[OpenID] Is OpenID truly user-centric and OP-independent? (WAS: Bug in OpenID RP implementations)
Andrew Arnott
andrewarnott at gmail.com
Fri Jan 2 03:13:04 UTC 2009
An additional thought...
If we were willing to concede that large OPs such as Microsoft, Google and
Yahoo! will be around forever and will never charge their users for their
OpenIDs, then perhaps we could do away with the technological hurdle and
just work at convincing these big players to be willing to use XRDS docs
instead of mere HTML tags and give their users the power to change the XRDS
document (including adding and removing OPs from the list). The purpose
being that if I had an OpenID that I was locked into using due to existing
accounts with RPs such as http://openid.live.com/andrew and I wanted to
switch from Live ID to Yahoo, then I could just visit my Live ID identity
page, change a few options, and suddenly my Live ID identity page will start
sending RPs to Yahoo instead of Live ID auth.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire
On Thu, Jan 1, 2009 at 7:49 PM, Andrew Arnott <andrewarnott at gmail.com> wrote:
> Peter, I split your message off into a new thread because you bring up an
> excellent point that I believe merits further discussion, but is less
> related to the original thread.
>
> I just want to add a few thoughts, all of which center on the *average* user.
>
> First allow me to declare my assumptions on the average user:
>
> 1. Will not own a domain name of their own and will not want to pay an
> annual domain name fee.
> 2. Will not understand what a web hosting service is
> 3. Will not understand XRDS or HTML tags.
> 4. (currently) Barely understands how they can log into some random
> site using their Yahoo! credentials, and doesn't know or care whether OpenID
> is used behind the scenes.
> 5. (currently) Has not heard of OpenID and has no idea how to log in
> with one.
> 6. (soon) Might use OpenID without knowing it by clicking on a big name
> OP that they're familiar with and using directed identity.
>
> Two ideals in OpenID (not a comprehensive list)
>
> 1. OpenID achieves the decentralization of identity providers. Kudos.
> 2. OpenID promises provider-neutrality of your identity by allowing
> identity pages to be hosted independent of any OP that can be easily
> redirected to whatever OP the user wants to use.
>
> Both of these ideals of OpenID are very worthwhile and desirable IMO. But
> the second one cannot possibly come true for the average user as far as I
> can imagine. There is *no* way to have a Claimed Identifier that can
> withstand a change in its hosted provider unless the user owns his own
> domain name. The average user won't know that they should (let alone *how
> *) add a layer of indirection to their OP-provided identity page in order
> to give themselves greater flexibility in the future and avoid vendor
> lock-in.
>
> The only way to achieve the second ideal then would be for the OPs to
> somehow have the capability to offer their users a Claimed Identifier that
> will survive even if the user chooses to cancel their account with that OP
> at a later date. Even if this were technologically possible, convincing the
> major OPs (that most users will pick whether knowingly or unknowingly) to
> offer all their customers a default behavior that would make it easier for
> the customer to leave the OP would be very difficult. From the OPs business
> perspective it wouldn't make sense to do that. But of course from the
> user-perspective it makes perfect sense and should be done.
>
> I used to think that XRIs were the answer to the technological hurdle. But
> unless the user is paying an annual fee for a root-level i-name and hosting
> the XRDS doc, the user is bound by an =*OP**name prefix to their i-name
> and therefore forever bound to that OP for their identity.
>
> Can anyone else suggest a solution to the technological and business
> problems associated with achieving ideal #2?
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - Voltaire
>
>
> On Thu, Jan 1, 2009 at 6:30 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
>
>> I think this is the most important lesson (especially if UCI is the
>> actual vision, in contrast to openid being a submarine reinvention of TTP IDPs,
>> a la Shib).
>>
>> I've felt for a long time that there have to be two services: one aimed
>> purely at the user (and not provided by OPs), and then one provided by the
>> OP. I kept experimenting with this distinction over and over – but I always
>> felt like the wacky weirdo – especially once the directed identity service
>> from the OPs came along.
>>
>> After all, "Real" users just subscribe to Yahoo, Google, Myopenid OPs. But
>> those who fall prey to the indoctrination of those portal mindshare wars,
>> are not really getting "openid". They are just being drawn into the typical
>> hub-spoke networking model. It's EDI all over again. You're free to send your
>> business document anywhere, as long as they are a member of the same hub.
>>
>> We just have to remember that, for business-class users, it's just not
>> enough to have an OP account(s) with your favorite portal(s) (google, live,
>> pip), which provision you their various openids. You must have an additional
>> service, which is probably separate from that which any OP offers. In that
>> addition, you own and control the XRDS/HTML file – through which you can
>> express full control and get what the UCI in openid promises/promised.
>>
>> Ok. Lets test the reality.
>>
>> Is there a semi-commercial site out there, aimed at 50+ year old users,
>> that does little else other than allow such folks with pretty average IT
>> skills to maintain their (non-OP) identity page, featuring op selection
>> (i.e. reinforces the multiple-nyms concept) and delegation (allows control
>> over https authentication endpoints, and facilitate login portability)?
>>
>> I know I can sell the portability benefit of openid (as they all remember
>> the analogous (pre-Neustar) days …when phone companies would not let you
>> move your phone number between national carriers).
>>
>> Then, is there any "major" OP (google, live, yahoo, myspace?) that offers
>> _*both*_ services?
>>
>> It doesn't count as an "offer" if I, Jeanette the Realtor, have to
>> literally edit an XRDS or HTML file or even conceive of tags, meta-anything,
>> denotational semantics or anthropomorphic identifiers with a polymorphic
>> bent (or any other wonderfully inventive logic that we computer scientists
>> love to talk about).
>>
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
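The "layer of indirection" the thread keeps coming back to is the OpenID delegation mechanism: the Claimed Identifier is the URL of a page the user owns, and that page (in HTML via openid2.provider / openid2.local_id link relations, or in an XRDS document via a signon Service element) names which OP actually authenticates. The example below is added here and is not code from the original posts; it is a minimal RP-side discovery routine plus a rendering of such an identity page, and every hostname in it (op-a.example, op-b.example, andrew's local IDs) is a constructed placeholder rather than any real OP endpoint. It shows the thing Andrew describes: switch two tags on the user-owned page and the same Claimed Identifier starts sending RPs to a different OP.

```python
"""Added example, not from the original thread: OpenID 2.0 discovery against
a user-owned identity page, in HTML and XRDS form. All hostnames below are
constructed placeholders."""
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"
XRD_NS = "xri://$xrd*($v*2.0)"


class _LinkCollector(HTMLParser):
    """Collects <link rel=... href=...> pairs. A rel attribute may carry
    several space-separated values; the first href seen for a rel wins."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        if not href:
            return
        for rel in (attrs.get("rel") or "").split():
            self.links.setdefault(rel.lower(), href)


def discover_html(page):
    """HTML-based discovery: prefer the OpenID 2.0 link relations, fall back
    to the 1.x ones, return None if the page delegates to nobody."""
    parser = _LinkCollector()
    parser.feed(page)
    links = parser.links
    if "openid2.provider" in links:
        return {"version": 2,
                "op_endpoint": links["openid2.provider"],
                "local_id": links.get("openid2.local_id")}
    if "openid.server" in links:
        return {"version": 1,
                "op_endpoint": links["openid.server"],
                "local_id": links.get("openid.delegate")}
    return None


def discover_xrds(doc):
    """XRDS-based discovery: every OpenID 2.0 signon Service, ordered by the
    XRDS 'priority' attribute (lower number preferred; no attribute = last).
    Listing several lets the owner keep a fallback OP in the same document."""
    root = ET.fromstring(doc)
    found = []
    for order, svc in enumerate(root.iter("{%s}Service" % XRD_NS)):
        types = [t.text.strip() for t in svc.findall("{%s}Type" % XRD_NS) if t.text]
        if OPENID2_SIGNON not in types:
            continue
        uri = svc.find("{%s}URI" % XRD_NS)
        if uri is None or not uri.text:
            continue
        local = svc.find("{%s}LocalID" % XRD_NS)
        local_id = local.text.strip() if local is not None and local.text else None
        prio = svc.get("priority")
        prio = int(prio) if prio is not None else float("inf")
        found.append((prio, order, uri.text.strip(), local_id))
    found.sort(key=lambda e: (e[0], e[1]))
    return [{"op_endpoint": u, "local_id": l} for _, _, u, l in found]


def render_identity_page(op_endpoint, local_id):
    """The user-owned identity page. Its URL is the Claimed Identifier; which
    OP answers for it is just these two tags, which the owner can change."""
    return ('<html><head>\n'
            '<link rel="openid2.provider" href="%s">\n'
            '<link rel="openid2.local_id" href="%s">\n'
            '</head><body>My identity page</body></html>' % (op_endpoint, local_id))


# Constructed sample inputs (placeholder hosts, not real OPs).
LEGACY_PAGE = """<html><head>
<link rel="openid.server" href="https://op-a.example/endpoint">
<link rel="openid.delegate" href="https://op-a.example/id/andrew">
</head><body></body></html>"""

SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-a.example/endpoint</URI>
      <LocalID>https://op-a.example/id/andrew</LocalID>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-b.example/endpoint</URI>
      <LocalID>https://op-b.example/id/andrew</LocalID>
    </Service>
    <Service>
      <Type>http://example.org/unrelated-service</Type>
      <URI>https://other.example/</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

if __name__ == "__main__":
    before = render_identity_page("https://op-a.example/endpoint", "https://op-a.example/id/andrew")
    after = render_identity_page("https://op-b.example/endpoint", "https://op-b.example/id/andrew")
    print("before switch:", discover_html(before)["op_endpoint"])
    print("after switch: ", discover_html(after)["op_endpoint"])
    print("xrds order:   ", [s["op_endpoint"] for s in discover_xrds(SAMPLE_XRDS)])
```

The security point this makes concrete: whoever can edit the identity page chooses the OP, so an RP must do the check OpenID 2.0 requires on the return leg, re-running discovery on the Claimed Identifier and confirming that the OP endpoint which signed the assertion is one the page actually lists. That same property is what gives the user portability: change the tags, and RPs that keyed the account to the page URL follow the user to the new OP without the old OP's cooperation.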