<?xml version="1.0"?>

<rss version="2.0">
  <channel>
    <title>Johannes Ernst's Blog</title>
    <link>http://netmesh.info/jernst</link>
    <description>The Rise of the Empowered Individual on the Network; Social Computing and the Inter-personal Enterprise; User-centric Digital Identity; OpenID; Situational Computing; Web 2.0; Business and Technology, and probably many other things.</description>
    <language>en-us</language>
    <copyright>Copyright 2003-2006, Johannes Ernst</copyright>
    <generator>blosxom/2.0</generator>
<!-- This makes some feed parsers choke, but is much better than e-mail!
    <managingEditor>http://netmesh.info/jernst</managingEditor>
  -->

   <item>
    <title>A Big OpenID Relying Party: Orange</title>
    <link>http://netmesh.info/jernst/Comments/orange-openid-rp.html?version=200807222036</link>
    <pubDate>Tue, 22 Jul 2008 20:36:00 PDT</pubDate>
    <guid>http://netmesh.info/jernst/Comments/orange-openid-rp.html</guid>
    <description>
&lt;p&gt;Ariel Gordon, in charge of everything identity at France Telecom / Orange, tells
   me that &lt;a href=&quot;http://orange.fr/&quot;&gt;Orange.fr&lt;/a&gt;, their portal, is now
   &lt;a href=&quot;http://openid.net/&quot;&gt;OpenID&lt;/a&gt;-enabled.&lt;/p&gt;
&lt;p&gt;This must be one of the largest OpenID Relying Parties so far. Congratulations,
   Ariel!&lt;/p&gt;
    </description>
   </item>
   <item>
    <title>MySpace and OpenID?</title>
    <link>http://netmesh.info/jernst/Digital_Identity/myspace-openid-techcrunch.html?version=200807211655</link>
    <pubDate>Mon, 21 Jul 2008 16:55:00 PDT</pubDate>
    <guid>http://netmesh.info/jernst/Digital_Identity/myspace-openid-techcrunch.html</guid>
    <description>
&lt;p&gt;Techcrunch: &lt;a href=&quot;http://www.techcrunch.com/2008/07/21/myspace-to-join-openid-bringing-total-enabled-accounts-to-over-a-half-billion/&quot;&gt;MySpace
To Join OpenID, Bringing Total Enabled Accounts to Over A Half Billion&lt;/a&gt;.&lt;/p&gt;

    </description>
   </item>
   <item>
    <title>What's Next For OpenID?</title>
    <link>http://netmesh.info/jernst/Digital_Identity/openid-whats-next-200807.html?version=200807171318</link>
    <pubDate>Thu, 17 Jul 2008 13:18:00 PDT</pubDate>
    <guid>http://netmesh.info/jernst/Digital_Identity/openid-whats-next-200807.html</guid>
    <description>
&lt;p&gt;While &lt;a href=&quot;http://openid.net/&quot;&gt;OpenID&lt;/a&gt; 2.0 has certainly been a big step forward, it's clear that
   much technical work remains to be done to make OpenID as useful and as
   broadly applicable as possible. (And don't get me started on how much marketing
   work needs to be done...)&lt;/p&gt;
&lt;p&gt;Here's my list of what I'd like to see us in the OpenID community work on
   from now through 2009. We don't need to do all of it at once of course.
   I'm blogging this so I can get some feedback ...&lt;/p&gt;
&lt;p&gt;Note: I do not know how to solve all of them, but then, that's what we have the
   brainy OpenID community for ;-)&lt;/p&gt;
&lt;ul&gt;
 &lt;li&gt;&lt;b&gt;Sessions.&lt;/b&gt; If I'm authenticated at 1 OP and 5 RPs, all 6 of them are attempting
     to figure out independently from each other whether or not I'm still at my PC,
     and when they should expire their session cookies and challenge me again. It
     would be more user-friendly, and more secure, if they could somehow figure this
     out together. For example, RP 3 should be able to ask the OP &amp;quot;My user has not
     done anything in his session in the last 15 minutes, any indication that he's still
     at this PC?&amp;quot; and the OP should be able to answer &amp;quot;He's been continually
     using RP 5, with less than 10 seconds between page views ever since,
     so you can keep your session open.&amp;quot;
     Perhaps single-sign-out also falls into this category.&lt;/li&gt;
 &lt;li&gt;&lt;b&gt;OP-initiated SSO&lt;/b&gt;. In &lt;a href=&quot;http://lid.netmesh.org/&quot;&gt;LID&lt;/a&gt;, it's very easy to put
     a HREF together that, when clicked on,
     sends the user's browser to a site and authenticates them, zero user input and
     zero redirects required. In OpenID Authentication 1 and 2, that's much harder to do
     and might not work in the general case. Let's fix this: SSO-enabled bookmarks are
     really useful.&lt;/li&gt;
 &lt;li&gt;&lt;b&gt;Browser functionality.&lt;/b&gt; The Mozilla guys always wanted to hear from us in the
     OpenID community how to best add native OpenID support into the browser. What
     about we show them, preferably with working code?&lt;/li&gt;
 &lt;li&gt;&lt;b&gt;RP requests for particular credential types.&lt;/b&gt; A range of OPs now has more than
     one credential type they support, sometimes as multiple factors to be used
     together. It would be nice if not only the OP could tell the RP what credential
     type was used, but also let the RP ask the OP for a particular credential type.
     This is one of the use cases in the
     &lt;a href=&quot;http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-02.html&quot;&gt;PAPE draft&lt;/a&gt;,
     so perhaps all we need to do is get it finished.&lt;/li&gt;
 &lt;li&gt;&lt;b&gt;Distributed QA.&lt;/b&gt; We need much better processes for letting our users tell us
     that the combination of OP X and RP Y somewhere on the net does not work on Tuesday. And then we need
     a process that makes sure X and Y fix it within our lifetimes. Even better,
     a real interop setup that runs once a night or something like that and tests
     &amp;quot;everybody&amp;quot; on the net who does OpenID.&lt;/li&gt;
 &lt;li&gt;&lt;b&gt;Yadis / XRDS-Simple harmonization.&lt;/b&gt; Why XRDS-Simple was never simply a
     revision 2 of the Yadis spec, I'll never understand. But regardless, going forward
     we need one document, not two.&lt;/li&gt;
 &lt;li&gt;&lt;b&gt;Something interesting with Attribute Exchange.&lt;/b&gt; I don't know what it would
     be, but there must be some interesting application scenarios? Right now we have this
     largely unused spec on our books. What do we need to do to make it used more/more useful?&lt;/li&gt;
 &lt;li&gt;&lt;b&gt;Security.&lt;/b&gt; We need to take a good look at whether we can turn some of the
     SHOULDs into MUSTs in the specs and thus get more secure.&lt;/li&gt;
 &lt;li&gt;&lt;b&gt;Non-repudiation.&lt;/b&gt; As the secret is symmetric in OpenID Authentication, OP and
     RP cannot prove to a third party whether the OP or the RP pretended that an
     authentication transaction took place (or not). It would be good if that could
     be unambiguously decided. For example, in LID, a time-stamped GPG-signed transaction
     can only have been created by the IdP, as only it has access to the private key.
     Can we have similar functionality for OpenID? This would raise the comfort level of
     commercial implementors as they could prove liability much more easily in court.&lt;/li&gt;
 &lt;li&gt;&lt;b&gt;Account recovery.&lt;/b&gt; If I create an account at some site S using OpenID X, but I later lose
     OpenID X (e.g. because I change jobs, because the provider went out of business,
     because I got kicked off the service, whatever), I can't access my account at site S
     any more. That's a non-starter and needs to be solved.&lt;/li&gt;
 &lt;li&gt;&lt;b&gt;Mobile user experience.&lt;/b&gt; Need I say more?&lt;/li&gt;
 &lt;li&gt;&lt;b&gt;Personal activity tracking.&lt;/b&gt; If I do 5 things at 5 different sites, but using
     the same OpenID, it should be possible for some piece of software to recognize that
     and give me some kind of aggregated view. (This use case is for me, as the owner of
     the identity, but one can come up with similar use cases for other people.) For example,
     that could give me the &amp;quot;year-end statement&amp;quot; of all the content I authored
     all over the web with the same OpenID.&lt;/li&gt;
 &lt;li&gt;&lt;b&gt;Advertising preferences.&lt;/b&gt; Let's say I'm in the market for a new bicycle but
     not a new car. Is there some way I could express that preference on my OP, and
     all RPs where I use the identity could realize that they waste their money showing
     me car ads, but that I'd love to see bicycle ones instead?&lt;/li&gt;
 &lt;li&gt;&lt;b&gt;Electronic vouchers.&lt;/b&gt; Why can't a site A give me an electronic voucher for
     something that I then can use at site B? Like the coupons that I get at the grocery-store
     checkout (in the US): &amp;quot;you just bought a flash light, here is a 10 percent off
     coupon for batteries.&amp;quot; It might be almost as easy as agreeing on a particular field
     in attribute exchange. These are the kinds of use cases that could unlock a lot of investment
     money into OpenID ...&lt;/li&gt;
 &lt;li&gt;&lt;b&gt;Non-browser login.&lt;/b&gt; OpenID Authentication makes the assumption that the user's
     software is a web browser. It's hard to do OpenID from other types of software (e.g.
     RSS readers, word processors, ssh...) but it would be good if one could do it.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;What's your list?&lt;/p&gt;
&lt;p&gt;&lt;i&gt;Update 13:18:&lt;/i&gt; &lt;tt&gt;http://mylid.net/mglcel&lt;/tt&gt; suggests: &amp;quot;What about social networks
   storage on OpenID?&amp;quot; Sounds like a good idea, but perhaps a bit difficult
   politically. That shouldn't keep us from working on it, though.&lt;/p&gt;
    </description>
   </item>
   <item>
    <title>Congrats Marc</title>
    <link>http://netmesh.info/jernst/Comments/congrats-marc-canter-bell-canada.html?version=200805211712</link>
    <pubDate>Wed, 21 May 2008 17:12:00 PDT</pubDate>
    <guid>http://netmesh.info/jernst/Comments/congrats-marc-canter-bell-canada.html</guid>
    <description>
&lt;p&gt;... for landing and
   &lt;a href=&quot;http://blog.broadbandmechanics.com/2008/05/bell-video-store-bring-social-to-canadians&quot;&gt;deploying&lt;/a&gt;
   Bell Canada as a customer for his social networking software.&lt;/p&gt;
&lt;p&gt;Instead of just competing with &lt;a href=&quot;http://ning.com/&quot;&gt;Ning&lt;/a&gt;, it looks
   like he's setting his sights higher on Google, Facebook and the like. Takes guts.
   Congratulations!&lt;/p&gt;
   
    </description>
   </item>
   <item>
    <title>Brad Templeton / EFF: &quot;OpenID Is Evil&quot;</title>
    <link>http://netmesh.info/jernst/Comments/brad-templeton-openid-evil.html?version=200805131611</link>
    <pubDate>Tue, 13 May 2008 16:11:00 PDT</pubDate>
    <guid>http://netmesh.info/jernst/Comments/brad-templeton-openid-evil.html</guid>
    <description>
&lt;p&gt;Caught your attention? ;-) I think that's why he chose this title.&lt;/p&gt;
&lt;p&gt;I just attended a talk with that title at &lt;a href=&quot;http://iiw.idcommons.net/&quot;&gt;IIW&lt;/a&gt;
   by &lt;a href=&quot;http://www.templetons.com/brad/&quot;&gt;Brad Templeton&lt;/a&gt;, who is
   the chair of the board of the &lt;a href=&quot;http://www.eff.org/&quot;&gt;Electronic
   Frontier Foundation&lt;/a&gt; and as such pretty influential. He wasn't actually talking about
   &lt;a href=&quot;http://openid.net/&quot;&gt;OpenID&lt;/a&gt; itself, but about pretty much all
   technologies that make it easier for users to share identity information
   on-line. I think his core points are as follows:&lt;/p&gt;
&lt;ul&gt;
 &lt;li&gt;The easier it is for individuals to share identity information on-line,
     the more often it will be done, and the more often sites will require it.
     As a result, more personal information will be shared, which is worrisome
     from a privacy perspective.&lt;/li&gt;
 &lt;li&gt;On one hand, user-centric idea is a great idea. On the other hand, it
     removes the ability of the users to negotiate with a similar clout as the
     service providers, and as a result we might actually get less privacy than
     in case of a more centralized system such as Microsoft Passport, which could have
     benefited from the negotiation clout of a Microsoft. (He was clear that he
     was not advocating that, of course.)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;He was clear (after he had stated the title ... ;-)) that he wanted to be a
   contrarian with this talk, and that he consciously overstated his case. Primarily to
   make sure that we technologists building these technologies understand the
   unintended consequences.&lt;/p&gt;
&lt;p&gt;I think he's right about both points, but I also think that there are many
   counter-trends to that. For example, the easier it is to share information
   on-line, the less need there is for service providers to store the information,
   which leads to a net increase in data security (e.g. no backup tapes of my
   address can be stolen if the service provider does not store it because they
   know that I can very easily provide it again and thus they have the option not
   to store it.)&lt;/p&gt;
&lt;p&gt;Worth blogging and thinking about though ...&lt;/p&gt;
    </description>
   </item>
  </channel>
</rss>
