Identifier portability: the fundamental issue

[Hans Granqvist]

Chris Drake wrote:
> There seem to be a lot of people on this list who want to hate and
> loathe the IdP, and grant all power to the RP.  I do not understand
> this reasoning:  our users will select the IdP they trust and like,
> then they will be using a multitude of possibly hostile RPs
> thereafter: the reverse is simply not true.

My assumption (which I am careful to not proclaim as truth) is that
there won't be many IDPs around once the OpenID dust settles.

Sure, there will be the run-in-the-basement ones, but for 
business-critical needs an IDP must spend a lot of money: maintain 
provable privacy of data, keep uptime, supply enriched services related 
to stored data, etc.

Today's main internet companies can afford to invest in that, and they 
will also probably compete by adding OpenID access to their existing 
user base.

Furthermore, many RPs will require a user to have an account with one or
a few of these mega-IDPs.  If there's money at stake, the RP would want 
to minimize risk.  It's all about RP peace of mind. So few small IDPs 
will survive.  Feel free to compare search engines and
how a few big companies have all but obliterated the market.

Hostile RPs are easy to handle. You just take your business elsewhere. 
But if an IDP decides to boot you when you're no longer indirectly 
promoting them using their identity URLs, you could stand to lose quite 
a lot.

Hans