A few days ago David sent me a link to his post responding to Stefan's (very long) slam of OpenID. He did a great job articulating how many of those who have been critical of flaws in OpenID have been actively engaged with the community in finding solutions to the problems.
From Gnomedex one of the things I came away with was a deepened appreciation of the community that we have in technology generally and identity in particular. There are a lot of smart, good people working together despite our different personal world views, personal quirks technology backgrounds and visions for the future of the technology.
There are a lot of different perspectives in the social networking datasharing space. Marc Canter called the Data Sharing Summit to figure it out - face-to-face. (I raised my hand and said I would help facilitate). It is going to be Sept 7-8 in Richmond CA (Bay Area). Face-to-Face for a day can be like 6 months on a mailing list. It is invaluable and the text dialogue afterwards is improved in quality and effectiveness.
Ok back to Stefan:
Personally, I can't be bothered much with a sign-on system for blog comments and social networks, but if it makes other people happy, great.
In fact social uses of persistent identity are actually interesting and just dismissing it as pithy isn't really productive.
OpenID is a starter way to for websites to start using identity tools for people. Thousands of websites have adopted it - cause it is easy to do and it works. You could get up and praise OpenID for existing cause it is warming all those Relying Party sites to the idea there are identity tools and services they can offer to their user-bases. The challenge that Stefan and everyone else has with more complex visions of how things could/should work is how do you make it 'easy' - both for users and developers.
I think nuances that Stefan articulates are really important.
"selective disclosure, authenticated anonymity and pseudonymity (possibly with revocation capabilities), improve availability, enable privilege and entitlement management, and provide security against insider attacks originating from the Identity Provider,"
These need answers and they are not going to come from one company with one solution alone. Community engagement is needed - so I encourage all to put your solutions into the mix and lets see if we can figure this out.
It would be very worrisome to me, however, if a URL-based system (whether OpenID or a variant) would become the basis for "serious" identity and access management applications such as e-commerce, e-health, e-government, general credential systems, and so forth.
Your challenge is that people (consumers, business people, legislators) can readily comprehend identifier system that work like this. If you and others don't want the world to work like this then it is up to you to figure out how you explain complex math in a way that doesn't go into the detail but just explains it in a way that 'makes sense.' I have had the luxury of sitting down a few times and listening to you explain 'how the math works' and it still seems a bit 'mind boggling' but "I trust you" - basically it is where peoples trust lies...is it in 'human' trust (my openID provider isn't going to take my password and log into places for me) or is it in 'math trust' (these really smart guys have these groovy algorithms that mean only "I" can access my stuff and I can share information with them without really telling them who I am). I hope the latter can work - that the systems can evolve and people will "get" them. However it is a communication challenge and an adoption challenge that is not easy.
I have encouraged Stefan to come to community events many times. . I do hope he takes up my invitation to come to the Internet Identity Workshop December 3-5. I hope you will all encourage him too.
Related posts:
Unconference.net
