A little more on OpenID adoption
In response to my post about the lag in OpenID RP adoption, Mark Workel asked the following questions:
1. What are the strategic advantages of becoming an IdP?
2. As a consumer or RP, how do I know if an IdP is reliable?
I don’t think I can authoritatively answer these, but I do have some thoughts. And keep in mind that these points apply to any IdP-RP based technology, not just OpenID (think of Facebook Connect opening itself up to be an IdP to other applications).
What are the strategic advantages of becoming an IdP?
Well, for one, you get all the marketing buzz associated with doing something with an emerging, potentially game-changing standard. And marketing buzz is always good, especially when you can get it relatively easily (as Johannes points out).
Secondly, being an IdP allows you to hold onto the all-important identity data that is the fuel of any identity business. This is tied to the continuing value associated with “owning the identity silo”. It even gives you a way to expand that identity database, since (presumably) other websites acting as RPs will redirect new users who want to use their services to your sign-up page.
Also, it would appear that becoming an IdP gets you a pass on having to become an RP. The large identity stores that joined the foundation board can all say they did something with OpenID without having to tackle the more difficult and (probably, from their point of view) less desirable task of opening their systems up as RPs that rely on other parties’ authentication.
As a consumer or RP, how do I know if an IdP is reliable?
You don’t. That is probably the chief reason why RP adoption is not taking off. As even Scott Kveton over at the OpenID foundation has said:
OpenID has two challenges it faces to increase adoption and use; security and usability
This isn’t much of an issue now, since the RPs that openly support OpenID (pardon the pun) don’t have major security requirements. And the ones that need a little more reliability are going the restricted OpenID Provider route, accepting only a short list of providers they have vetted themselves (“log in with your Yahoo ID”).
Until the security question is settled, it’s going to be hard to figure out whether an IdP is reliable or not (whether you’re an RP looking for an IdP to rely on, or a consumer looking to sign up for an OpenID somewhere). Hopefully something like the Identity Assurance Framework will emerge as a way to properly advertise the level of security and reliability a particular IdP provides.
In the same post, Scott says:
security and usability will be key drivers to OpenID adoption moving forward
They’ll be more than just drivers. Solving those issues will break the dam that is currently holding widespread adoption back.
There is something like the identity assurance framework being developed as an OpenID extension:
http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html
This has been integrated into many of the libraries already shipping in the wild:
http://janrain.com/blog/2007/10/24/pape-support-in-janrain-openid-20-libraries/
FYI.
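The comment above points at PAPE, and the post asks how an RP can tell what an IdP actually delivered on a given login. The following is an added example, not code from the original post, from the OpenID Foundation or from the JanRain libraries: a Python sketch of what an RP does with the PAPE draft’s parameters. It asks the provider for a preferred policy and a maximum authentication age, then checks the provider’s answer, refusing to treat silence or an unsigned claim as a pass. The sample response, the hostnames (op.example, rp.example, alice.example), the signature placeholder and the timestamps are constructed for this example; the ordinary OpenID 2.0 discovery and signature verification are assumed to have happened already and are not shown.

```python
"""Added example: an RP requesting and checking PAPE authentication policies.

Not from the original post or any OpenID library.  Parameter names follow the
PAPE draft linked in the comment above; the sample response below is made up.
The RP is assumed to have already verified openid.sig in the normal way.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY_PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
POLICY_MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
POLICY_NONE = "http://schemas.openid.net/pape/policies/2007/06/none"


def build_pape_request(base_params, preferred_policies, max_auth_age=None):
    """Add PAPE fields to the checkid_setup parameters the RP already builds.

    preferred_policies: list of policy URIs; max_auth_age: seconds, optional.
    """
    params = dict(base_params)
    params["openid.ns.pape"] = PAPE_NS
    params["openid.pape.preferred_auth_policies"] = " ".join(preferred_policies)
    if max_auth_age is not None:
        params["openid.pape.max_auth_age"] = str(int(max_auth_age))
    return params


def parse_response(query_string):
    """Flatten an OpenID indirect response (query string) into a dict."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def verify_pape_response(params, required_policies, max_auth_age=None,
                         now=None, clock_skew=timedelta(seconds=60)):
    """Check the PAPE part of a positive assertion.  Returns (ok, reason).

    Everything missing is a failure: an OP that ignores the extension has said
    nothing about how it authenticated the user, so the RP must not assume the
    stronger policy was applied.
    """
    if params.get("openid.ns.pape") != PAPE_NS:
        return False, "OP did not respond to the PAPE extension"

    # PAPE fields must be covered by the OP's signature (openid.signed lists
    # field names without the "openid." prefix); otherwise anyone who can
    # tamper with the redirect could add or strip policy claims.
    required_signed = ["ns.pape", "pape.auth_policies"]
    if max_auth_age is not None:
        required_signed.append("pape.auth_time")
    signed = set(params.get("openid.signed", "").split(","))
    missing = [f for f in required_signed if f not in signed]
    if missing:
        return False, "unsigned PAPE fields: " + ", ".join(missing)

    # auth_policies is space separated; the "none" URI means no policy applied.
    policies = set(params.get("openid.pape.auth_policies", "").split())
    policies.discard(POLICY_NONE)
    unmet = [p for p in required_policies if p not in policies]
    if unmet:
        return False, "OP did not satisfy: " + " ".join(unmet)

    # auth_time is ISO 8601 in UTC, e.g. 2008-05-01T12:00:00Z.
    now = now or datetime.now(timezone.utc)
    raw_time = params.get("openid.pape.auth_time")
    if raw_time is None:
        if max_auth_age is not None:
            return False, "max_auth_age requested but OP sent no auth_time"
        return True, "ok"
    try:
        auth_time = datetime.strptime(raw_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed openid.pape.auth_time"
    # Tolerate a little skew for a timestamp slightly ahead of our clock only;
    # the freshness bound itself is enforced strictly.
    if auth_time > now + clock_skew:
        return False, "auth_time is in the future"
    if max_auth_age is not None and now - auth_time > timedelta(seconds=max_auth_age):
        return False, "authentication is older than max_auth_age"
    return True, "ok"


# Constructed sample of an OP's positive assertion after a phishing-resistant
# login (hostnames, nonce and signature are placeholders, not real values).
SAMPLE_RESPONSE = urlencode({
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/auth",
    "openid.claimed_id": "https://alice.example/",
    "openid.identity": "https://alice.example/",
    "openid.return_to": "https://rp.example/login/return",
    "openid.response_nonce": "2008-05-01T12:00:05ZtGb5x",
    "openid.assoc_handle": "assoc-123",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": POLICY_PHISHING_RESISTANT,
    "openid.pape.auth_time": "2008-05-01T12:00:00Z",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.pape,pape.auth_policies,pape.auth_time",
    "openid.sig": "c2lnbmF0dXJlLWdvZXMtaGVyZQ==",  # placeholder, not a real HMAC
})
SAMPLE_NOW = datetime(2008, 5, 1, 12, 0, 30, tzinfo=timezone.utc)  # 30 s after auth_time

if __name__ == "__main__":
    request = build_pape_request({"openid.mode": "checkid_setup"},
                                 [POLICY_PHISHING_RESISTANT], max_auth_age=300)
    print(urlencode(request))
    print(verify_pape_response(parse_response(SAMPLE_RESPONSE),
                               [POLICY_PHISHING_RESISTANT], max_auth_age=300, now=SAMPLE_NOW))
```

Note what this does and does not buy the RP. PAPE lets the provider say which policy it applied and when the user last authenticated, and the signature check above stops a third party from rewriting that claim in transit. It does nothing about the question the post raises: the claim is self-asserted by the OP, so a provider you have no reason to trust can assert “phishing-resistant” as easily as an honest one. That is why the RPs with real security requirements pair it with a whitelist of providers, or wait for an assurance framework that lets a third party vouch for the OP.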