[OpenID] Is OpenID truly user-centric and OP-independent? (WAS: Bug in OpenID RP implementations)

Martin Atkins mart at degeneration.co.uk
Fri Jan 2 03:09:05 UTC 2009


Andrew Arnott wrote:
> 
> Both of these ideals of OpenID are very worthwhile and desirable IMO.  But
> the second one cannot possibly come true for the average user as far as I
> can imagine.  There is *no* way to have a Claimed Identifier that can
> withstand a change in its hosted provider unless the user owns his own
> domain name.  The average user won't know that they should (let alone *how*)
> add a layer of indirection to their OP-provided identity page in order to
> give themselves greater flexibility in the future and avoid vendor lock-in.
> 

As with most things in OpenID, we can look to email for inspiration.

Email suffers a similar problem. Most users get their email address from 
a provider whose domain is reflected in the email address. How do users 
deal with this problem for email? There are a number of answers:

* They don't. Most users are quite happy with the idea that they're 
attached to a specific provider and that their email address will change 
if they move providers.

* Third-party services provide the layer of indirection. This can either 
just be another service provider domain such as bigfoot.com (though 
arguably this doesn't solve the problem at all) or an all-in-one 
"register a vanity domain with us and we'll forward your email for you" 
package as offered by hundreds of domain vendors.

* Users buy their own domains and set up their own email servers, or pay 
someone else to do it for them. This is how businesses often approach 
this problem; most companies with more than a few employees have their 
own email domain.

All three of these answers can equally apply to OpenID. The second 
relies on a service that is not commonly available for OpenID today, but 
there are already small examples of it out there, such as freeyourid.com.
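The "layer of indirection" under discussion is OpenID 2.0 delegation: the user's own identity page carries link tags naming the current OP, so a move to another OP only changes those tags while the Claimed Identifier stays the same. The following is an added example, not code from this thread or from any OpenID library; the hostnames and pages are constructed, while the link relations and the relying-party check are those of the OpenID Authentication 2.0 specification.

```python
from html.parser import HTMLParser

# Two versions of one user-controlled identity page (constructed sample HTML,
# not from any real site). The Claimed Identifier https://alice.example/ is
# unchanged; only the provider link tags change when the user moves OP.
PAGE_BEFORE_MOVE = """<html><head>
<link rel="openid2.provider" href="https://op-one.example/server">
<link rel="openid2.local_id" href="https://alice.op-one.example/">
</head><body>alice</body></html>"""

PAGE_AFTER_MOVE = """<html><head>
<link rel="openid2.provider" href="https://op-two.example/endpoint">
<link rel="openid2.local_id" href="https://op-two.example/u/alice42">
</head><body>alice</body></html>"""

class _LinkCollector(HTMLParser):
    """Collect the first href seen for each <link rel="..."> value."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.split():  # rel may hold several space-separated tokens
                self.links.setdefault(r.lower(), href)

def discover(claimed_id, html):
    """OpenID 2.0 HTML-based discovery (spec section 7.3.3) on a delegating page.

    Returns (claimed_id, op_endpoint, op_local_id). When openid2.local_id is
    absent, the OP-Local Identifier is the Claimed Identifier itself."""
    p = _LinkCollector()
    p.feed(html)
    endpoint = p.links.get("openid2.provider")
    if endpoint is None:
        raise ValueError("no openid2.provider link: page does not delegate")
    return claimed_id, endpoint, p.links.get("openid2.local_id", claimed_id)

def rp_accepts_assertion(claimed_id, html, asserted_identity, asserted_endpoint):
    """The RP-side check (spec section 11.2): the OP-Local Identifier and
    endpoint in a positive assertion must equal what discovery on the
    Claimed Identifier produced, so the RP's account stays keyed to the
    Claimed Identifier rather than to any one OP."""
    _claimed, endpoint, local_id = discover(claimed_id, html)
    return asserted_identity == local_id and asserted_endpoint == endpoint
```

An RP that stores the Claimed Identifier and re-runs discovery on every login keeps recognising Alice after the move; one that stored the OP-Local Identifier or the endpoint would treat her as a new user.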
