OpenID Whitelist

AOL announced yesterday that they are going to start accepting third-party OpenID logins. This is a great milestone, since I believe this is the first big RP to do so. However, they also adopted the concept of an ‘OpenID Whitelist’, which brings up a couple of interesting questions:

  • Is this the right thing to do? OpenID’s strength lies in its ‘distributed nature’ and the ability for users to control their own identity. Only allowing ‘selected providers’ negates that. I personally believe that “if OpenID has to move up the value chain, then ‘whitelisting’ is inevitable”. However, I mentioned this at a barcamp a few months ago and most of the participants disagreed. They thought it’s against the spirit. The ability to run their own OP is why they like it more than the other identity systems. At the end of the day, it has to be the RP’s decision. AOL’s approach, however, might set a precedent for other RPs.
  • The second issue is a follow-up to the first one: ‘As an RP, how do you decide which OPs to add to your whitelist?’
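
Whatever an RP decides to put on its list, the mechanics matter as much as the membership. As an added illustration (this is not code from the post and not AOL’s implementation; the host names are constructed), the check below applies the whitelist to the OP endpoint URL that OpenID discovery yields, and compares the parsed host name exactly rather than looking for an allowed name anywhere in the URL. The contrast with a naive substring check shows why: userinfo before an ‘@’, query strings and look-alike subdomains can all contain an allowed name while the request actually goes elsewhere.

```python
from urllib.parse import urlsplit

# Constructed sample whitelist of OP endpoint hosts (hypothetical, not AOL's list).
ALLOWED_OP_HOSTS = {"openid.example-op.com", "op.example.net"}


def op_endpoint_allowed(op_endpoint, allowed_hosts=ALLOWED_OP_HOSTS):
    """Return True only if the discovered OP endpoint URL is on the whitelist.

    The decision is made on the parsed host name (exact, case-insensitive match),
    https is required, and anything that cannot be parsed is rejected.  The URL
    is the OP endpoint obtained through discovery, not the user's claimed
    identifier: with delegation a claimed identifier on any domain may point at
    a whitelisted OP, so the identifier's domain says nothing about the OP.
    """
    try:
        parts = urlsplit(op_endpoint)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lower-cased, with userinfo and port stripped
    if not host:
        return False
    return host in allowed_hosts


def naive_substring_allowed(op_endpoint, allowed_hosts=ALLOWED_OP_HOSTS):
    """The tempting but wrong version: accept if an allowed name appears anywhere."""
    return any(host in op_endpoint.lower() for host in allowed_hosts)


# Constructed sample endpoints; each comment states the expected verdicts.
SAMPLE_ENDPOINTS = [
    "https://openid.example-op.com/server",                      # both True
    "https://OPENID.Example-OP.com/server",                      # both True (case-insensitive)
    "https://openid.example-op.com@attacker.example/server",     # naive True, strict False (userinfo)
    "https://attacker.example/?return=openid.example-op.com",    # naive True, strict False (query)
    "https://openid.example-op.com.attacker.example/",           # naive True, strict False (subdomain)
    "http://openid.example-op.com/server",                       # naive True, strict False (no https)
]


def compare_checks(endpoints=SAMPLE_ENDPOINTS):
    """Return {endpoint: (strict_verdict, naive_verdict)} for a list of URLs."""
    return {url: (op_endpoint_allowed(url), naive_substring_allowed(url)) for url in endpoints}


if __name__ == "__main__":
    for url, (strict, naive) in compare_checks().items():
        print(f"{'ALLOW ' if strict else 'REJECT'}  (naive says {naive!s:5})  {url}")
```

The https requirement mirrors the ‘Do you support https?’ question an RP would ask before listing an OP; once the OP is on the list, there is no reason to accept a downgraded endpoint for it.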

As it turns out, is not in their initial list. I talked to the AOL folks and they promised to add it during their update next week. Fair enough. However, this model isn’t scalable. Given the distributed nature of the protocol, it doesn’t seem right for IdPs/OPs and RPs to contact each other individually to maintain this list. Isn’t there a need for an OP reputation, a.k.a. qualification, a.k.a. certification suite that RPs can leverage? There can be some objective analysis of the OPs:

  • How long have you been in existence?
  • What form of authentication do you support?
  • Do you support https?
  • What’s your account recovery process?
  • What’s your privacy policy?
  • How do you handle spamming?
  • Do you support Attribute exchange?
  • Do you support PAPE?
  • What’s your registration process?
  • Are you OpenID compliant (wait… that’s another big topic)?
  • Do you charge your users?
  • Do you have a cool logo?

So far the adoption of OpenID has been driven by the IdPs/OPs (as is apparent from the imbalance between the number of OPs and RPs). However, I believe the OP reputation suite has to be driven by the RPs. They are closer to the problem and have a real need to filter out unreliable OPs. I hate to volunteer others (well… not really), but it would be great if the AOL folks could take this initiative.