Peter, I split your message off into a new thread because you bring up an excellent point that I believe merits further discussion, but is less related to the original thread.<br><br>I just want to add a few thoughts, all of which center on the <i><b>average</b></i> user.<br>
<br>First allow me to declare my assumptions on the average user:<br><ol><li>Will not own a domain name of their own and will not want to pay an annual domain name fee.<br></li><li>Will not understand what a web hosting service is.</li>
<li>Will not understand XRDS or HTML tags.</li><li>(currently) Barely understands how they can log into some random site using their Yahoo! credentials, and doesn't know or care whether OpenID is used behind the scenes.</li>
<li>(currently) Has not heard of OpenID and has no idea how to log in with one.</li><li>(soon) Might use OpenID without knowing it by clicking on a big name OP that they're familiar with and using directed identity.</li>
</ol>Two ideals in OpenID (not a comprehensive list)<br><ol><li>OpenID achieves the decentralization of identity providers. Kudos.</li><li>OpenID promises provider-neutrality of your identity by allowing identity pages to be hosted independent of any OP that can be easily redirected to whatever OP the user wants to use.<br>
</li></ol>Both of these ideals of OpenID are very worthwhile and desirable IMO. But the second one cannot possibly come true for the average user as far as I can imagine. There is <i>no</i> way to have a Claimed Identifier that can withstand a change in its hosted provider unless the user owns his own domain name. The average user won't know that they should (let alone <i>how</i>) add a layer of indirection to their OP-provided identity page in order to give themselves greater flexibility in the future and avoid vendor lock-in. <br>
<br>The only way to achieve the second ideal then would be for the OPs to somehow have the capability to offer their users a Claimed Identifier that will survive even if the user chooses to cancel their account with that OP at a later date. Even if this were technologically possible, convincing the major OPs (that most users will pick whether knowingly or unknowingly) to offer all their customers a default behavior that would make it easier for the customer to leave the OP would be very difficult. From the OPs' business perspective it wouldn't make sense to do that. But of course from the user-perspective it makes perfect sense and should be done.<br>
<br>I used to think that XRIs were the answer to the technological hurdle. But unless the user is paying an annual fee for a root-level i-name and hosting the XRDS doc, the user is bound by an =<i>OP*</i>name prefix to their i-name and therefore forever bound to that OP for their identity.<br>
<br>Can anyone else suggest a solution to the technological and business problems associated with achieving ideal #2?<br><br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Thu, Jan 1, 2009 at 6:30 PM, Peter Williams <span dir="ltr">&lt;<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">I think this is the most important lesson (especially if UCI is
the actual vision, in contrast to openid being a submarine reinvention of TTP
IDPs, a la Shib). </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">I've felt for a long time that there have to be two services:
one aimed purely at the user (and not provided by OPs), and then one
provided by the OP. I kept experimenting with this distinction over and
over – but I always felt like the wacky weirdo – especially once the
directed identity service from the OPs came along.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">After all, "Real" users just subscribe to Yahoo, Google,
Myopenid OPs. But those who fall prey to the indoctrination of those portal mindshare
wars, are not really getting "openid". They are just being drawn
into the typical hub-spoke networking model. It's EDI all over again. You're
free to send your business document anywhere, as long as they are a member
of the same hub.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">We just have to remember that, for business-class users, it's
just not enough to have an OP account(s) with your favorite portal(s)
(google, live, pip), which provision you their various openids. You must have an
additional service, which is probably separate from that which any OP offers.
In that addition, you own and control the XRDS/HTML file – through which
you can express full control and get what the UCI in openid promises/promised.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Ok. Let's test the reality.</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Is there a semi-commercial site out there, aimed at 50+ year old
users, that does little else other than allow such folks with pretty average IT
skills to maintain their (non-OP) identity page, featuring op selection (i.e. reinforces
the multiple-nyms concept) and delegation (allows control over https authentication
endpoints, and facilitates login portability)?</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">I know I can sell the portability benefit of openid (as they all
remember the analogous (pre-Neustar) days …when phone companies would not
let you move your phone number between national carriers). </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">Then, is there any "major" OP (google, live, yahoo,
myspace?) that offers _<i>both</i>_ services?</span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p><span style="font-size: 11pt; color: rgb(31, 73, 125);">It doesn't count as an "offer" if I, Jeanette
the Realtor, have to literally edit an XRDS or HTML file or even conceive
of tags, meta-anything, denotational semantics or anthropomorphic identifiers
with a polymorphic bent (or any other wonderfully inventive logic that we
computer scientists love to talk about).</span></p></div></div></blockquote></div><br>
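<p>The layer of indirection discussed in this thread, as an added example that is not part of either message: a relying party performing OpenID 2.0 HTML-based discovery on a user-hosted identity page, before and after the user switches OPs. The <code>openid2.provider</code> and <code>openid2.local_id</code> link relations are the ones OpenID 2.0 defines; every URL and the page content are constructed for illustration.</p>

```python
from html.parser import HTMLParser

# Constructed identity page hosted at a URL the user controls (hypothetical URLs).
IDENTITY_PAGE_V1 = """<html><head>
<link rel="openid2.provider" href="https://op-one.example/endpoint">
<link rel="openid2.local_id" href="https://op-one.example/users/jeanette">
</head><body>Jeanette the Realtor</body></html>"""

# Same page after the user moves to another OP: only the two hrefs change.
IDENTITY_PAGE_V2 = IDENTITY_PAGE_V1.replace("op-one.example", "op-two.example")


class LinkCollector(HTMLParser):
    """Collects <link rel=... href=...> pairs found inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").split():
                self.links.setdefault(rel.lower(), a.get("href"))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(claimed_id, page_html):
    """HTML-based discovery: what the RP learns from the identity page."""
    p = LinkCollector()
    p.feed(page_html)
    provider = p.links.get("openid2.provider")
    if not provider:
        raise ValueError("no openid2.provider link in <head>")
    return {
        "claimed_id": claimed_id,   # the key the RP stores for the account
        "op_endpoint": provider,    # where the user is sent to authenticate
        # Without a local_id link, the OP-local identifier is the claimed id.
        "op_local_id": p.links.get("openid2.local_id") or claimed_id,
    }


CLAIMED = "https://jeanette.example/"
before = discover(CLAIMED, IDENTITY_PAGE_V1)
after = discover(CLAIMED, IDENTITY_PAGE_V2)
```

<p>The account survives the OP change only if the relying party keys it on <code>claimed_id</code> and treats <code>op_endpoint</code> and <code>op_local_id</code> as values rediscovered at each login.</p>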