Johannes Ernst’s Blog

On OpenID’s Relying Party Adoption “Problem”

Just about everybody seems to be complaining that there aren’t enough sites where one can use those hundreds of millions of OpenIDs. (Known as "relying parties" in the jargon.) And there is no denying, it’s a lot easier these days to get an OpenID than to use it.

There are conflicting views on how many OpenID relying parties there are. Our friends at JanRain post that there are about 18,000 by now, which would be respectable. The OpenID Directory knows only of 634. Yahoo!’s OpenID gallery is almost empty, although very clearly underpopulated. But regardless of what the numbers may be, personal experience (certainly true for me) shows that one comes across an OpenID login box on the web far too rarely.

So what’s going on here? Should we worry?

First, let me be clear that if the situation continues the way it is now, OpenID is rather useless. Imagine hundreds of millions of keys, but no locks. Razors but no blades. Credit cards but no merchants taking them. Clearly not something that works. (Yes, Jeff, I agree.)

But there is a Big But: it’s NOT the ratio between available identities and relying parties today that matters to OpenID’s success, but whether the ratio will continue to be the same going forward. I am writing this to convince you that it will not.

The big fallacy by those declaring OpenID to be useless for all eternity is that they predict future market adoption by extrapolating linearly from the current numbers in what is still a very early market. But that’s wrong: new-technology markets aren’t linear, they never have been and they won’t be for OpenID either. So whatever conclusion you personally believe, make sure you don’t arrive at it from linear extrapolation.

The essence of my argument is that OpenID adoption occurs in two totally different customer segments: those adopting it for the purposes of being an OpenID provider, and those adopting it as relying party. (There are additional segments, such as vendors, that are irrelevant for this discussion.)

In my view, identity providers and relying parties are different customer segments in every standard sense of the term: they adopt the technology for different reasons, identity provider and relying party adopters do not reference each other, their value proposition is different, the solution components are different etc. etc. (So far, no surprises here, I’m stating the obvious if you are applying standard strategic marketing thinking.)

But this means that the timing of adoption by one customer segment is almost completely unrelated to the timing of adoption by the other customer segment. So we should not be surprised that adoption in one segment (identity providers) has occurred at a different point in time — earlier, and faster — than in the other. (Again, I refer to Crossing the Chasm.)

So why have identity providers been first, by some margin? A number of reasons:

  • The cost and risk of becoming an identity provider is far lower than the cost and risk of becoming a relying party. As an identity provider, all you have to do is to add some code to your existing user authentication system, set up a new site (like openid.aol.com or openid.yahoo.com), and at a minimum, you get all the marketing and thought leadership benefits of being an OpenID provider.

    Things are much more complicated for a relying party: first, you need to decide which identities and which identity providers to trust. (If you get that wrong, your site is likely going to get defrauded and you get fired!) Also, it’s not a new site that you are setting up as a relying party, but you have to change your existing website, which is far more complicated because you constantly worry that you impact your existing business.

  • The benefits for OpenID providers are strategic (and thus they can spend some "corporate play money") while the benefits for OpenID relying parties are operational (part of the regular risk-averse financial planning process with the CFO).

    If you’ve ever moved from a "new projects" department into a core business department in a company and banged your head against the wall about how hard it was to get anything innovative funded, you will understand immediately what I mean: potential relying parties have to win the argument against a conservative business case that is highly risk-averse, while potential identity providers only need to get (less) high-risk money. Based on that, it’s surprising that today we have any relying parties at all!

Given this (predictable) situation of potential relying parties, what’s really surprising here is not that relying party adoption lags, but that we have so much adoption by identity providers today: after all, anybody who does the analysis will realize that it will be difficult for a long time to sign up relying parties, and thus it is difficult to argue that one’s company should become an identity provider before enough relying parties are available.

This means: OpenID should suffer from a chicken-and-egg problem: relying parties won’t deploy because of a lack of identity providers, and identity providers won’t deploy because of a lack of relying parties. But it does not! That’s the really interesting thing, and the wonderful thing about the way OpenID adoption has progressed.

So. When will relying parties adopt en-masse?

Well, I admit that I don’t know. I don’t think anybody else knows either. It might still be a couple of years out. (Yep, I don’t like that either.) Certainly, until very recently OpenID was not adoptable from a business perspective as a relying party due to a lack of identity provider customer share. That argument of course becomes less relevant every time another major identity provider springs up.

What I do know is that the time lag in adoption by relying parties is not only not surprising, but absolutely necessary for the above reasons. So let’s not complain about it. Instead, let’s ask "now that there is so much adoption of OpenID by identity providers, what needs to happen so that relying parties can also adopt it?" (Some of my items are listed here.)

Going into 2009, this should be the question at the top of everybody’s mind. Even MySpace’s: what good does it do them to be an OpenID identity provider if there aren’t enough relying parties? So the other good news is: one more substantial party that is incentivized to help us figure it out — and the Facebook Connect announcement might just be the jolt that is needed.

OpenID Celebration and Naysayers’ Week

If you read some blog posts this past week — in which MySpace adopted OpenID, "bringing the total number of enabled accounts to half a billion" (Techcrunch), Orange’s portal in France became one of the largest acceptors of OpenIDs ever, and Facebook fully validated the OpenID proposition — one could get the impression that all of this is nothing but bad news for OpenID and it is about to die.

Say what?

Here are some example posts:

I don’t even know where to start. But perhaps it’s very simple: Any technology that had its top-three adoptions ever in the past 6 months (Yahoo and Myspace as providers, Orange as acceptor), two of which happened last week, is doing very well, thank you.

How could anybody possibly think otherwise?

Having said that, I think it’s not a bad idea to respond to the various points that are being made as I understand them. To make this easier, I’ll paraphrase and summarize:

  • Argument 1: "OpenID will never come to anything, as half a billion of available identities means nothing if there aren’t similarly many places where one can use those identities." This is known as the relying party adoption problem, compounded by extrapolating past trends linearly — which is of course not the way markets work. My response.
  • Argument 2: "Unless I can have one single identity that works for the entire web, OpenID has no value proposition and nobody will ever use it." I call it the OpenID-all-or-nothing argument.
  • Argument 3: "If OpenID does not break down walled gardens, and so far it has not, it’s useless." I call it the OpenID-matters-only-as-a-political-tool fallacy.
  • Argument 4: "Facebook is going to win the internet identity war with a proprietary approach, there is nothing anybody will or can do about it, and OpenID (and by implication, all other identity technologies) are going to be irrelevant." One could call this the Passport 2.0 argument.

Of those, I consider the last one to be by far the most interesting argument, because it deals with the heart of why OpenID matters to businesses — which at the end of the day determine the success or failure of most technologies of this kind.

But all of these arguments deserve a response, and I will respond to them over the next few days. Stay tuned, there is only so much I can write in a day…

A Big OpenID Relying Party: Orange

Ariel Gordon, in charge of everything identity at France Telecom / Orange, tells me that Orange.fr, their portal, is now OpenID-enabled.

This must be one of the largest OpenID Relying Parties so far. Congratulations, Ariel!

Marc Canter’s Vision

Since the beginning of the year, Marc Canter has been churning out a stream of amazing visionary pieces. Today’s installment finally went too far ;-) and I have to blog it.

If you want to understand how the internet will become personal over the next decade, you could do a lot worse than reading his articles in detail. I differ with him in some of the details, but I’m completely in sync with him on the basic outline.