
The blogged wandering of Robert W. Anderson

OpenID isn’t ready for prime time

The other day, I wrote How many OpenIDs do I need?  The premise was that the Identity Community needs to help educate users on the choices surrounding the use of OpenIDs.  Having bought into the hype of OpenID I have since:

  • Read various critiques and articles supporting OpenID.
  • Added OpenID comments to this blog. 
  • Got an i-name, =rwa, to act as my public OpenID.
  • Began tracking OpenID on Twitter.
  • Participated in discussions about OpenID in financial services.
  • Tried to Demand OpenID, only to find my OpenID verification failed : (

All together, I’ve come to a few conclusions.

Users assume OpenID has a trust layer

Track OpenID on Twitter and you’ll see what I mean.  Here is one example:

  • (leighhouse): Bill: OpenID also insures you’re not a machine / spam, creates access #iCitizen
  • me: @Leighhouse: openid does not prove you are not a robot. Anyone can create a Provider that accepts arbitrary IDs.
  • (leighhouse): @rwandering Can if authenticated? Can eventually? Or Can’t period.
  • me: @leighhouse: it depends on the Provider. Services need to evaluate trust of Providers (which is already too hard).
  • me: @leighhouse: you are asking the wrong question. OpenID is only authentication piece, trust of IPs is a bigger question outside of tech OpenID standards.

OpenID is intended to provide identity, but without trust.  Search around the Internet and you will find an OpenID Identity Provider (OP) that takes this to the extreme: it accepts arbitrary URLs with no authentication at all.  It reports “trusted” to anyone who asks.  Granted, this OP exists to demonstrate a point, a kind of “white hat” OpenID hack, but it leads into my next point.

Relying Parties don’t have any reasonable way of determining trust levels for Providers

Some OpenIDs can be trusted (e.g., Google, Yahoo, myopenid, etc.), others cannot.  I want to be clear that I’m only talking about trusting Google (or some other Big-Co) as an OP.  That means that they manage user authentication in a reasonably secure way.  I am not talking about trust outside of that relationship, or even if it makes sense to trust Google as the center of your identity.

So some can’t be trusted.  In addition to the example OP above, what about the numerous self-hosted OPs that are springing up? 

How is a Relying Party to distinguish between all these different OPs? 

It appears the OpenID authors intended to delegate this issue to a 3rd party (e.g., VeriSign or perhaps a community-based foundation).

Fair enough, but how are services to deal with this issue today?  I don’t think they have a reasonable way to do it, except to maintain their own list of trusted OPs.  But that is a brittle system to say the least.
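What a "maintain their own list of trusted OPs" approach looks like on the Relying Party side, as an added example that is not code from this post. It takes an OpenID 2.0 positive assertion (the `openid.*` query parameters an OP sends back), checks that the `openid.op_endpoint` it names matches what discovery on the claimed identifier returned, and then classifies the provider against an RP-maintained allowlist. The allowlist entries, the blog's return URL and the two sample assertions are constructed for illustration; signature verification of `openid.sig` over the `openid.signed` fields is a separate step that must still happen before any of this is trusted.

```python
"""RP-side provider allowlist check for an OpenID 2.0 positive assertion.

Added example, not code from the original post. Assumes the RP has already
run discovery on the claimed identifier and knows which OP endpoint that
discovery produced (``discovered_endpoint``). Allowlist and samples are
constructed for illustration.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed allowlist: OP endpoints this RP has decided to trust.
# Matching is exact after normalization; no suffix/substring matching, so a
# look-alike host such as "www.google.com.evil.example" never matches.
TRUSTED_OP_ENDPOINTS = {
    "https://www.google.com/accounts/o8/ud",
    "https://open.login.yahooapis.com/openid/op/auth",
}


def normalize_endpoint(url):
    """Lower-case scheme and host, keep the path, drop query and fragment."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return f"{parts.scheme.lower()}://{host}{path}"


def op_trust_decision(assertion_query, discovered_endpoint,
                      trusted=TRUSTED_OP_ENDPOINTS):
    """Return (decision, reason) for a positive assertion's OP.

    decision is one of "accept" (OP on the allowlist), "untrusted" (a valid
    but unknown OP, e.g. a self-hosted one) or "reject" (malformed or the
    op_endpoint field does not match discovery).
    """
    params = {k: v[0] for k, v in
              parse_qs(assertion_query, keep_blank_values=True).items()}
    if params.get("openid.mode") != "id_res":
        return ("reject", "not a positive assertion")
    op_endpoint = params.get("openid.op_endpoint")
    if not op_endpoint:
        return ("reject", "assertion lacks openid.op_endpoint")
    claimed = normalize_endpoint(op_endpoint)
    # Until it is compared with discovery, op_endpoint is just a field the
    # sender chose; OpenID 2.0 section 11.2 requires this comparison.
    if claimed != normalize_endpoint(discovered_endpoint):
        return ("reject", "op_endpoint does not match discovery")
    if not claimed.startswith("https://"):
        return ("reject", "OP endpoint is not HTTPS")
    if claimed in {normalize_endpoint(t) for t in trusted}:
        return ("accept", "OP on allowlist")
    return ("untrusted", "OP not on allowlist; treat identity as unverified")


def make_assertion(op_endpoint, identity):
    """Build a constructed id_res query string with the usual signed fields."""
    return urlencode({
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": identity,
        "openid.identity": identity,
        "openid.return_to": "https://blog.example/openid/return",  # constructed
        "openid.response_nonce": "2008-05-04T12:00:00ZCONSTRUCTED",
        "openid.assoc_handle": "CONSTRUCTED",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                         "response_nonce,assoc_handle",
        "openid.sig": "CONSTRUCTED",  # signature check is out of scope here
    })


# Constructed samples: a big-name OP on the allowlist and a self-hosted one.
SAMPLE_GOOGLE_ASSERTION = make_assertion(
    "https://www.google.com/accounts/o8/ud",
    "https://www.google.com/accounts/o8/id?id=CONSTRUCTED")
SAMPLE_SELF_HOSTED_ASSERTION = make_assertion(
    "https://openid.example.net/server",
    "https://openid.example.net/users/alice")

if __name__ == "__main__":
    print(op_trust_decision(SAMPLE_GOOGLE_ASSERTION,
                            "https://www.google.com/accounts/o8/ud"))
    print(op_trust_decision(SAMPLE_SELF_HOSTED_ASSERTION,
                            "https://openid.example.net/server"))
    # Mismatch: the assertion names Google but discovery found a different OP.
    print(op_trust_decision(SAMPLE_GOOGLE_ASSERTION,
                            "https://openid.example.net/server"))
```

The three-way result is the point: "untrusted" lets the RP keep accepting comments from self-hosted OPs while refusing to treat them as proof that a human is behind the identifier, which is exactly the distinction the Twitter exchange above was missing. The allowlist is still the brittle part the post complains about; every new provider means an edit to it.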

And more

On top of this, there are many technical issues that are being raised about OpenID.  These range from security issues to privacy issues and much more.  A good round up can be found here: The problem(s) with OpenID.  Some of these issues are at the heart of why users shouldn’t want one ID on the Internet.

OpenID isn’t ready for prime time

OpenID shows a lot of promise and has real value in some current use cases.  Google Friend Connect stands out, as do any applications that are built on top of services published by OpenID providers (e.g., if you want to build a service that interacts with, OpenID might make sense).

The OpenID hype is getting way ahead of what the technology can deliver.  People are rushing out to get OpenIDs and people are demanding that their services become Relying Parties, but the technology is just not ready for general adoption. 

The leaders in the identity community (the Identity Commons?) need to slow this down and get these issues sorted out, otherwise I think OpenID will end up a big failure.

It just isn’t ready for prime time.


Yahoo not in Microsoft

I had to drop off the emergency Gillmor Gang last night before I had a chance to give my thoughts on the Microsoft / Yahoo deal.  Not only did Steve call an emergency Gang, but it looks like the blogosphere did as well.  Anyway, here is what I think:

All bad for Yahoo

  1. Yahoo fought the deal, lost a bunch of key employees, increased “golden parachutes” for employees, etc.  While Yahoo didn’t ask for a takeover bid, it was pretty clear Ballmer was going to go after Yahoo again.  Jerry Yang should have been ready, but wasn’t.  His response was to take measures which make it harder for the company to do business as an independent.
  2. Yahoo’s stock price is about to plummet.  My guess is well below its price before this all started.
  3. And, investor lawsuits. 

Mixed for Microsoft

  1. Ballmer spent a lot of time and money on this and came up short.  Unless he had the secondary goal of sabotaging Yahoo this was just a waste of time and money.  Clearly he thought he could get it done, but he didn’t, and he failed there.
  2. Merging the companies together would have been very difficult culturally — and I think a long hard slog for everybody involved.  Good thing this is avoided.
  3. Microsoft still needs to jumpstart their advertising revenues.  It really isn’t clear how they do this.  Live Mesh is a longer term play for building a sticky and highly compelling services platform.  This will convert to ad revenue, but not very quickly.

The real issue for Microsoft is how to convert the (still strong) Office / Windows revenues into a sustainable and growing advertising platform.

What I think Microsoft needs to do now:

  1. Robert Scoble says that Live is a damaged brand.  Building cool services won’t fix this on its own.  Microsoft needs to fix this by defining Live in a way that is clear.  Live can’t be all things to all people!  Define it.
  2. Windows Vista is a damaged brand.  While this is slightly off the topic of a services platform, it is dead center on the Microsoft definition of S+S.  They need to fix this.  The whole “Vista Ready” fiasco really informs what Microsoft did wrong here.  Number one priority for Microsoft on Vista should be to make it as performant and stable as XP. 
  3. Wait.  Keep building out their very cool services and dev platform.  Get a Silverlight Office out.  Keep an eye on Yahoo.  Maybe after Yahoo gets hammered, the economics will make sense.

Microsoft clearly has had a two-pronged strategy here: build and buy.  Buy is out for now — as it isn’t clear what other acquisitions get Microsoft what they need — but build is going like crazy.  The problem with build alone is that it only works accompanied with brand.  So I think the real question is:

How will Microsoft fix their brand woes?
