Trust (using the word here in a broad, abstract way) has been one of the strongest reasons for OpenID adoption. The spec does not require OPs and RPs to get together and discuss key exchange, business value, liability issues, attribute data and so forth. OPs and RPs work independently of each other, and as long as they adhere to the core specification, things just work.
Trust has also been one of the most critiqued areas of OpenID. As an RP, why should I outsource my user authentication to someone I have never even interacted with? Call me crazy, but I don’t feel like accepting users from Iwillstealyourusers.com. There have been suggestions that it should be acceptable for low-value transactions. But then, there is no definition of a low-value transaction. And value, like beauty, lies in the eyes of the beholder.
All that led to the discussion of an OpenID whitelist. One might argue that it’s against the spirit of OpenID: anyone should be allowed to run an OP without contacting all the RPs to be added to their whitelists. On the other hand, it gives the RPs a cozy feeling to only have a handful of trusted OPs (which, by the way, there is no way to determine; but that’s a topic for some other day).
One of the ways the concept of a whitelist can manifest itself is for OPs to provide an ‘OP button’ for the RPs. Yahoo did exactly that a couple of months ago. It’s good for users, since they don’t have to remember their OpenID URL, and the user experience is much better. Most of the RPs (at least the current crop) won’t mind accepting users from Yahoo. I figured sooner or later Google and Microsoft will join the OP list (along with AOL) and have their own set of buttons that RPs will happily accept; practicality will take over; the OpenID identifier as we know it today will go under the covers; the small OPs will cease to exist. We’ll all wait for a couple of years and then start over.
Except… ClickPass launched last week with its own button. There are still some discussions on the what and the why of ClickPass. But beyond that, it does paint a picture of what future RPs might look like: a Nascar billboard (with buttons and branding from every OP)… or something like this building.
This is where the discussions get into discovery, which is a really hard issue to address.
- This is how social news sites address this:
- This is how RSS Readers address this:
- This is how SAML addresses this: Okay… let’s not go there
The common pattern – a Nascar billboard.
So… David and I spent some time talking about this. This is still a ‘thought in process’, but I wanted to write it down before I get heads-down into the RSA preparations.
- The user shouldn’t need to type the OpenID identifier.
- There should be one OpenID button. Not two. Not three.
- The RPs shouldn’t need to host the Nascar billboard (and hence add an icon every time a new OP comes on board).
- The user should be in control of his identifier and who to share it with.
IMHO, this is how it should work from a user’s perspective:
- I signup with any OP of my choice. Or setup my own OP.
- I enter my identifier once. On a client side component. Either a browser extension/plugin or a desktop client.
- I visit the RP and click on the single OP button. It invokes the client component, which verifies that I want to share my identifier.
- On clicking okay, it redirects me to the OP and the rest of the OpenID flow resumes.
- If I don’t have the extension or haven’t picked an OP yet, it redirects me to a central (OIDF/Community hosted) Nascar page.
- The central Nascar page should host the OPs logos/buttons. It should allow me to pick my OP and redirect me back to the RP.
- Additionally, the central Nascar page should allow me to sign up with a listed OP (redirect), add the selected OP to my client component, and enter my own OP (text field).
- No registration should be required by the Nascar page.
- What should be done to be listed on the Nascar page? Well… that’s where some of the existing work being done by SpreadOpenID, OpenIDDirectory and Nat comes into play.
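To make the flow above concrete, here is an added example (written for this post, not code from the post, from ClickPass, or from any OpenID library) of what the RP side of the single button could do in the browser. The `window.openidClient` hook that the extension or desktop client would inject, its `getIdentifier()` method, the picker URL, the `openid_identifier` return parameter and the allowlist are all assumptions for the example; the identifier normalization follows the rules in OpenID Authentication 2.0 section 7.2.

```javascript
// Added example, not code from the post. window.openidClient, getIdentifier(),
// the picker URL, the return parameter name and the allowlist are assumptions.

const CENTRAL_PICKER_URL = "https://picker.example.org/choose"; // assumed community-hosted Nascar page

// Normalize a user-supplied identifier the way OpenID 2.0 section 7.2 describes:
// XRIs pass through, URLs get an http:// scheme if none was typed, the fragment
// is dropped and the host is lower-cased. Returns null for empty or unparseable input,
// so the RP never starts discovery on junk from the client or the picker.
function normalizeIdentifier(raw) {
  const s = String(raw || "").trim();
  if (s === "") return null;
  if (s.startsWith("xri://")) return s.slice(6);
  if ("=@+$!".includes(s[0])) return s; // XRI i-name/i-number, left to XRI resolution
  const withScheme = /^https?:\/\//i.test(s) ? s : "http://" + s;
  let url;
  try { url = new URL(withScheme); } catch (e) { return null; }
  url.hash = "";
  url.hostname = url.hostname.toLowerCase();
  return url.href;
}

// Decide what the single button does. clientComponent is whatever the extension
// injected into the page (null when it is not installed). getIdentifier() is assumed
// to return null when the user declined to share or has not picked an OP yet; in
// both cases, and when nothing is installed, the user goes to the central picker.
function resolveButtonAction(clientComponent, rpReturnTo) {
  const toPicker = {
    action: "redirect",
    url: CENTRAL_PICKER_URL + "?return_to=" + encodeURIComponent(rpReturnTo),
  };
  if (!clientComponent || typeof clientComponent.getIdentifier !== "function") return toPicker;
  const identifier = normalizeIdentifier(clientComponent.getIdentifier());
  if (identifier === null) return toPicker;
  return { action: "begin", identifier }; // RP now runs normal OpenID discovery
}

// When the user comes back from the picker, the chosen identifier arrives in the
// query string (parameter name assumed). It is treated exactly like typed input.
function identifierFromPickerReturn(locationSearch) {
  const params = new URLSearchParams(locationSearch);
  return normalizeIdentifier(params.get("openid_identifier"));
}

// The whitelist question from the top of the post. The check belongs after
// discovery, on the OP endpoint discovery produced, because delegation means the
// identifier's host says nothing about which OP will actually answer.
function isAllowedOp(opEndpoint, allowedHosts) {
  let host;
  try { host = new URL(opEndpoint).hostname.toLowerCase(); } catch (e) { return false; }
  return allowedHosts.some((h) => host === h || host.endsWith("." + h));
}

// Constructed sample: a fake client component that already holds an identifier.
const sampleClient = { getIdentifier: () => "alice.op.example.net" };
console.log(resolveButtonAction(sampleClient, "https://rp.example.com/openid/return"));
console.log(resolveButtonAction(null, "https://rp.example.com/openid/return"));
console.log(isAllowedOp("https://op.example.net/auth", ["example.net"]));
```

The only thing the button itself needs to know is whether a client component answered; everything the component or the picker hands back is normalized and then goes through ordinary discovery, and the allowlist (if the RP wants one at all) is applied to the discovered endpoint rather than to the button.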
As I write this, I do notice the similarities with the CardSpace flow. Ergo… it will be interesting to see if MS (now a member of OIDF) adopts OpenID in the client.