[OpenID] Is OpenID truly user-centric and OP-independent? (WAS: Bug in OpenID RP implementations)
Nate Klingenstein
ndk at internet2.edu
Fri Jan 2 03:19:39 UTC 2009
Andrew,

You gloss over #1 as a given, but I'm not at all convinced that it
is. There are at least four strong factors I've witnessed that are
nudging the real world away from decentralization:

1) The bundling of additional personal data and added services
alongside OpenID-based authentication raises the deployment and
information bar for any who hope to be able to play. As the major
providers gear up to offer a comparable service to Facebook Connect,
I expect to see this wedge driven deeper, even if it takes the form
of an "open stack" which could hypothetically be implemented by
independent sites.

2) The most elegant solution to discovery is a direct, friendly
button. Direct, friendly buttons don't lend themselves naturally
towards very many providers. Even if text boxes were used, it's
unclear what the visual cues would be, since some providers would
rather use email addresses, some would rather use XRI/URL with OpenID
branding, and some would rather use their own branding.

3) There is no trust framework. An RP places a lot of faith in an
OP to deliver users back safe and sound, even above and beyond
properly authenticated. When dealing with single major providers,
there's some solace here, but when dealing with the broad unknown
world, it could be a little scary for a service.

4) Interoperability, or lack thereof, is pretty random. We've seen
countless demonstrations of that on this list in just the last few
months.

Without addressing these, decentralization will face a serious upward
battle. With big centralized providers, it doesn't really matter
much what the protocol under the covers is anyway.

Take care,
Nate.

On 2 Jan 2009, at 02:49, Andrew Arnott wrote:
> 1. OpenID achieves the decentralization of identity providers. Kudos.