[OpenID] Is OpenID truly user-centric and OP-independent? (WAS: Bug in OpenID RP implementations)
Andrew Arnott
andrewarnott at gmail.com
Wed Jan 14 13:34:46 UTC 2009
Hi Martin,
I was thinking more about your point on how users are already accustomed to
being represented by their ISP for email. You have a good point there. In
fact, I've become convinced that there is no way to allow a user to maintain
his own OpenID identity independent of any OP or ISP given the profile of a
common Internet user today.
But then it dawned on me: InfoCard! I mean, yes of course I knew what it
was before, but after fully appreciating how difficult it could be to
achieve this self-hosting identity in OpenID, I came to more fully
appreciate how elegantly simple and exactly right InfoCard is. The user
truly is completely hosting their own self-issued cards. To the point where
there is no OP or ISP in the mix at all. Sounds pretty good to me.
Of course, I still feel OpenID has a huge space. It's easier to accept
OpenID than it is to accept InfoCard for a web site (for instance: RPs don't
have to implement HTTPS for it to be secure and replay-protected for
OpenID). I'm just not sure how big that space is in relation to InfoCard
any more.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire
On Thu, Jan 1, 2009 at 7:09 PM, Martin Atkins <mart at degeneration.co.uk> wrote:
> Andrew Arnott wrote:
> >
> > Both of these ideals of OpenID are very worthwhile and desirable IMO. But
> > the second one cannot possibly come true for the average user as far as I
> > can imagine. There is *no* way to have a Claimed Identifier that can
> > withstand a change in its hosted provider unless the user owns his own
> > domain name. The average user won't know that they should (let alone *how*)
> > add a layer of indirection to their OP-provided identity page in order to
> > give themselves greater flexibility in the future and avoid vendor lock-in.
> >
>
> As with most things in OpenID, we can look to email for inspiration.
>
> Email suffers a similar problem. Most users get their email address from
> a provider whose domain is reflected in the email address. How do users
> deal with this problem for email? There are a number of answers:
>
> * They don't. Most users are quite happy with the idea that they're
> attached to a specific provider and that their email address will change
> if they move providers.
>
> * Third-party services provide the layer of indirection. This can either
> just be another service provider domain such as bigfoot.com (though
> arguably this doesn't solve the problem at all) or an all-in-one
> "register a vanity domain with us and we'll forward your email for you"
> package as offered by hundreds of domain vendors.
>
> * Users buy their own domains and set up their own email servers, or pay
> someone else to do it for them. This is how businesses often approach
> this problem; most companies with more than a few employees have their
> own email domain.
>
> All three of these answers can equally apply to OpenID. The second
> relies on a service that is not commonly available for OpenID today, but
> there are already small examples of it out there, such as freeyourid.com.