Johannes Ernst has responded to my post on what I view as a problem for OpenID – the proliferation of OpenID Providers without the emergence of Relying Parties that use them. First of all, let me state for the record that I am a big fan of OpenID, and in no way view this problem as being one that will cause OpenID to “die out”, as Johannes seems to think. I actually think OpenID will become part of the solution to our current internet problems of credential blowup, and look forward to that becoming reality. But, like Johannes, I want that day to arrive sooner rather than later. And anything that I see causing that to get pushed out a few more years concerns me. The intent of my post was to elicit just such a response from someone involved with OpenID like Johannes, and then dig a little deeper to figure out what needs to happen next.
Now, in his post, Johannes points out the reality of OpenID adoption – that it is a classic chicken-and-egg problem. As he points out, becoming an OpenID Provider is quite easy and relatively harmless (though reliability concerns do enter the picture), and mainly strategic in nature. On the other hand, becoming an OpenID RP has many more considerations and is far more operational, and therefore risky, in nature. By the very necessity of its invention, OpenID has to achieve critical mass in certain classes of IdP before it can be poked and tested to make sure that it is safe and reliable enough to support RPs. The adoption curve for any technology usually follows this kind of path, and so it is with OpenID. Today the RPs are mostly blog commenting systems and simpler, less sensitive services. Tomorrow, you could be using OpenID to authenticate to your online banking account. But there is a lot to be solved and proven along the path from point A to point B.
So if this path is exactly as it should be, what is there to be concerned about? Well, I guess I should have been more explicit in my last post. The thing that worries me is that the thinking seems to be that there is a lot more value in “owning the silo” - in other words, being an IdP than an RP. So even if the OpenID industry does all the right things, will we ever get to the point where the number of OpenIDs a person has is a manageable number (the true intent of OpenID)? The way that the heavy hitters are rolling out their OpenID Providers leads me to wonder if the “exclusive” arrangements that are starting to pop up in RPs are going to become the norm, forcing users to maintain OpenIDs with a large number of Providers.
Obviously John Q. Public knows little, if anything, about OpenID. So expecting them to understand the message “Log in with your OpenID” on a website is irrational. The solution right now seems to have become websites displaying the message “Log in with your Yahoo ID” (which behind the scenes converts it into the requisite OpenID). This is a neat trick, but creates exclusive IdP-RP relationships that (in some sense) violate the spirit of OpenID. And given that these same heavy hitters now own many of the web properties that I would expect to be RPs (why is FlickR an IdP and not an RP?) makes me wonder if true OpenID adoption is getting pushed out by a few years, effectively postponing the work that needs to be done to make the OpenID system more robust in nature.
Maybe I’m being too pessimistic about all this. But as of today, I have accounts in about 60 different places that I actively use, and only 3 of them are an OpenID RP. I want to move on to the next level, and am wondering what needs to happen to precipitate that.