Google To Announce Major Identity Initiative for 1 Million+ Companies and Schools
Google plans to announce in coming weeks that it is turning each of the one million plus Google Apps customer domains into an OpenID provider, enabling millions of people to log in to OpenID-supporting websites with their work, school or organization ID.
"For these organizations," Google Security Product Manager, Eric Sachs, wrote on the public OpenID Board mailing list this morning, "Google Apps can now become an identity and data hub for multiple SaaS providers." Sachs appeared to believe his email was not being posted to a public board; he asked that it not be circulated so that some unusual technical work could be completed and political support shored up in the face of likely community and press cynicism. There's good reason for that - it may not be the good news it seems to be.
But First, A Word from OpenID's New Sponsor
OpenID is important not just because it makes logging in to sites around the web easy, with one username and a secure password, but because it's a way for people or organizations to maintain control over their own identities and data. There are no policy changes you don't approve of when you're in control.
Google's Sachs explained in his email that in order to pull this all off, OpenID relying parties will need to be redirected from the domain provided at user login over to Google's OpenID service. In order for this redirect to happen, all relying parties will need to start looking for a new OpenID extension that Google has developed and implemented in conjunction with one relying party technology, JanRain's RPX.
"There is the potential for some community members (or press) to assume (or at least imply in articles) some evil intent by Google to co-opt OpenID with these extensions," Sachs wrote today. "It would be nice to have a blog post on the formal OpenID blog that was supportive of our approach, so I wanted to see if the board members are comfortable with that."
Watching to see if the nonprofit OpenID Foundation will speak out in support of Google's forcing the rest of the industry's hand with new code extensions that are required to recognize the users of one million Google Apps customer accounts will now be a spectator sport.
Getting the Job Done
On the other hand, if one were to put a group of well-intentioned people in a room and ask them to solve the sticky problem of asking millions of organizations to adopt OpenID provider infrastructure - that might not ever happen. Enter Google's largess and the "proposal" that federated identity for all these companies and schools can be outsourced to a centralized player, Google, and OpenID might get a big boost in adoption. Companies and schools using Google Apps will now only need to flip a switch in their Google Apps admin controls to turn on OpenID support, and Google will do all the heavy lifting.
Caveat Emptor
Presuming that all the sites that let you log in with OpenID decide to play nice and look for Google's redirect (to Google) then the idea of logging in to sites around the web with your favorite, secure account credentials (My Job, Powered By Google) could become far more common.
It might defeat the purpose of putting people in control over their own identities through distributed identity providers, because so many "OpenID" users would be coming back to Google, but the OpenID brand would no doubt benefit in the short term at least. And Google can do no evil, right?
In other words, this move by Google could kill the spirit of OpenID by drowning the letter of OpenID with support. We think we're logging in to websites with our work or school ID, and OpenID lovers think we're logging in with OpenID, but we're actually logging in with a Google-controlled ID. All the heavy lifting would be done, Google would take care of the data storage and probably offer some neat value-added features. All the companies involved would have to do is hand online identity provisioning over to the company that they have already purchased email, calendaring and document sharing from. ("They who can give up essential liberty to obtain a little temporary safety," Ben Franklin once wrote, "deserve neither liberty nor safety.")
At least it's not Facebook!
So goes the wrestling of titans, on the very playing field created by champions of the free and independent little guy.
Share
Facebook
Comments
Subscribe to comments for this post OR Subscribe to comments for all ReadWriteWeb posts
I think that these issues of identity are so crucial for the future of the web. There is definitely a massive battle for the right to provide credentials going on, and you've done a good job covering the different facets.
One question I have is where are the ISP's in this game now? You'd think they would have one of the best claims to validate user identity over the likes of Google or Facebook.
What are the implications of this?
Posted by: Jason Miller
|
July 8, 2009 6:14 PM
Hey Marshall,
As to the new discovery extension which Google was talking about, changing how discovery works in both OpenID and OAuth has been a fairly public conversation over the past six to nine months. That work started as an evolution of OpenID 2.0's current XRDS based discovery into XRDS-Simple and since then into XRD, site-meta and the HTTP-Link element. This work is occurring through a combination of OASIS, the IETF and W3C and was/is largely being coordinated by Eran Hammer-Lahav.
As a member of the OpenID community and one of the specification authors, I've been waiting to see where this work ends up before making a decision as to if I believe that OpenID the technology should move to supporting it. There's general agreement that service discovery on the web for protocols like OpenID, OAuth, Portable Contacts and Activity Streams needs to evolve, though I haven't yet seen a fully baked technical proposal on how to change it.
--David
So much "G news" lately ( Google voice, Chrome OS, now multiple million OpenID providers and consumers )...
...I keep getting that image of the Death Star blowing up at the end of Star Wars A New Hope.
Companies and schools using Google Apps will now only need to flip a switch in their Google Apps admin controls to turn on OpenID support, and Google will do all the heavy lifting.
David, thanks for your perspective and acronyms. Let's chat soon about what's going in the trenches, I'm an armchair pundit compared to you. That said, I hope that the redirect discovery discussed in this post is something that is an appropriate standard and gets related to that way. Right now it reads like, what was the quote from the Sachs email? "some evil intent by Google to co-opt OpenID with these extensions" Few people in this world are intentionally evil though, I believe, and I would not be shocked to find out that there are other things going on behind the scenes that make me change my perspective on this news.
Slowly and surely, Google is becoming the #1 brand in the world of IT. There has been a lot of G! news lately. And this is yet another one - each in a positive direction.
G! believes in people, and in mass. It is clear from their initiaitves and works.
-- Mark (Infrared Sauna)
Thanks for sharing - Let's see how this develops, if not properly communicated there could be a lot of bad press on this from Google cynics. :/
Posted by: James Kuypers
|
July 8, 2009 7:01 PM
It would seem that having Google drive the adoption of OpenID would allow for us non-Google OpenID users to finally have some sites to use our OpenIDs on. Which is a pretty clear win for me.
Jonathan, I can see how the short term self interest of you few thousand early adopter OpenID users would be well served by this - but think long term about the OpenID ecosystem being filled with company brands sharecropping for Google's control over data. That's another way to describe it, it seems to me.
Can we log in with #OpenID yet? ;)
Posted by: Rick Turoczy
|
July 8, 2009 7:46 PM
"We would appreciate this not being circulated beyond the board until it is public."
I'm just sayin'...
I think its interesting they would publish it to a publicly visible board and make this request.
Yes, Mark, I would assume it was a mistake. These are Google's plans though - what do you think of them?
I can see both sides. The hope for standardization based off OpenID's original idea, and the spin to innovate on a proven model.
For many, such as Jonathan, its a clear win. The end user often ignores the method of implementation, and appreciates the simplicity they gather from their activities.
From the back end, I can see the argument, or at least discussion.
Google operates Apps for your domain under a number of constraints.
i.e. They do not have a security certificate for the domain, so they cannot serve SSL/https traffic for the domain so they use their own domain for secure transports.
Premium offers an option to use your internal directory system, so not using the google accounts directly.
I am not sure I want to use openid under unencrypted protocols, I dont know exactly how it will work though but I am waiting for them to offer https for my 3 domains.
Andrew
That's one of the things we do around here, Mark, try to shine a light on interesting back end discussions for folks (like us) that spend most of our time looking at the front end of web apps.
I believe that the identity of these issues is so important for the future network. There certainly is a huge war in the right things to provide credentials, and you have done excellent work on different aspects involved.
Well keep up the great work. I have been reading RWW for a while and appreciate the insight.
hey! what's up? I was surfing the net and I found this website, so I would like to take the opportunity to leave a recommendation. Check http://www.ScanMessenger2.com and you will see that you could find free emoticons about music. You could download those and other funny emoticons for free. Check http://www.scanmessenger2.com/en/s/free-emoticons/ get the best free emoticons and have fun chating with your MSN Messenger friends!
xoxo!
I think this is a move by Google to get richer profile data on people so that they can effectively compete with Facebook...I would assume that all the interaction history would end up on Google Profiles and will be used for fine tuning the ad targeting.
I really think this a way for Google to use OpenID to enhance Google connect and to thwart gains by facebook connect.
Will it work? I am not sure...The security and the usability issues that have long plagued OpenID will determine that... Now if I was a betting man, I would take the wager on this not working out too well for Google.
-jitendra
This is great news! We support OpenID logins through JanRain's RPX on our site and look forward to Google Apps users getting easier access to our sales leads network.
Ian Hendry
CEO, WeCanDo.BIZ
http://www.wecando.biz
It's interesting to note how easy it is to use FB connect.
Hope whatever Google embraces and extends at least equals that experience.
y r they doin that
http://tinyurl.com/nhlhe5
Curious that you caught this Marshall. Eric intended to send this to the private board mailing list, but obviously made a mistake.
I don't think that it really puts Eric or Google in a bad light — and his concerns are justified — given his desire to tie Google's particular implementation of OpenID to a yet-to-be-baked discovery protocol.
To echo what David said — we've needed a conclusive way to do what Google needs to do for some time, so if their action forces XRD to completion, that would be a good thing.
It's important to note that whatever technology solution Google ultimately adopts, it'll most likely be available for ANYONE to implement — and is therefore not a bad thing in and of itself. The only problem is that when a Goliath shifts its weight behind something, it invariably creates a kind of finality — that whatever they adopt becomes the de facto standard. Since they have a certain/specific kind of use case in mind, if the discovery format benefits their approach and is not generic or general enough to benefit other actors in the space, it could ultimately inhibit the adoption of the underlying technology or protocol (in this case OpenID).
Given Eric's framing of this discussion, I'm hopeful that we've made enough progress on the discovery protocol so that that kind of problem does not manifest.
Posted by: factoryjoe.com
|
July 11, 2009 3:14 PM
I like to keep in mind that Google's main objective is to give their customers (i.e. us, the SE users and websurfers) the best possible user experience possible. That's it in a nutshell. I think big changes like these are what makes them the giant they are. They continue to do their main objective very well IMO.
Mac Zuiderduin
Far Infrared Saunas