AOL announced yesterday that they are going to start accepting 3rd party OpenID logins. This is a great milestone since I believe this is the first big RP to do so. However, they also adopted the concept of ‘OpenID Whitelist’ which brings up a couple of interesting questions:
- Is this the right thing to do? OpenID strength lies in it’s ‘distributed nature’ and the ability for the user to control his own identity. Only allowing ‘selected providers’ negates that. I personally believe that “if OpenID has to move up the value chain then ‘whitelisting’ is inevitable”. However, I mentioned this in a barcamp a few months ago and most of the participants disagreed. They thought it’s against the spirit. The ability to run their own OP is why they like it more than the other identity systems. At the end of the day, it has to be the RP’s decision. AOL approach, however, might set a precedent for other RPs .
- The second issue is a follow up on the first one – ‘As an RP, how do you decide which OP to add to your whitelist?’
As it turns out, SignOn.com is not in their initial list. I talked to the AOL folks and they promised to add it during their update next week. Fair enough. However, this model isn’t scalable. Given the distributed nature of the protocol, it doesn’t seem right for IdP/OPs and RPs to individually contact each other to maintain this list. Isn’t there a need for an OP Reputation, a.k.a. qualification, a.k.a certification suite that the RPs can leverage? There can be some objective analysis for the OPs:
- How long have you been in existence?
- What form of authentication do you support?
- Do you support https?
- What’s your account recovery process?
- How do you handle spamming?
- Do you support Attribute exchange?
- Do you support PAPE?
- What’s your registration process?
- Are you OpenID compliant (wait…that’s another big topic)?
- Do you charge your users?
- Do you have a cool logo?
So far the adoption for OpenID has been driven by the IdPs/OPs (it’s pretty apparent by the imbalance in the number of OPs and RPs). However, I believe the OP Reputation suite has to be driven by the RPs. They are closer to the problem and have a real need to filter out the unreliable OPs. I hate to volunteer others (well..not really ?), but it will be great if the AOL folks can take this initiative.