I’m pretty sure the reason multiple companies are involved isn’t because they just wanna get along; it’s because Facebook is killing all of them combined and their fearful of what the future will hold.

You guys pretend to be this open group of ideas that are sharing transparently with the public. “Anyone can contribute to our cause.” Bullshit. You (Plaxo, Google, Yahoo and MySpace) are merely pushing each others agenda and making decisions around how they’ll benefit each of you rather than how they benefit the community. This bullshit support of Google/Yahoo OpenID login buttons is a great example of that. Fuck Google. Fuck Yahoo. Those buttons aren’t what OpenID is about. It completely destroys its decentralization when an RP needs to pick and choose the OID providers they want to support.

You guys are full of shit and it’s too bad. I’d love to get behind you. Unfortunately you’re agenda is defined by your business and if either of you were in the position Facebook was, you’d be doing your own thing too.

In generally I totally agree that a system is needed to fill the rolls and functions that Chris Messina talks about above. I think my real beef against openID is one: that its early, just as Chris says.. and two that any “master key” needs to be extremely well thought out before presented to users.

My worry is that basic web users who see or try and learn about openID at this point in time are going to get confused or apprehensive and associate these feelings with the openID brand; This possibly could be negative to openID in the future.

I’m all for the fact the openID is currently out in the wild and evolving amongst us geeks. Maybe the problem is that this evolution and testing is taking place under the out-facing consumer brand? I’m not sure, but this thread has gotten me thinking about openID for the first time in a while. Which makes me glad I posted such a abrasive twitter reply to Chris (a post which was quite over dramatic.. such is twitter…

I agree that the “email me my password” is pretty common. So is people forgetting their OpenIDs! Ideally if we can get folks in the habit of identifying themselves on a regular basis with one (or two) identifiers that are also OpenIDs, good things can come from that. Today there’s just too much fragmentation.

At minimum, OpenID is no worse than the status quo.

There’s the problem. People want one final point where all their authentication is finalized. Chris Dracket was on to this when he suggested that people who cannot host their own OpenID solution would be reluctant to trust Yahoo, etc. But it’s not because it’s a third party big company. It’s because it doesn’t replace email as your “weakest link” point of ID verification.

A common usage model (more common than I think many of us want to think) for site validation, I fear, is this:
1) go to the site
2) “email me my password”
3) log in

Most people think of their email account as the center of their online universe, consciously or not. Unless you can get OpenID into people’s email clients you will always face the problem of people having to remember two passwords. Anything more than one is basically infinity.

In fact I think we’ll see quite a few single-use OpenIDs, in the sense of you just go thru the OpenID UI dance just once, to prove that you control the relevant page/account, and then after that, things are as they were. Many discussions of OpenID assume every day use. But we can have many specialist OpenIDs for different aspects of our lives, some linked publically, some linked privately … it’s a pretty rich ecosystem with many options possible.

For example, I might want to prove to some other site that I’m the account holder for http://www.advogato.org/person/danbri/ (eg. to use the trust ratings in http://www.advogato.org/person/danbri/foaf.rdf or something similar in microformateze). There are various ways I might do this, eg. by logging in there and wiring up a blogroll to have rel=me pointer to another account. But logging in with my Advogato OpenID seems a simpler workflow. Right now they don’t offer OpenID over at Advogato, but since even simple delegation would do the job, I think there are good reasons to expect this to change.

Chris – nice writeup. I think the citizenship angle is well worth pushing and I’d be very happy to see the Foundation emphasise it more strongly. And w.r.t. eggs in one basket, the inbox=master key argument can’t be repeated often enough.

Read again: ‘you’, not ‘your website’.

I’m not afraid of you sticking a 3G-enabled, DNS-referenced, server-capable chip under the skin of my forearm, but I’ve been very concern by your prejudice for quite some time.

You associate someone and their website, i.e. a unique URL that they fully control. It’s fine for A- or B-list bloggers, people whose work focus on building a personnal, public, digital brand on-line, but not for most people. Most people efforts are not centered aroung designing content for a website, within a team so small and talented they control, know and trust all the elements on it and can be assured all the meta-info fit their individual goals for self-projection. You are making the same ethnocentric mistake Stallman does when he assumes the only thing most people want to change on their computer is knick and bolts within the OS (while a majority are far more insterested in the desktop image). With that focus, I can’t promiss you higher adoption figures then GPL among mass market.

The reason so many have argued in favor of e-mail identifiers instead of URL is because they identify with it far more.

Many web professionals have their details distributed among many URLs (and no intention to make it coherent on one site).

Far more non-geeks have hardly any information outside of a few corporately controlled silos, that they identify as the corporation far more then with themselves. If you want an example of that “it’s the company, not me” in case, consider the recent uproar on breast-feeding and Facebook: were the interns censoring profile pics responsible? Obviously not: they simply answered the explicit request to do so, from one of the mother’s *friend*. The fact that Facebook is a tool for social relations (not unlike the phone) appeared completely oblivious — and people are now helding a protest against AT&T because their mother-in-law use offensive language on the phone.

You feel that it’s natural to point at a website and say “This is me”. As long as the people on the board you were apopointed to do not understand this is not spontaneous, I predict OpenID might stall. Some people point at a house and say “This is me”; some point at a car; some might consider a song, or a film: maybe a cellphone. For those, their licence plates, their myspace ID, their nickname or their cellphone number is the obvious identifier. When I write “obvious”, please understand that I mean: autistic, unable to comprehend other people’s different representation of the world, “Please get a clue and realize I actually /happen to know several ‘John’s/own several computers/was given this cellphone by my boss, for professional use only”.

For me (and many of your friends I’m assuming) it’s more natural to point at a laptop and say “This is me”. My natural identifier is my MAC address, and I would love the world to have a MAC-based Wifi for all, including an automated enforced return of stolen property: it would be safer, more secure, more convenient, obviouly more intuitive and easier. My main concern, being conneted at any time, could be resolved for everyone, including those who share their computer, or have several, those who don’t care and have no clue what MAC is, or that it is an ideal identifier. And this dream would autistically focus on one type of identifier, a different one then OpenID.

The fact that the extract that I’ve taken is under “Convenience” makes it all the more painful to me.

Regarding the comment that you are addressing: I had the impression that Chris Drackett was considering *perception* of safety and simplicity, not actual issues. Throwing a four page long technical essay on how de-facto safe things are make it all the more confusing, and frightening. My girlfriend things a street next to her place is unsafe; as it happens, there is a (overstaffed) Police Station in that street — but, because the paint on the walls is scaling, she finds it scary. Don’t try to increase security by doubling the officiers’ shifts: try to find out what color would make it look more reassuring.

Jason, regarding the key analogy,

Actually, this can be the case with digital ID cards, used in Universities, Hotels and shot-term rentals: all the locks have a list of allowed users, and every user has a single, unique ID. Logs compared to camera make the actual safety system, but keys are being reconsidered in that way, at least in comprehensive living environment.

Key will be to make the Open Stack ready. Facebook has won this round, but that’s a good thing – it’s driving adoption of the concepts and creating mass market awareness. History has proven empires and companies fail (no exceptions on that rule), so the Open Stack just needs to be ready to sweep when Facebook fumbles.

There’s time still, but let’s keep the train moving!