OpenID Dogfight
23 Sep 2007
For a while I had the impression that I was the only one who could see problems in OpenID. I'm happy that this is not true; I had just been out of the blogosphere for too long. In the last few days I have tried to catch up on the recent (roughly the last year of) blog posts ...
Stefan Brands' post "The problem(s) with OpenID" lists a lot of problems with OpenID. It is a bit aggressive, and it looks to me that he is unnecessarily harsh in some cases. He also includes marketing bits for Credentica in the post, which I do not like. But generally I must agree with Stefan, as I have the same feeling about OpenID's security and privacy features.
David Recordon tries to respond in his post "Stefan Chooses to Take the "Fox News" Approach to OpenID Blogging". He accuses Stefan of spreading FUD, but he does not provide much himself. David's post is written in the open-source marketing style which I happen to hate. I must admit that David has some points (e.g. referring to OpenID work in progress), but he does not have a solution or answers to all of Stefan's concerns on the matter.
And then there is Kim Cameron. In his post titled "We need a spectrum" he tries to justify OpenID's existence as a simple protocol for Internet SSO. I do agree that a trivial protocol is needed, at least as a migration path to some real solution. But that does not justify why it has to be OpenID in its current state.
My conclusion about OpenID is still the same. OpenID's design is broken. Fundamentally. That is the bad news. The even worse news is that it will probably gain acceptance anyway. Some market demand is there, and if there are no viable alternatives (at an "almost free" price level), OpenID can succeed. But it will be a marketing success, not a technical one. We have seen that happen too many times in history (with Microsoft being the most obvious example).
But there is good news as well. I think that OpenID can be fixed to provide a simple (but sufficiently reliable) SSO system for low-value applications. But it will require substantial work (read: a "complete rework"). My recommendation to the OpenID people is to stop the marketing nonsense and go back to the drawing board.
I quite wonder when Estonians will try to use OpenID for e-government. However foolish it may be, I think that they will try. They do this kind of thing.