Not exactly the post I want to write after a long week, but there have been several posts following the developer launch of the Google OpenID IDP. Unfortunately, those posts are inaccurate, and it is worth clarifying what is going on so no one else makes the same mistake and repeats the (incorrect) claim that Google somehow “forked” OpenID.
The first criticism rests on the erroneous notion that, simply because the Google IDP supports the indirect lookup of a user’s identity, this is somehow an invalid use of the OpenID protocol. On the contrary, it is using a standard technique known as Directed Identity, which is defined in the OpenID 2.0 specification here. Directed Identity allows users to enter a generic domain name (e.g., “example.com”), rather than a fully qualified identity (e.g., “example.com/users/bob”), so that the choice of which identifier, and how much personal information, to expose to the RP is made at their identity provider rather than up front at the RP. (For implementers: in that case the RP sends the identifier_select placeholder, and the spec requires it to run discovery on the Claimed Identifier the OP hands back and confirm that this OP is authoritative for it; skip that check and any OP could assert any identifier.) This is a good thing. You want this. You want to be able to make that disclosure choice yourself.
Another (again mistaken) claim is that because, during the test launch, Google whitelisted the initial set of allowed Relying Parties, the specification was somehow violated. On the contrary, there is nothing in the spec that requires an IDP to provide access to user data to all RPs (nor should it!), and in the case of the Google launch, the whitelisting was only ever planned for the initial launch. The initial launch went well, and all RPs are now whitelisted. (This wasn’t a reversal of policy; this was the plan all along.)
The third inaccuracy stems from the second. During the whitelist-only test launch, Google could not publish an XRDS document at the root of the gmail.com domain, because that document advertises the OP endpoint to every RP where a user types “gmail.com”, and logins would then have failed for users of non-whitelisted RPs. I can see how this would be confusing if one didn’t know how OpenID 2.0 discovery works with XRDS, but it was the right decision. Now that everyone is whitelisted, Google can publish the XRDS document at the root of gmail.com. (I don’t think that part has launched yet; in the meantime, you can use the explicit path of “https://www.google.com/accounts/o8/id” to fetch the XRDS document.)
And last, there seems to be a huge misunderstanding about email addresses vs. URLs as identifiers. URLs make fantastic identifiers — for the 0.1% of the web population that understands that they “are” a URL. Fortunately, the other 99.9% of the world (our parents, for example) already understand that they have an email address. As has become increasingly clear to everybody doing usability research on OpenID (see here and here), we absolutely need to provide mechanisms for mapping human-friendly identifiers like email addresses to identities. That’s not to say that URLs-as-identifiers should go away. On the contrary, I myself use “dewitt.unto.net” as my identifier, and fortunately, the spec is smart to allow for multiple ways of surfacing that identity. (Or more exotically, I expect we’ll see great things to come with mobile phones or phone numbers as identifiers as well.)
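To make the three mechanics above concrete (Directed Identity from a bare domain, the XRDS document an OP publishes at its domain root, and an email address resolved to an identity), here is an added example of the Relying Party side, written for this post and not code from the original article or from Google. The hostnames, endpoint paths and XRDS documents are constructed for the example; the email mapping (domain part used as the OP Identifier) is an assumption of the example rather than anything the 2008 spec defines; and the function names are this example’s own, not any library’s API. The final function is the check the spec puts on the RP after a Directed Identity login.

```python
# Added example, not code from the original post: an OpenID 2.0 RP's discovery step.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

OPENID2_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID2_NS + "/identifier_select"
OP_IDENTIFIER_TYPE = OPENID2_NS + "/server"  # XRDS service type of an OP Identifier
CLAIMED_ID_TYPE = OPENID2_NS + "/signon"     # XRDS service type of a Claimed Identifier
XRD_NS = "xri://$xrd*($v*2.0)"

# Constructed sample XRDS documents keyed by the URL they would be served from.
# The hostnames and paths are made up for this example; nothing is fetched.
XRDS_BY_URL = {
    # What an OP publishes at the root of its domain: an OP Identifier (directed identity).
    "https://example.com/": """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD><Service priority="0">
<Type>http://specs.openid.net/auth/2.0/server</Type>
<URI>https://example.com/openid/endpoint</URI>
</Service></XRD></xrds:XRDS>""",
    # What is served from a user's own, fully qualified identifier URL.
    "https://example.com/users/bob": """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD><Service priority="0">
<Type>http://specs.openid.net/auth/2.0/signon</Type>
<URI>https://example.com/openid/endpoint</URI>
<LocalID>https://example.com/openid/local/bob</LocalID>
</Service></XRD></xrds:XRDS>""",
}

def email_to_identifier(email):
    """Hypothetical email mapping (an assumption of this example, not something the
    2008 spec defines): use the domain part as the OP Identifier and let Directed
    Identity choose the actual user at the OP."""
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError("not an email address: " + email)
    return domain

def normalize(user_input):
    """Normalize user input to a URL. The spec defaults a scheme-less identifier
    to http; this example assumes https instead."""
    s = user_input.strip()
    if "@" in s and "://" not in s:
        s = email_to_identifier(s)
    if not s.startswith(("http://", "https://")):
        s = "https://" + s
    if s.count("/") == 2:  # bare host: the spec requires a trailing slash
        s += "/"
    return s.split("#", 1)[0]  # fragments never take part in discovery

def parse_xrds(doc):
    """Return the XRD <Service> entries in priority order (use defusedxml for
    documents fetched from the network; the stdlib parser is fine for these samples)."""
    services = []
    for svc in ET.fromstring(doc).iter("{%s}Service" % XRD_NS):
        services.append({
            "priority": int(svc.get("priority", "1000000")),
            "types": [t.text.strip() for t in svc.findall("{%s}Type" % XRD_NS)],
            "uri": (svc.findtext("{%s}URI" % XRD_NS) or "").strip(),
            "local_id": (svc.findtext("{%s}LocalID" % XRD_NS) or "").strip() or None,
        })
    return sorted(services, key=lambda s: s["priority"])

def discover(identifier, fetch=XRDS_BY_URL.get):
    """Return (op_endpoint, claimed_id, op_local_id) for a normalized identifier."""
    doc = fetch(identifier)
    if doc is None:
        raise LookupError("no XRDS document for " + identifier)
    for svc in parse_xrds(doc):
        if OP_IDENTIFIER_TYPE in svc["types"]:
            # Directed Identity: the RP does not yet know who the user is, so both
            # identifier fields carry the identifier_select placeholder.
            return svc["uri"], IDENTIFIER_SELECT, IDENTIFIER_SELECT
        if CLAIMED_ID_TYPE in svc["types"]:
            return svc["uri"], identifier, svc["local_id"] or identifier
    raise LookupError("no OpenID 2.0 service for " + identifier)

def build_checkid_setup(user_input, return_to, realm, fetch=XRDS_BY_URL.get):
    """Build the checkid_setup redirect the RP sends the browser to."""
    endpoint, claimed_id, local_id = discover(normalize(user_input), fetch)
    params = {"openid.ns": OPENID2_NS, "openid.mode": "checkid_setup",
              "openid.claimed_id": claimed_id, "openid.identity": local_id,
              "openid.return_to": return_to, "openid.realm": realm}
    return endpoint + "?" + urlencode(params), params

def verify_claimed_id(assertion, fetch=XRDS_BY_URL.get):
    """Spec section 11.2: after a Directed Identity login the RP has never seen the
    returned claimed_id, so it must discover it and confirm the asserting OP is
    authoritative for it. Signature and nonce checks are separate and not shown."""
    try:
        endpoint, claimed, local_id = discover(normalize(assertion["openid.claimed_id"]), fetch)
    except LookupError:
        return False
    if claimed == IDENTIFIER_SELECT:  # an OP Identifier is never a valid Claimed Identifier
        return False
    return (endpoint == assertion["openid.op_endpoint"]
            and local_id == assertion["openid.identity"])
```

Typing “example.com” or “bob@example.com” both resolve to the OP Identifier document and produce a request with identifier_select in both identifier fields, while “example.com/users/bob” resolves to the user’s own document and carries the concrete Claimed Identifier and OP-Local Identifier. The part worth internalizing is verify_claimed_id: after an identifier_select request the RP has no prior discovery result to compare against, so re-discovering the returned claimed_id and matching the OP endpoint is what stops an arbitrary OP from asserting someone else’s identifier.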
While I don’t fully understand the motivation behind the attacks made in those articles, I do find it rather unfortunate that they’ve been picked up and repeated by people who are similarly unfamiliar with the technology itself. I guess a lesson might be to pause for a second before repeating a rumor you don’t personally understand.
The truth is that OpenID is still in its teenage years and still has a lot of growing up to do, but in the last few months we’ve seen several of the biggest sites on the web launch as identity providers (nearly everyone on the web has an OpenID now), continued improvements and additions to the core specifications, and groundbreaking usability research. Bumps along the way notwithstanding, this is forward progress.
Update:
Kevin Marks has a great response about whether or not, as Ben Metcalfe says below, OpenID forked itself by turning into more than a mechanism for claiming resolvable URLs.
I’m personally of mixed opinions about this myself, as I don’t want those more advanced use cases for OpenID to overshadow the original role of OpenID as a standard for claiming URLs. In fact, I was among those not entirely in favor of putting these (admittedly valuable) new concepts into the core OpenID 2.0 spec, and would have preferred independent extensions instead. As people try to do more and more with OpenID, such as SSO, profile exchange, and non-URL-based identity mappings, this can indeed lead to what Dare calls the “square peg in a round hole” effect. But to be crystal clear, no one is forking the spec just by implementing the spec in a way it allows for.
And I stand duly chided by Kevin for the rhetorical exaggeration about whether or not the mainstream user can learn to type in a URL to identify themselves. The truth is that no one knows for sure if they can, though the research is showing that those of us (myself included) who argued for URLs exclusively were probably hoping for too much. But as long as we can always map the user-driven identifiers back to URLs, then I do believe we get the best of both worlds.
As Kevin says, see you all at IIW!
Disclosure: I work for Google, and I represent Google on the OpenID Foundation board. That said, I’m really writing this as a member of the community, just trying to figure out how this story got so mixed up to begin with.

November 9th, 2008 at 1:54 am
Firstly, might I say this is a terribly defensive post – “I guess a lesson might be to pause for a second before repeating a rumor you don’t personally understand”, the tone all the way through it, etc.
As someone who (hopefully) is across the OpenID standard, I can understand that Google hasn’t forked OpenID. But what you guys have implemented is the first major implementation of the ‘bleeding edge’ OpenID 2.0 spec.
I think what a lot of those people meant – many of whom I would argue do have at least a vague understanding of OpenID – is really that OpenID has forked OpenID. There are a lot of people who simply don’t agree with some of the aspects of the OpenID 2.0 spec and perhaps this is the first time they have seen them in the wild.
I personally don’t believe providers should be able to whitelist RPs (and still be able to claim they remain ‘in spec’) and while I nod to the fact that emails are more ‘normal user friendly’ than urls, I would argue they are only workable for 0.1% of people. We’ve got this far with URLs, IMHO we should stick with them for the sake of consistency.
Google decided to launch something bleeding edge and try to upset the status quo (and not necessarily wrongly, at least from your position). But it set off a number of debates that I think have been valid point-wise from both sides.
November 9th, 2008 at 3:25 am
http://google-code-updates.blogspot.com/2008/10/google-moves-towards-single-sign-on.html
“One of the companies using this new service is http://www.zoho.com. Raju Vegesna at ZoHo says that “We now offer all our users the ability to login to ZoHo using their Google Account to avoid the need to create yet another login and password.”
The problem is that if you go to Zoho, which at the moment only supports Google or Yahoo! OpenID v2.0 discovery implementation, there is nothing to show on that front page that Zoho supports OpenID. It’s like Chris Messina says, if you have a credit card, it’s not much use if it’s not accepted at any department stores.
It’s all about the brand
OpenID from a marketing perspective is going to be a bigger brand than Mastercard and Visa, because it will as we know end up in Internet Explorer, Firefox and Chrome. Look at the way the BBC – (one of the world’s largest content providers) convened a meeting in New York this summer to mull over the advantages of using OpenID as a universal login for a post public money non-subsidised existence with a collection of mostly non UK media and technology companies. (For the benefit of non UK readers, many argue that the BBC license fee is a form of taxation and not a license fee.)
Eventually we know that Zoho will display the “OpenID logo” alongside the Google and Yahoo! login icons when deals have been done with the OpenID provider also-rans (IE they have proved their security infrastructure). I hazard to say that the Zoho login page over time will say: Log in with OpenIDs provided by the following companies…, with a link to say why only these companies and another link to say how to be an accepted OpenID provider to Zoho users.
So what’s the problem? If an end user pops by, they are actually none the wiser about OpenID in any way whatsoever, except that if they have a Google or Yahoo! account they don’t have to bother about yet another user name or password. Google’s approach to market has not actually damaged the public’s perception of OpenID – because they still don’t even know about it.
Problems:
[Geek warning] I haven’t seen any delegation settings for my Google Account.
And here is the biggest problem, look at issue concerning the misreporting of this present situation.
a) geeks b) “journalists”
Normally, with the geeks, who listens to them, but with the so called journalists, 99% of them take a press release and reheat it, or if they are the 1% they actually do some research. Then if 0.5% get the story right it’s a miracle, and the other 0.5% make up their own story which a) isn’t technically perfect but at least they research it and/or b) doesn’t quite catch the nuance of the story and its future impact on the readership.
Summary
I don’t think what Google have done has damaged the end user perspective of OpenID. But only time will tell how the tech journalists will cope with it. Now imagine you have one hour to wrap out a re-hash of a press release about a new technology you know nothing about… eeeek
Solution
Now that is another can of worms… :-)
November 9th, 2008 at 5:58 am
@Ben: “…while I nod to the fact that emails are more ‘normal user friendly’ than urls, I would argue they are only workable for 0.1% of people”
What, apart from the 100% of people who use them every single day to log in to tens of thousands of sites?
In what way is an email unworkable as an identifier?
DW is right. Google don’t seem to have faux-pas’ed here, except with a terribly-managed launch. I think they should be slammed for claiming a full-spec launch when it wasn’t finished yet.
November 9th, 2008 at 7:55 am
Hey Ben,
It was a defensive post. : )
I was defending Google from the claim that we forked the spec. We didn’t, and I wanted to clear that up. And I also wanted to correct those who spread that rumor.
But I’m with you — if the authors of those articles said “OpenID forked OpenID”, then I’d have a very different reaction. At Google we’re trying hard to be a good net citizen on this one, and the last thing I want is to get a bad reputation for something we didn’t do wrong.
The debates around whitelisting and URLs are good ones. So let’s have debates about that — without the undeserved accusations about forking.
-DeWitt