OpenID, Trust, Vendor Locking and Delegation

There is a lot going on around OpenID these days, and a lot of claims are being raised that prevent greater adoption of OpenID by users.

One of these claims is about Trust and Vendor Locking. How can I trust a certain OpenID vendor? After all, gaining access to my OpenID account will give access to all of the sites I’ve signed in or up to using OpenID.

This is a legitimate claim, since it reminds everyone of how Microsoft Passport.NET Live ID is not that successful, being a one-vendor, non-transferable identity.

One of the key elements of OpenID is that it’s decentralized and there is no one body that controls it, but if a user signs up with a certain OpenID vendor they are essentially locked into that vendor unless they have the proper skills or items that allow them to perform delegation.

Having delegation is exactly the thing to make all of these claims go away, since delegation gives the power back to the user. The underlying OpenID vendor will supply the service, but everything MUST go through the user’s domain to get to the vendor, thus allowing the user to change vendors without being locked in.

The problem with delegation, however, is that it requires a certain amount of preparation. You either need to have your own site/blog and add the necessary <head> tags or you need to use a service like FreeYourID.com (I’ve previously written about it here) which gives you a URL composed out of your name (using the .name domain).

The problem with the solution of FreeYourID.com is that it is only one .name vendor that provides this service. Although they are responsible for the whole .name TLD, it is still a sort of vendor locking. If all .name providers supported such a service, things would look much better.

To sum things up, a possible answer for the claims about OpenID, Trust and Vendor Locking is to simply highlight the benefits of delegation and provide all of the necessary technical means needed to make this as easy as possible.

Below is a list of a couple of ideas I thought about (some are more wishful thinking, since they don’t depend on the OpenID community alone) which might make things easier for everyone:

  • Support for OpenID for .name domains available with all the .name providers
  • Built-in support for Delegation in blogging platforms including hosted ones such as WordPress.com, Blogger, TypePad and the rest (for WordPress blogs that are on your own server/domain you can use my OpenID Delegation plugin :-) )
  • Support for migrating existing accounts in existing sites to an OpenID account, thus allowing users to consolidate their various accounts on various sites into an OpenID account.
  • Support for migration of accounts between OpenID vendors including support in the OpenID spec to figure out a permanent redirection and perform a necessary fix up (similar to a permanent redirection performed in HTTP).

Technology is supposed to make things easier for everyone and lower the barrier of participation so that everyone, regardless of their skills, can use technology for their benefit. Let’s lower the participation barrier for OpenID and let everyone claim their own identity.

7 thoughts on “OpenID, Trust, Vendor Locking and Delegation”

  1. Good post. I would even go so far as to say that without delegation, OpenID is a terrible idea…

    I first heard about this new “OpenID thingy” when I signed up for a Zooomr (http://www.zooomr.com) account last year. Since then, I’ve done a lot of research on it and think it will become a terrific and revolutionary technology. There are some problems that need to be addressed in the security arena, but I’m confident they will be addressed because a lot of smart people are talking about the problems and working on solutions.

    Once I learned about the technology, I decided to use my domain name as my OpenID and delegate to MyOpenID.com as my identity provider. Well, I discovered a problem: my Zooomr account (which is a Pro4Life account) was created using my initial OpenID tied to the myopenid.com domain name. That means I’m stuck. In the unlikely event that MyOpenID.com goes belly up or decides to start charging for services, I’m out of luck. My lifetime pro account with Zooomr is tied to the OpenID associated with the myopenid.com domain name. I can’t sign in to Zooomr without them. This won’t be a problem with any other services in the future because I’m using my own domain name. I can change identity providers whenever I want or even run my own on my server; I own the domain name so I own the keys. But, I don’t own the keys to my Zooomr account.

    So, I think people should be discouraged from using anything as an OpenID other than their own domain name. Otherwise, whatever accounts they create will be permanently tied to their choice in identity provider. This is probably less of a problem with MyOpenID.com, since it is a service by JanRain (developers of OpenID), but for people who choose a less established provider, they may well find themselves locked out of their accounts if that provider goes out of service.

  2. [Apparently, my comment got lost between submitting and registering with this blog. This is a second attempt…]

    Good post. I think your point about the problem of vendor locking is quite important. In fact, I would go so far as to say that people should not use OpenID without using their own domain name. To do otherwise is to completely lock yourself into a particular identity provider and limit your ability to access your accounts based on their availability.

    I first heard about this thing called “OpenID” when I signed up for a Zooomr account last year. I followed a link on their site to create an OpenID with MyOpenId.com. Since then, I’ve done a lot of reading about OpenID and think it is a fantastic idea that will really take off in the future. (There are security concerns that need to be addressed, but a lot of smart people are talking about them and working on solutions and I’m confident they’ll be worked out.) Since getting into the whole OpenID movement, I naturally decided to use my domain name as my OpenID (while still using MyOpenID.com as my identity provider).

    Now, the problem is that my Zooomr account is tied to my old OpenID. Essentially, my ability to access my Pro4Life (lifetime pro account) with Zooomr is dependent on the continued availability of my OpenID with MyOpenID.com. If they ever stop offering services or charge for their services, I’ll be cut off from my Zooomr account. … This kind of scenario won’t be a problem in the future because now that I use my domain name as my OpenID, I control the keys to my accounts. I can change identity providers whenever I want–or even run my own OpenID service on my server. In reality, I doubt I have much cause for concern because MyOpenID.com is probably the last identity provider that would go belly up, but even so you never know. It’s not too hard to imagine a scenario where a user creates an OpenID with some identity provider (such as “OpenID-Startup.com”) and then creating lots of accounts with different services using that OpenID only to find one day that OpenID-Startup.com went belly up and is no longer in business. Suddenly, the user can’t access any of his accounts!

    True, companies that allow users to sign up using an OpenID could provide a method of associating multiple OpenIDs with the account. I’d consider this an essential element of an OpenID implementation. (It appears this blog is one such application.) But, the typical user isn’t going to (A) have more than one OpenID, (B) go to the trouble of associating multiple OpenIDs with every account he or she creates. So, once OpenID-Startup.com goes belly up, it’s too late…the user can’t sign in to add an alternate OpenID provider.

    To summarize a long comment: the only way to truly avoid being locked into a particular OpenID vendor is to use your own domain. Zooomr people: If you happen to read this, let me change my OpenID!

  3. Andrew, I usually approve comments, so if they are not appearing straight away that’s OK. Your first comment did not vanish, it was pending approval. I’ve approved both of them (just in case you added something additional in the second one).

    Regarding your problem, it is not true you need your own domain.

    The problem in some cases is that if you register to a site that supports OpenID and also acts as a Provider (provides you OpenID like Zooomr) as opposed to just being a Consumer (like this blog) you might be in a problem here and that’s something that most users don’t really mind.

    Your URL is in Zooomr not MyOpenID so if MyOpenID goes broke (and I doubt they will any time soon) Zooomr may simply select to change their underlying OpenID provider (which in this case is MyOpenID) so I’m guessing here, there won’t be a problem with that. Of course, taking it to Zooomr would be the best place to get a complete and true answer.

    If you register to an OpenID provider such as MyOpenID (or any other for that matter) prior to joining sites such as Zooomr and you use delegation with your blog, you won’t have a problem.

    Perhaps you can talk with Zooomr and ask them to re-associate your account with a different OpenID. That way you’ll be able to switch to your own domain.

    Regarding multiple OpenIDs, have you seen Jyte (http://www.jyte.com)? They let you associate as many OpenIDs as you have with your account. Perhaps you can convince Zooomr to do the same…

  4. True, you don’t _need_ your own domain as long as websites that accept OpenIDs have a mechanism for changing your OpenID. All sites that accept OpenID should have a way to:
    1. Associate multiple OpenIDs with the account (like Jyte, Ma.gnolia, and others)
    2. Initiate an account recovery in the event that a user’s OpenID identity provider goes out of business and the user hadn’t bothered to take advantage of #1.

    One of the largest hurdles I think OpenID will have to overcome is educating new users. The typical user is not likely to (a) delegate to their own domain, (b) associate multiple OpenIDs with each account they create.

    (To clarify, Zooomr doesn’t force users to use MyOpenID. That’s just the provider I chose when the site told me I needed an OpenID. Zooomr does not, however, have a mechanism for associating multiple OpenIDs like Jyte and Ma.gnolia.)
