of course from the
user-perspective it makes perfect sense and should be done.

I used to think that XRIs were the answer to the technological hurdle.  But
unless the user is paying an annual fee for a root-level i-name and hosting
the XRDS doc, the user is bound by an =OP*name prefix to their i-name and
therefore forever bound to that OP for their identity.

Can anyone else suggest a solution to the technological and business
problems associated with achieving ideal #2?

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Thu, Jan 1, 2009 at 6:30 PM, Peter Williams <pwilliams at rapattoni.com> wrote:

>  I think this is the most important lesson (especially if UCI is the
> actual vision, in contrast to openid being a submarine reinvention of TTP IDPs,
> a la Shib).
>
> I've felt for a long time that there have to be two services: one aimed
> purely at the user (and not provided by OPs), and then one provided by the
> OP. I kept experimenting with this distinction over and over – but I always
> felt like the wacky weirdo – especially once the directed identity service
> from the OPs came along.
>
> After all, "Real" users just subscribe to Yahoo, Google, Myopenid OPs. But
> those who fall prey to the indoctrination of those portal mindshare wars
> are not really getting "openid". They are just being drawn into the typical
> hub-spoke networking model.  It's EDI all over again. You're free to send your
> business document anywhere, as long as they are a member of the same hub.
>
> We just have to remember that, for business-class users, it's just not
> enough to have an OP account(s) with your favorite portal(s) (google, live,
> pip), which provision you their various openids. You must have an additional
> service, which is probably separate from that which any OP offers. In that
> addition, you own and control the XRDS/HTML file – through which you can
> express full control and get what the UCI in openid promises/promised.
>
> Ok. Let's test the reality.
>
> Is there a semi-commercial site out there, aimed at 50+ year old users,
> that does little else other than allow such folks with pretty average IT
> skills to maintain their (non-OP) identity page, featuring op selection
> (i.e. reinforces the multiple-nyms concept) and delegation (allows control
> over https authentication endpoints, and facilitates login portability)?
>
> I know I can sell the portability benefit of openid (as they all remember
> the analogous (pre-Neustar) days … when phone companies would not let you
> move your phone number between national carriers).
>
> Then, is there any "major" OP (google, live, yahoo, myspace?) that offers
> *both* services?
>
> It doesn't count as an "offer" if I, Jeanette the Realtor, have to
> literally edit an XRDS or HTML file or even conceive of tags, meta-anything,
> denotational semantics or anthropomorphic identifiers with a polymorphic
> bent (or any other wonderfully inventive logic that we computer scientists
> love to talk about).
>