Johannes Ernst's Blog

MySpace and OpenID?

Techcrunch: MySpace To Join OpenID, Bringing Total Enabled Accounts to Over A Half Billion.


What's Next For OpenID?

While OpenID 2.0 has certainly been a big step forward, it's clear that much technical work remains to be done to make OpenID as useful and as broadly applicable as possible. (And don't get me started on how much marketing work needs to be done...)

Here's my list of what I'd like to see us in the OpenID community work on from now through 2009. We don't need to do all of it at once of course. I'm blogging this so I can get some feedback ...

Note: I do not know how to solve all of them, but then, that's what we have the brainy OpenID community for ;-)

  • Sessions. If I'm authenticated at 1 OP and 5 RPs, all 6 of them are attempting to figure out independently from each other whether or not I'm still at my PC, and when they should expire their session cookies and challenge me again. It would be more user-friendly, and more secure, if they could somehow figure this out together. For example, RP 3 should be able to ask the OP "My user has not done anything in his session in the last 15 minutes, any indication that he's still at this PC?" and the OP should be able to answer "He's been continually using RP 5, with less than 10 seconds between page views ever since, so you can keep your session open." Perhaps single-sign-out also falls into this category.
  • OP-initiated SSO. In LID, it's very easy to put an HREF together that, when clicked on, sends the user's browser to a site and authenticates them, with zero user input and zero redirects required. In OpenID Authentication 1 and 2, that's much harder to do and might not work in the general case. Let's fix this: SSO-enabled bookmarks are really useful.
  • Browser functionality. The Mozilla guys always wanted to hear from us in the OpenID community how to best add native OpenID support into the browser. How about we show them, preferably with working code?
  • RP requests for particular credential types. A range of OPs now support more than one credential type, sometimes as multiple factors to be used together. It would be nice if not only the OP could tell the RP what credential type was used, but the RP could also ask the OP for a particular credential type. This is one of the use cases in the PAPE draft, so perhaps all we need to do is get it finished.
  • Distributed QA. We need much better processes for letting our users tell us that the combination of OP X and RP Y somewhere on the net does not work on Tuesday. And then we need a process that makes sure X and Y fix it within our lifetimes. Even better, a real interop setup that runs once a night or something like that and tests "everybody" on the net who does OpenID.
  • Yadis / XRDS-Simple harmonization. Why XRDS-Simple was never simply a revision 2 of the Yadis spec, I'll never understand. But regardless, going forward we need one document, not two.
  • Something interesting with Attribute Exchange. I don't know what it would be, but there must be some interesting application scenarios? Right now we have this largely unused spec on our books. What do we need to do to make it used more, or more useful?
  • Security. We need to take a good look at whether we can turn some of the SHOULDs into MUSTs in the specs and thus get more secure.
  • Non-repudiation. Because the association secret in OpenID Authentication is symmetric, OP and RP cannot prove to a third party whether it was the OP or the RP that claimed an authentication transaction took place (or did not). It would be good if that could be unambiguously decided. For example, in LID, a time-stamped GPG-signed transaction can only have been created by the IdP, as only it has access to the private key. Can we have similar functionality for OpenID? This would raise the comfort level of commercial implementors, as they could prove liability much more easily in court.
  • Account recovery. If I create an account at some site S using OpenID X, but I later lose OpenID X (e.g. because I change jobs, because the provider went out of business, because I got kicked off the service, whatever), I can't access my account at site S any more. That's a non-starter and needs to be solved.
  • Mobile user experience. Need I say more?
  • Personal activity tracking. If I do 5 things at 5 different sites, but using the same OpenID, it should be possible for some piece of software to recognize that and give me some kind of aggregated view. (This use case is for me, as the owner of the identity, but one can come up with similar use cases for other people.) For example, that could give me the "year-end statement" of all the content I authored all over the web with the same OpenID.
  • Advertising preferences. Let's say I'm in the market for a new bicycle but not a new car. Is there some way I could express that preference on my OP, and all RPs where I use the identity could realize that they waste their money showing me car ads, but that I'd love to see bicycle ones instead?
  • Electronic vouchers. Why can't a site A give me an electronic voucher for something that I can then use at site B? Like the coupons that I get at the grocery-store checkout (in the US): "you just bought a flashlight, here is a 10 percent off coupon for batteries." It might be almost as easy as agreeing on a particular field in attribute exchange. These are the kinds of use cases that could unlock a lot of investment money into OpenID ...
  • Non-browser login. OpenID Authentication makes the assumption that the user's software is a web browser. It's hard to do OpenID from other types of software (e.g. RSS readers, word processors, ssh...) but it would be good if one could do it.
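To make the non-repudiation point above concrete, here is an added illustration (not code from this blog, from LID or from any OpenID library) that puts the two signing models side by side over the same OpenID-style "key:value\n" signed data: an HMAC under the association secret, which the RP holds as well and can therefore reproduce byte for byte, and an asymmetric signature in the LID style, where only the IdP's private key can sign and anyone with the public key can check. Ed25519 stands in for GPG, and the field names and secret are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
)

// signedBase lays {key, value} pairs out as "key:value\n" lines, the shape OpenID 2.0 signs over.
func signedBase(fields [][2]string) []byte {
	var b []byte
	for _, f := range fields {
		b = append(b, (f[0] + ":" + f[1] + "\n")...)
	}
	return b
}

// MACSign is the OpenID Authentication way: an HMAC under the association
// secret, which the OP and the RP both hold.
func MACSign(secret []byte, fields [][2]string) string {
	m := hmac.New(sha256.New, secret)
	m.Write(signedBase(fields))
	return base64.StdEncoding.EncodeToString(m.Sum(nil))
}

// MACVerify passes for anyone holding the secret, so a valid MAC cannot show a third party who made it.
func MACVerify(secret []byte, fields [][2]string, sig string) bool {
	return hmac.Equal([]byte(MACSign(secret, fields)), []byte(sig))
}

// NewIdPKey makes the IdP's key pair; only the private half ever signs.
func NewIdPKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// AsymSign stands in for LID's GPG-signed transaction; only the IdP's private key can create it.
func AsymSign(priv ed25519.PrivateKey, fields [][2]string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, signedBase(fields)))
}

// AsymVerify needs only the public key, so any third party can check who signed.
func AsymVerify(pub ed25519.PublicKey, fields [][2]string, sig string) bool {
	raw, err := base64.StdEncoding.DecodeString(sig)
	return err == nil && ed25519.Verify(pub, signedBase(fields), raw)
}
```

The MAC half shows why the symmetric design gives no third-party proof: the RP's MAC over the same fields is identical to the OP's, so a court cannot tell which side produced it, whereas the asymmetric signature verifies only under the IdP's public key.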

What's your list?

Update 13:18: http://mylid.net/mglcel suggests: "What about social networks storage on OpenID?" Sounds like a good idea, but perhaps a bit difficult politically. That shouldn't keep us from working on it, though.


Intro to OSIS Presentation

If you want to learn about OSIS, I put my presentation on OSIS at last week's European Identity Conference on-line here.

For the first time, I'm trying out slides plus audio; let me know how it works. This is an export out of Keynote; I was hoping the file would be smaller, but neither QuickTime nor Flash seems to optimize the slides well when exported from Keynote with sound.


OpenID Wins Webware100 Again

Like last year, OpenID has won the Webware award, in the "utility" category.

They write:

OpenID was created to solve one of the Web's biggest annoyances: log-ins. You've already got a verified identity on one site, so why do you need one for every place you visit? With OpenID, site owners can simply build it into their Web apps and services, letting you use your verified credentials from one site in place of having to sign up for yet another log-in.

The hope of OpenID is that it becomes a standard and universal system across every site, letting new sites spring up and have users more comfortable with signing up with less hassle. As of right now, there are nearly 10,000 sites that support OpenID, and many large and popular companies are adding OpenID as an option for new user registration.


Next week at RSA

Wow! A long way from back then.

[logos]

Thanks to Charles for putting the banner together this time around. Amazingly, my layout from an early OSIS presentation at an IIW keeps surviving!
