What PayPal’s membership in the OpenID Foundation could mean

Brian Kissel announced this morning that PayPal has joined the board of the OpenID Foundation as our sixth corporate member, with Andrew Nash, Sr. Director of Information Risk Management and a longstanding advocate for OpenID, as their representative.

That PayPal has joined is certainly good news, and helps to diversify the types of companies sitting on the OpenID Foundation board (PayPal joins Google, IBM, Microsoft, VeriSign and Yahoo!). It also provides a useful opportunity to think about how OpenID could be useful (if not essential) for financial transactions on the web.

For one thing, PayPal already relies on email addresses for identification, and one of the things that I’m strongly advocating for in OpenID 2.1 is the use of email-style identifiers in OpenID flows.

Given that PayPal already assumes that you are your email address, things become more interesting when a company like PayPal starts to assume that you are your OpenID (regardless of the format). With discovery, your OpenID could be useful not just as an indicator of your data resources across the web (essential in cloud computing), but could also be useful for pointing to your financial resources. Compare these two XRDS-Simple entries (the latter is fictional):

    <!-- Portable Contacts Delegation -->
    <Service>
        <Type>http://portablecontacts.net/spec/1.0</Type>
        <URI>http://pulse.plaxo.com/pulse/pdata/contacts</URI>
    </Service>

    <!-- Payment Gateway Delegation -->
    <Service>
        <Type>http://portablepayments.net/spec/1.0</Type>
        <URI>http://paypal.com/payment/</URI>
    </Service>

From this simple addition to your discovery profile, third parties would be able to request authorization for payment, without necessarily having to ask you every time who your provider is. And of course no payment would be disbursed without your explicit authorization, but the point is that sellers would be able to offer a much more seamless payment experience by supporting OpenID and discovery.
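A relying party that consumes such a discovery entry has to treat it as untrusted input. The following added example (not from the original post) parses an XRDS-Simple document and picks the payment endpoint by priority, accepting only HTTPS URIs on hosts it already trusts. The sample document, the allow-list and the `resolve_endpoint` name are assumptions, and `portablepayments.net` is the post's fictional service type.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "{xri://$xrd*($v*2.0)}"  # XRD 2.0 namespace used by XRDS-Simple
PAYMENT_TYPE = "http://portablepayments.net/spec/1.0"  # fictional, from the post

# Constructed sample discovery document (not fetched from any real service).
SAMPLE_XRDS = """<XRDS xmlns="xri://$xrds">
  <XRD xmlns="xri://$xrd*($v*2.0)" version="2.0">
    <Service priority="20">
      <Type>http://portablepayments.net/spec/1.0</Type>
      <URI>http://paypal.com/payment/</URI>
    </Service>
    <Service priority="10">
      <Type>http://portablepayments.net/spec/1.0</Type>
      <URI>https://pay.unknown.example/collect</URI>
    </Service>
    <Service priority="30">
      <Type>http://portablepayments.net/spec/1.0</Type>
      <URI>https://paypal.com/payment/</URI>
    </Service>
  </XRD>
</XRDS>"""

def resolve_endpoint(xrds_text, service_type, allowed_hosts):
    """Return the best-priority endpoint URI that passes policy, or None."""
    # Discovery documents are untrusted input: refuse DTDs and entity declarations.
    if "<!DOCTYPE" in xrds_text or "<!ENTITY" in xrds_text:
        raise ValueError("DTD/entity declarations are not accepted")
    root = ET.fromstring(xrds_text)
    candidates = []
    for svc in root.iter(XRD_NS + "Service"):
        types = {t.text.strip() for t in svc.findall(XRD_NS + "Type") if t.text}
        if service_type not in types:
            continue
        priority = int(svc.get("priority", "1000000"))  # missing = least preferred
        for uri in svc.findall(XRD_NS + "URI"):
            candidates.append((priority, (uri.text or "").strip()))
    for _, uri in sorted(candidates):  # lower priority value is tried first
        parts = urlsplit(uri)
        # Policy (assumed): TLS only, and the host must be a provider we trust.
        if parts.scheme == "https" and parts.hostname in allowed_hosts:
            return uri
    return None
```

With `{"paypal.com"}` as the allow-list, the priority-10 entry on an unknown host and the plain-HTTP entry are both skipped, so what a profile advertises never overrides the relying party's own provider policy.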

The pieces are more or less in place here, and with PayPal on board, I think that we’re starting to see how OpenID can be used to smooth the on-boarding process for any number of routine tasks — from specifying where you store your photos to pointing to the service(s) that you use for payment.

I commonly use the metaphor of credit cards for OpenID. One thing that makes credit cards convenient is that the 16-digit unique ID on each card is embedded in the magnetic strip, meaning that it’s trivial for consumers to just swipe their cards rather than typing in their account number. OpenID and discovery, combined, provide a similar kind of experience for the web. I think we need to keep this in mind as we move the state of the art forward, and think about what can be accomplished once people not only have durable identity on the web, but can use those identifiers to access other forms of real-world value (and can secure them however they see fit).


Author: Chris Messina

Product guy, friend to startups, inventor of the hashtag, proponent of bots and conversational apps; Xoogler and X Uber.

3 thoughts on “What PayPal’s membership in the OpenID Foundation could mean”

  1. If PayPal was to support something similar to the XRDS example you provided above, and some online stores were to support OpenID, that’d be killer. It’d be great if you could simply go to Amazon, enter in your email address (or OpenID), approve the request, and have it already know your shipping information and your PayPal account. That would certainly make it easier to become a first-time customer at an online merchant like Amazon.

  2. Not sure if having your payment instruments being automatically discoverable is a good thing. Broadcasting to the world that your OpenID has a credit card behind it is asking to have your account targeted for cracking.

  3. Not a bad point, Allen, but couldn’t you say the same about email-based PayPal accounts? I mean, I suppose email addresses have, by their design, less “surface area”… but just because a payment gateway is specified doesn’t mean that there’s any, or much, money behind it.

    As well, I’d think that there’d be both legal and anti-fraud contingencies that would apply here.
