
The blogged wandering of Robert W. Anderson

OpenID isn’t ready for prime time

The other day, I wrote How many OpenIDs do I need?  The premise was that the Identity Community needs to help educate users on the choices surrounding the use of OpenIDs.  Having bought into the hype of OpenID I have since:

  • Read various critiques and articles supporting OpenID.
  • Added OpenID comments to this blog. 
  • Got an i-name, =rwa, to act as my public OpenID.
  • Began tracking OpenID on Twitter.
  • Participated in discussions about OpenID in financial services.
  • Tried to Demand OpenID, only to find my OpenID verification failed : (

Altogether, I’ve come to a few conclusions.

Users assume OpenID has a trust layer

Track OpenID on Twitter and you’ll see what I mean.  Here is one example:

  • (leighhouse): Bill: OpenID also insures you’re not a machine / spam, creates access #iCitizen
  • me: @Leighhouse: openid does not prove you are not a robot. Anyone can create a Provider that accepts arbitrary IDs.
  • (leighhouse): @rwandering Can if authenticated? Can eventually? Or Can’t period.
  • me: @leighhouse: it depends on the Provider. Services need to evaluate trust of Providers (which is already too hard).
  • (leighhouse): @rwandering Can if authenticated? Can eventually? Or Can’t period.
  • me: @leighhouse: you are asking the wrong question. OpenID is only authentication piece, trust of IPs is a bigger question outside of tech OpenID standards.

OpenID is intended to provide identity, but without trust.  Search around the Internet and you will find an OpenID Identity Provider (OP) that takes this to the extreme: it accepts arbitrary URLs with no authentication at all.  It reports “trusted” to anyone who asks.  Granted, this OP exists to demonstrate a point, a kind of “white hat” OpenID hack, but it leads into my next point.

Relying Parties don’t have any reasonable way of determining trust levels for Providers

Some OpenIDs can be trusted (e.g., Google, Yahoo, myopenid, etc.), others cannot.  I want to be clear that I’m only talking about trusting Google (or some other Big-Co) as an OP.  That means that they manage user authentication in a reasonably secure way.  I am not talking about trust outside of that relationship, or even if it makes sense to trust Google as the center of your identity.

So some can’t be trusted.  In addition to the example OP above, what about the numerous self-hosted OPs that are springing up? 

How is a Relying Party to distinguish between all these different OPs? 

It appears the OpenID authors intended to delegate this issue to a 3rd party (e.g., VeriSign or perhaps a community-based foundation).

Fair enough, but how are services to deal with this issue today?  I don’t think they have a reasonable way to do it, except to maintain their own list of trusted OPs.  But that is a brittle system to say the least.
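The self-maintained list described above, sketched as an added example (not code from this post or from any OpenID library): a Relying Party checks the OP endpoint URL it found during discovery against its own vetted hosts before sending the user there. The host names and the function name `op_endpoint_trusted` are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hosts of OP endpoints this Relying Party has vetted.
TRUSTED_OP_HOSTS = {"op.bigco.example", "login.other-bigco.example"}


def op_endpoint_trusted(endpoint_url, trusted_hosts=TRUSTED_OP_HOSTS):
    """Return (ok, reason) for an OP endpoint URL found during discovery."""
    try:
        parts = urlsplit(endpoint_url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"

    # An endpoint reached over plain HTTP can be swapped in transit.
    if parts.scheme != "https":
        return False, "endpoint is not https"

    # "https://trusted@other.example/" makes the real host look trusted.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"

    if port not in (None, 443):
        return False, "unexpected port"

    # Exact host match only: substring or suffix tests would accept
    # "op.bigco.example.evil.example".
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in trusted_hosts:
        return False, "OP host not on allowlist"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample of endpoints a discovery step might return.
    for url in (
        "https://op.bigco.example/openid/auth",
        "https://selfhosted.example/openid",
        "https://op.bigco.example.evil.example/auth",
    ):
        print(url, op_endpoint_trusted(url))
```

Every self-hosted or newly launched OP is rejected until someone edits the set by hand, which is the brittleness in question.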

And more

On top of this, there are many technical issues that are being raised about OpenID.  These range from security issues to privacy issues and much more.  A good round up can be found here: The problem(s) with OpenID.  Some of these issues are at the heart of why users shouldn’t want one ID on the Internet.

OpenID isn’t ready for prime time

OpenID shows a lot of promise and has real value in some current use cases.  Google Friend Connect stands out,  as do any applications that are built on top of services published by OpenID providers (e.g., if you want to build a service that interacts with, OpenID might make sense).

The OpenID hype is getting way ahead of what the technology can deliver.  People are rushing out to get OpenIDs and people are demanding that their services become Relying Parties, but the technology is just not ready for general adoption. 

The leaders in the identity community (the Identity Commons?) need to slow this down and get these issues sorted out, otherwise I think OpenID will end up a big failure.

It just isn’t ready for prime time.


Come on Google, support i-names for OpenID!

Playing with the Google Friend Connect demos last night, I found that my i-name doesn’t work as an OpenID.  No big deal, after all it is a preview release.

Today I went to add a comment on a blog and tried my i-name there.  Nope.


What’s up, Google?  Why aren’t you supporting i-names?  Oversight, planned for release, bug, or politics?  I really hope it isn’t the latter.


Google Reader or TypePad getting confused?

Today while using Google Reader, the feeds for Recognizing Deven and flow|state have both been serving the London Blog (which I have no interest in reading).

Is this a bug in Google Reader or TypePad?  Anyone else experiencing this?


And congratulations to Mr. Farrell for giving up the drink.


Google Reader Misappropriated Our Shared Items

Earlier in the week I stopped using Google Reader for a few days.  Every time I started it, I would be reminded of their new sharing features (see the dialog on the left).  Then I would close the browser tab. Why?

Google changed the Reader user-contract with no notice.  This rankles me.  I’ve lost control of my shared items.  This is a dramatic change with only the weakest of opt-outs.  What’s more, any opt-out is too late.  My items have already been shared.  What kind of opt-out is that?

Oh, but there are more options.  They give us the ability to manage who gets to see our shared items.  But only after others have a chance to read them.  For example, I can hide my items from my “friends” who are on Google Reader.  Other “friends” that start using Google Reader will get to read my shared items immediately.  The onus is on me to make sure I actively manage the list. 

And the icing on the cake?  “Friends” wasn’t a word in use by Google Reader before.  Now it has been defined to mean my Google Talk contacts.  No fair.  This is not analogous to Facebook “friends”.  In Facebook, I accepted people as “friends” based on the Facebook definition.  Now my Google Talk contacts are my “friends” based on Google’s new definition.  This is clearly backwards. 

Is Google breaking their terms of service?  Almost definitely not, but they are changing a basic part of the user-contract: that user data won’t become more public without user consent. This is a perfect example of the “User-Beware contract“, summed up as: “we’ll change the user contract whenever we feel like it.”

What’s next? 

Your email contacts have been shared with your friends

Your emails have been shared with our advertisers

Your calendar entries have been shared with your . . .

You get the idea.  This may seem like a joke, but frankly I don’t know what is in store for the user contract.

Steve Gillmor suggests this is arrogance on Google’s part, and he’s probably right.  Yet mostly people are ignoring this or don’t get it (e.g., Scoble doesn’t seem to get why anyone would care). 

Why is the blogosphere giving Google a free pass on this one? 


OpenSocial payback?

Many are calling Google’s OpenSocial play an apparent retaliation against Facebook for their recent Microsoft deal.  The reasoning is that both Microsoft and Google were bidding for a Facebook ad deal.  Microsoft won, so Google is going to make Facebook, and by extension Microsoft, pay.

Perhaps it is payback, but certainly the OpenSocial strategy predates the Microsoft agreement.  Not even Google could pull this whole thing off in just a few weeks.

This begs some questions:

  • Did the losing proposal from Google include OpenSocial?  Did it require that Facebook adopt the APIs?  Did that push Facebook to Microsoft?
  • Alternatively, was Facebook threatened with OpenSocial as a retaliation?  That is, did Google offer to shelve OpenSocial if Facebook accepted a Google deal?

It isn’t yet clear (to me anyway) whether or not Facebook was briefed on OpenSocial.  Google said yes, then no.  Facebook said no, but some evidence points to them actually having known. 

  • Are these differing stories rooted in non-disclosure agreements dating from the failed negotiation between Google and Facebook?

Final question:

  • Does anyone really believe that Google would have shelved the OpenSocial strategy just for an ad deal with Facebook? 

I for one do not.

For an excellent post on Facebook / OpenSocial, read Dan Farber.


Good Lawford

Steve breaks radio silence and admits he is a pooka (from Bad Sinatra).

A lot of good stuff in this post, but I want to highlight one part. 

I posted the other day about the deprecation of the Google API.  My take: good for the Google; bad for the gaggle (i.e., the application developers).  Fun to talk about, but there are pragmatic solutions to this.  Something to be scared of?  No.

We (the users) needn’t be scared of vendor choices like this.  Why not?  Because nobody is forcing us to use these services.  As Steve says:

Who am I supposed to be scared of? Google? Nope, if the Ajax API and the terms of service around including unaltered adsense are so counter to user interest, that will precipitate a decline in usage and therefore less adoption of Google properties. Seems self-correcting to me: user votes, user wins. Why do we need saving here?



Don Box and Dave Winer agree

Two guys who know a thing or two about web services and APIs think the new Google Search API is a step backwards.  I agree.

My guess is that someone high up at Google thinks of it as a step forwards.  Perhaps someone asked the question:

Why are we providing search results into arbitrary applications, when in fact, we are in the business of serving ads on Web pages?

An AJAX-only API is a fine way to do just that; but like Don Box says:

No matter how you define “web service,” I don’t think this newest offering qualifies.

I’m hoping this is just an anomaly and not a trend, lest we all fall back into the world of opaque/closed protocols.

Google doesn’t have to provide open and interoperable APIs to the world; but, I bet others will. 


Google and the honeymoon

A lot has been said about Google complaining to the government about IE7 (from NYT).

Don Dodge says that Google’s honeymoon is over. Perhaps this is true. Their complaining about the way search is handled in IE7 does seem disingenuous.

In the past I’ve said that Google’s goodwill will wane. From Dave Winer’s Geek Dinner for Scoble with relevant excerpt here:

Google has enjoyed a great deal of popularity as an answer to Microsoft’s dominance. They have a stockpile of goodwill and trust from people simply because they are not Microsoft. This is not permanent. The bigger they get, the more profitable they are (if that’s possible), the more people they piss off with their own kind of over-reaching, the more this is going to wane.

Google has some great products, of which search is #1. But, please Google, don’t try to lock in your users by complaining. Do it by making your products better.


Google gives AOL what?

I have posted several times about the Microsoft / Google debate, making the point that the trust / faith people give to Google is beginning to wane. The news in the NYT about the AOL / Google agreement brings me back to this same point.

Like many, I am surprised at the deal Google struck with Time Warner for AOL. It isn’t the $1 Billion for 5% of AOL. That seems like a lot, but hey, they print money at the “plex”, don’t they?

But, preferential placement for AOL content throughout the Google services?


One of the things that got people to trust Google in the first place was their stance on preferential treatment. So Google search users will get directed to AOL content instead of more-relevant content? John Batelle reports that (essentially) sponsored AOL links won’t be marked as such. (For those who don’t subscribe to the NYT, Nicholas Carr excerpts some of the article).

Google taught us that sponsored links should be marked; and so, have trained us to trust them. With AOL, they will violate this trust — go against what they have trained us to believe.

So, can we trust Google search if the AOL deal is consummated?

Can we trust it now?


Microsoft done for?

Robert Scoble is spending a bit of time refuting this point. The latest post is here where he refers to responses to the current company meeting.  He is in a good position to refute these claims as he has a broad view of what products are coming at Microsoft.

I do find the premise that “Microsoft is done for” a bit naive.  I’m sure people have reason to be skeptical about recent management changes, execution of new projects, and as far as I know, concerns about company morale and cohesiveness. 

But, so many are so anxious to relate the story of Microsoft’s imminent demise that they are not seeing straight.  People keep looking for the next big thing and then making the connection that is the Microsoft killer. 

Linux was going to dethrone Windows.  Well, no.  Certainly very many machines that might be running (and licensing) Windows are running Linux; however, the growth of new machines running Windows is phenomenal.  Microsoft is winning this battle.

Now Google is going to dethrone Microsoft.  How again? 

  • With the best search engine out there?
  • With the best mapping / satellite software?
  • A new special-purpose OS (quick, everybody: rewrite everything!  Microsoft will be buried in a year!).  (Dan has recently posted some thoughts on this)
  • With new applications for Windows?  A new Word processor?
  • In the enterprise? 

I see much more opportunity for synergy between these companies than one destroying the other (I actually have tremendous respect for Google, by the way).  I can understand why there is a battle here starting with the search engine (and going down into the OS).  Microsoft wants to be the top search engine (eyeballs equate to revenues in the search market).  But, this doesn’t equate to Google causing Microsoft’s demise.

And of course, Microsoft is not sitting still and waiting to be destroyed by anybody.  Not only are they creating new products (and product features), but they are working on a bigger more connected vision that is actually pretty cool.

I think the big problem is that the Microsoft haters will always hate Microsoft.  These people revel knowing that Google and Microsoft are at war and hope they have finally chosen the right horse. 

Anyway, I think the reports of Microsoft’s death are greatly exaggerated.  (apologies to Mark Twain).

