Portland, Oregon's JanRain, leaders in the OpenID movement, put on a PR push this week to promote what they say is the imminent approval of OpenID 2.0's final draft. Specifically, they say that they expect the final signatures to be penned on Monday at the upcoming Internet Identity Workshop.
General consensus is that it's the finalization of 2.0 that many big players have been waiting on. Remember when Digg said they would support OpenID, for example? In theory, this is what they and many others are waiting on.
Here's how I explain OpenID. Once you register an OpenID with any of a number of vendors (like JanRain's MyOpenID.com) then you can login with it anywhere that supports OpenID login. You can also use your existing accounts from a growing number of services as an OpenID login, like AIM, Bloglines, WordPress, etc.
What's the value for the user?
Those are some of the high level benefits, I believe. I'm excited about OpenID, I want it to proliferate and any time I find a new service that supports it - I am happy. For more detailed and informed enthusiasm, check out Sean Ammirati's post here on Read/WriteWeb yesterday. If you're interested in core critiques of OpenID, check out Wendy Boswell's excellent post on the subject at Lifehacker.
After a long, long time of political infighting over either semi-relevant minutea or deal-breaking technical details (depending on your perspective) it sounds like the 2.0 spec is finally here. It's stronger, smarter and better looking. Allen Stern has done a good job spelling out the improvements that JanRain says are in 2.0.
I'm here to bring the bad news, though. It's not a pretty picture but I hope I'm wrong and everything turns out great. That said...
Google's release last night of OpenID login support for commenting in the experimental verison of Blogger is...an interesting start. It's great news that they accept inbound OpenID (you can login to leave a comment with your AIM username), that they make using it relatively clear with a drop down menu of options and that they are doing it at all. But could there have been a more marginal use case than commenting in this version of Blogger?
Meanwhile everyone else among the big players is offering to authenticate their users elsewhere, at most. Big deal. AOL, who made this move first, is great for headlines but how much have they actually done to get the millions of people with AIM usernames to know about and use OpenID? Darned near nothing.
I asked JanRain who was going to be announcing support for OpenID with them on Monday and who among the big players was going to support inbound OpenID - the truth is, they don't have anything. I asked what the biggest site I could login to with my AIM username was and you know what they said? Plaxo and Zooomr. Cool, I love Zooomr.
Growth in general seems down, in fact. In a good presentation on the topic in February of this year, now former JanRain CEO Scott Kveton cited a 7% weekly growth in websites adopting OpenID. JanRain now claims a 5% weekly growth rate. Something exciting needs to happen to get more players on board, big and small. Hopefully 2.0 will be that exciting event.
One of the important new directions for OpenID 2.0 is what's called Attribute Exchange. It's a means of passing more than just an authenticated username on to sites where you login with your OpenID. Engagement with Attribute Exchange is not a big part of the 2.0 marketing push, though. JanRain is not talking to vendors about it and it's unclear when if ever anyone will implement it. They are focusing on the single sign on factor only.
Why would a big vendor want an inferior user profile without any info but a user name? In theory, those profiles are better than no profiles at all - but that's not a realistic position for OpenID advocates to approach big vendors.
While Facebook is busy shooting my Yelp and Overstock.com actions over to my profile page newsfeed, and then reversing position again after a huge PR event/backlash, what's JanRain doing about user control over data? They don't want to talk about it yet. Well, those conversations are happening - everyone else is engaging with relevant issues beyond mere single single sign-on.
Do you use your OpenID login to leave blog comments around the web? I do sometimes, but I cringe when I think about people clicking through to my OpenID user page. There's almost nothing there about me. It's nearly a dead end. I want people to come here or to my personal blog. In a time when lifestreaming apps aggregating all my data from across every place I act online are becoming a dime a dozen - why aren't OpenID vendors doing something to spice up my profile page?
This is more than just cosmetic. Let me display data in my profile and let me chose to share it with some of the places I login to with OpenID.
I've seen the forthcoming "personalized profile pages" for MyOpenID and they are hardly a sneeze more rich than the existing profiles. It's really disappointing. I'd rather use MyBlogLog, let Yahoo! data-mine my life online and horde all the data for themselves - at least I've got a functional profile page with them. ClaimID appears much better about this than MyOpenID.
These are huge problems and I think everyone knows it. OpenID is too hard to add to your site, it's too unfriendly to login to as a user and while messaging is improving - thank goodness - for a world-changing phenomenon whose advocates say it's a no-miss sure-win, it sure does lack a message with zing. Single sign-on is ok, but isn't a good poem one that communicates both simple and complex meaning in the same words?
I asked JanRain about this and you know what they said? They said that's what the OpenID Foundation is for. The provider of the code libraries used by 90% of the OpenID relying parties on the web said that ease of use and communication with users is someone else's problem. The OpenID Foundation, bless their hearts, is a group with no web page of its own (look at this awful URL), leadership that's busy with their day jobs and a claim on its page that it's "currently working on creating a funding and sustainability model for the organization."
No one here has any money. JanRain is in fund raising mode and has been for a long time. They say their cash cow will be Pibb - a beautiful, full featured, OpenID-centric, souped-up chat/IRC type service. Now if you're Meebo, with heavyweight VCs making introductions for you, then maybe you're going to be able to monetize a chat platform. But if the organization leading the charge on OpenID is hanging its hopes of viability on monetizing a chat platform for which the primary use cases are BarCamp and Ron Paul fans - we're in trouble.
Next week is going to be important. I wish I was going to be at the Identity Workshop. I'm cheering for this stuff to fly. I want it to rock. I'm not holding my breath, though.
Listed below are links to blogs that reference this entry: The Troubles With OpenID 2.0.
TrackBack URL for this entry: http://www.readwriteweb.com/cgi-bin/mt/mt-tb.cgi/1800
The open identity system OpenID 2.0 was announced today at the Internet Identity Workshop in Mountain View, after what Marshall Kirkpatrick recently described as "a long, long time of political infighting over either semi-relevant minutea or deal-break... Read More
Comments
Subscribe to comments for this post OR Subscribe to comments for all Read/WriteWeb posts
You might want to browse this link as well. It's a good round-up of the problems with OpenID:
http://www.idcorner.org/?p=161
One piece of advice people never give: you should only use an OpenID url that you *OWN*. Otherwise you can never change providers and you could be completely locked out of some of your accounts.
Posted by: engtech | November 30, 2007 9:29 AMMarshall, this is really an awesome problem definition and very timely. OpenID usability is a big issue for us and I'm attending the event next week specifically to dig into this.
If you have a list of questions, I'm happy to bring them up.
Posted by: sameer | November 30, 2007 9:55 AMgreat point engtech
I would be all over leading the marketing for OpenID.
Posted by: allen stern | November 30, 2007 9:57 AMWhy would I want a single ID for everything I do online? It's already bad enough with Microsoft's Live ID that I can't have different IDs for different sites without it defaulting one site's login to the ID used for an unrelated site. Also, I would rather not have a single Google query return everything about me.
Posted by: Julan Gall | November 30, 2007 10:00 AMJulan, those are issues that OpenID providers acknowledge and JanRain at least (if they don't mind my talking about them ever again!) is looking to enable different usernames associated with the same login via their protocol. Who knows if and when, though.
Posted by: Marshall Kirkpatrick | November 30, 2007 10:05 AMWe can use our own URL and with any OpenID provider, therefore when some one clicks on my OpenID url, they may see my blog, my claimID page or anything else which I want to put there. Yes it is true that there is no consistency in features that different OpenID service providers support. I like ClaimID as my OpenID service provider, because on ClaimID I put links to all my profiles on Internet, ClaimID also lets user to put much more information on their profile pages.
Posted by: Gaurav Kanoongo | November 30, 2007 10:07 AMThe solution to the feed problems is actually quite straightfoward at a high level. As per usual, the technical details will need to be figured out. Essentially: COMBINE OpenID with OpenSocial and Facebook Beacon.
I sign up to a site my social network provided ID (omar.ismail.facebook.com or omar.ismail.plaxo.com) and when I perform actions on a site, the site can publish those actions to my openid using a standard protocol. So when somebody starts a report on ProductWiki the software can just make a post request to omar.ismail.facebook.com with the standard fields filled in, and it all gets handled by Facebook's feed system. Or an OpenSocial feed system.
Once OpenSocial and OpenID combine, then you'll have a true distributed ID system that is very useful. The other great side effect of this approach is that you also get network linking. So let's say my primary account is with MySpace, I can sign up to Ning with my myspace openid, and so everything I do on Ning, or my friends do actually shows up on my MySpace home feed. Which then gets published as an RSS which I can consume with Google Reader.
That's my ideal future. And all the pieces are there, we just need a next iteration to put them all together.
Posted by: Omar | November 30, 2007 10:13 AMOh, and i just wanted to add, that using delegates you can make a lifestream service act as a middleman to your OpenID provider like MyOpenID. So your name would link to your blog, or lifestream or whatever, but the real authentication happens with myopenid. That's one of the benefits of OpenID.
Posted by: Omar | November 30, 2007 10:15 AMI think all the points you raise, while valid, aren't as much a technical criticism of OpenID 2.0 itself but of the implementation of OpenID around the Tubes.
In summation, I get from your post that (1) the Big Boys are too slow to support accepting OpenIDs, (2) No one is using the very useful Attribute Exchange, (3) OpenID URLs, when visited via a web browser, are lame, and (4) JanRain isn't doing a good enough job evangelizing. Shouldn't this post then be titled "The Troubles with OpenID adoption"?
I'm not sure we should be blaming one small company (JanRain) for stagnant growth of OpenID over 2007. OpenID is of course open, nobody owns it, and so the entire OpenID community should work to see it succeed.
Posted by: Luigi Montanez | November 30, 2007 10:16 AMLuigi, that's a great comment. Thanks.
Posted by: Marshall Kirkpatrick | November 30, 2007 10:21 AMPerhaps I'm skeptical to a fault, but I think we're going to have to tolerate quite a few more tweaks and adjustments to OpenID before it's accepted enough to be generally considered universal. It will take another Jobs-Gates summit or Google/Facebook/MySpace/Yahoo joint agreement or everyone is going to point fingers at flaws to differentiate their safety/security/service.
What we need here is the Web 2.0 version of Jimmy Carter.
Posted by: Jason Falls | November 30, 2007 10:30 AMI logged on to Zooomr.com through a LiveJournal account authenticated OpenID. When I tried to match it with my other accounts, I couldn't. I must be doing something wrong but I'm suspecting that OpenId is not as intuitive as I thought it was.
Posted by: The Pageman | November 30, 2007 11:39 AMMy OpenId /is/ my homepage -- it's called delegation.
Posted by: Stephen Paul Weber | November 30, 2007 1:10 PMThanks for the plug Marshall. Simon Willison has a nice writeup on how to delegate your OpenID url over to your blog URL
http://simonwillison.net/2006/Dec/19/openid/
Posted by: Ian Kennedy | November 30, 2007 3:28 PMI have to agree with you on a lot of this.
As a "geek," when I heard about OpenID, I was really excited about it...but it's stagnated. I use my own site as my OpenID (delegated to ClaimID), but it hasnt proven useful beyond blog comments yet -- which is also another problem with it. It really doesnt make sense for most people to use your LiveJournal or AIM screen name as your identity across the Internet -- and most people don't have blogs or other sites that they can delegate from.
Can you even imagine explaining OpenID to your luddite friends? Without some massive marketing, I don't seen OpenID going beyond the 20% (a liberal estimate) of the public that's tech-inclined.
Posted by: Ravi | November 30, 2007 5:34 PMReally good article and some inspiring comments. I notice that several of the people commenting are talking about (without necessarily being readily aware of) the issues with "usability" you mentioned surrounding OpenID, i.e. being simply unaware that they can delegate their OpenID so they don't have to use the OpenID URL provided by AOL/LiveJournal/Provider-X.
I honestly have thought for years how really awesome it would be to have a really good (or even decent) single sign-on system for numerous websites -- after all, porn sites have had consolidated age verification systems from pretty near day-1, so what was the hold-up with single sign-on?
(Even though I personally didn't want to use any that might be provided by Microsoft, less because of Microsoft than because I know how many hundreds of Microsoft-hating technophiles are constantly on the prowl for the next major security vulnerability they can exploit. IMO better to use "store-brand" service in exchange for a product that isn't under a constant "seek and destroy" microscope.)
I'm actually really glad to see that there is a good start on a standard and honestly there are a lot of great ideas in it that I hadn't antiscipated... and yet... there's that usability issue that always crops up and is always a barrier to adoption. In my case I'm a tad disheartened that the OpenID "username" being promoted (required?) is an http url. And I say this as a professional computer programmer myself -- even if the standard allows them to be http urls, if I'm being honest, it seems like they should be both allowed and encouraged to be something easier for the average person to remember and use.
One albeit crude example is a .name email address, like billy.joe@jackson.name. Imo it's still less than ideal partly because of the whole spam issue, but certainly easier to remember and more intuitive for the average "joe" than "http://www.ebay.com/ladiesman217". I'm not saying "use email addresses" (probably too late to make the suggestion anyway), but imo there needs to be some push to simplify the "simplified" single sign-on system for not only the implementers but the consumers also in order to improve adoption.
And on a totally unrelated point, after reading and thoroughly enjoying this article and the comments, I can't help but post this url which explains how I might have enjoyed this article even more: http://snapsucks.org/.
Posted by: ike | November 30, 2007 8:17 PMSo is there any more disputes about who is trespassing who on the use of R-Object's OpenID trademark?
And myopenid.com and openid.net are in agreement now? etc..
Posted by: 113.com | December 1, 2007 12:07 AMAs several people have mentioned by now, you can use OpenID delegation (http://wiki.openid.net/Delegation) to use your personal site as your OpenID.
It works without a hitch. I've been doing it for months now.
The added advantage is that you can change your OpenID provider easily. No provider lock-in.
Posted by: Wim Leers | December 1, 2007 11:57 AMSo why can't I use OpenID to comment here? If this is based on WordPress you can install WP-OpenID:
Posted by: b√∏rge | December 1, 2007 7:13 PMhttp://wordpress.org/extend/plugins/openid/
Geez Marshall, a little advice ... never blog angry ... :-)
I'm not sure exactly what this post is about. Are you frustrated with OpenID or JanRain? JanRain is but one company in a large eco-system trying to push for OpenID adoption. In any case, there are a few clarifications I'd like to make:
* OpenID is only just 3 years old as of this month. This stuff takes time and something as big as an identity metasystem is absolutely ginormous when you consider it breaks one of the underpinnings of how people will describe usage of their sites; number of user registrations.
* I liken the adoption of OpenID to that of RSS ... users don't know/care what RSS is but just about every single user in the world now uses RSS on a regular basis. The same thing will happen to OpenID. Users don't care about technology or the underlying acronyms, they just want it to work.
* The OpenID Foundation site is at http://openid.net/foundation ... I'll make a reference on the wiki from the page you mention above.
* The OpenID Foundation has been working tirelessly over the last few months (just take a look at the board list postings) on developing an IPR policy (this is actually really hard), spinning up the non-profit and creating a membership program (which helps with the sustainability part). Honestly, I wish I could be spending more of my time on evangelism too, but we have a commitment to keep with the OpenID community to make sure this technology is in good hands.
* The OpenID trademark is currently owned by R-Objects, Inc. which is a company owned by Johannes Ersnt, an OpenID Foundation board member. He has stated publicly several times that he will transfer the trademark to the OpenID Founation after it is fully formed and a policy has been built out.
* Take it easy on JanRain, they are a good team of folks and the best is yet to come outta those guys (of course I'm biased because I used to be there) ... :-)
I *think* that's about it ... :-)
I will head into the realm of pure speculation though. I believe that OpenID is just a technology. Technology for the sake of technology never works. I'll come back to the example of RSS again. RSS by itself is pretty lame. But when you build something like Feedburner with it, it gets pretty interesting. The same thing will happen with OpenID. As Tim O'Reilly said, "its the data stupid", the same will be true here. Some application that uses OpenID to empower users to either control, better manage or share their data will be the real winner here.
Posted by: Scott Kveton | December 2, 2007 4:58 AMI'd love for someone to build a single unified service out of all these open standards, a kind of people's facebook.
Posted by: Charlie | December 2, 2007 5:17 PMwhat about the back door? can someone, say our favorite government, find out everything i have said or done on the web byt just making friends with an open id vendor? seems a total scam to me, part of the collecting data for more targeted ads, at best, and total loss of privacy at worst... what am i missing?
Posted by: gregory | December 3, 2007 7:03 AMTotal agreement. There's a very interesting company solving a lot of these exact problems though which we're planning to use next year - Clickpass. Definitely worth looking at.
Posted by: Walid Al Saqqaf | December 3, 2007 9:04 AMGreat article. It's awesome to keep the fires burning on the OpenID front. Also good advice for those implementing OpenID.
You're absolutely right about the "zing" that's need for it to catch on. Single sign-on doesn't register with most consumers because consumers just use the same ID and password for the "less secure" sites.
Posted by: Eric Engleman | December 3, 2007 4:44 PMPhilosophically, I have been having a few problems with the OpenID approach for some time. It seems to be on the right path but not going quite enough for me. Frankly, I think the incorporation of XRIs is a GOOD thing. Sure there are issues to work out but the OpenID approach does not excite me that much.
I wrote what I think of an Internet Identity and how it should work here http://rajeev.name/blog/2007/12/08/openid-20-is-final-what-does-it-really-mean/. Love to hear your thoughts on it.
Posted by: Rajeev Karamchedu | December 8, 2007 7:18 AM