Simplifying OpenId

[Martin Atkins]

S. Alexander Jacobson wrote:
> On Mon, 9 Jan 2006, Martin Atkins wrote:
> 
>> You're adding new DNS RR types now? Bang goes any chance of adoption.
>> Nameservers won't support it for years, and in the short term most of
>> the freebie DNS hosting services can't even manage SRV records, let
>> alone some wacky new one you've just made up.
> 
> Users understand email as identity.  Support from a few just a mail
> server operators (Google, AOL, MSFT, and Yahoo) would result in support
> for ~100m users basically instaneously.  It is hard to see how any
> protocol that requires user adoption of new homepages/domains is even
> close to as adoptible.
> 

This isn't how "adoption" works. Things are first tried out by early
adopters. Early adopters are just random geeks and other interested
users. These early adopters must be able to do this thing for themselves
in the short term. No big providers — especially those you listed — will
support this until it's already in common use and it seems to provide a
benefit.

You have to grab the interested early adopters to start with, to set the
ball rolling and get them going out there and asking other sites to act
as relying parties. I've seen a few early adopters asking — completely
unprovoked by me — for OpenID consumer support on a bunch of different
sites I read. OpenID has a small group of early adopters already, though
admittedly it could do with some more. I'm sure the support of
LiveJournal is helping, but then LiveJournal doesn't provide email
service* so your proposal would also suffer in that regard.

On the other hand, web sites are one thing that "the public" has
mastered. I'm not going to claim that any old guy off the street and
write a web page, but certainly more people can do that than can
administer a DNS domain and run their own email service. The barrier of
entry for an early adopter in a web-based approach is much lower than in
your approach.

I agree with all of your other rebuttals, I think. I did misunderstand
your proposal a little to start with. I actually quite like your idea as
a replacement for the hack of sending a confirmation email**, but not as
an identity solution.

All the best,
-Martin

--------

* LiveJournal.com does provide optional email addresses to paid
accounts, but few users actually use these as a primary email address
and would think to use it as a signup email address. The vast majority
of LiveJournal users do not have paid accounts and thus do not have
these email addresses.

** Your proposal doesn't actually function as an email validation
replacement at all, really. There's nothing to stop me setting up a
domain which does not provide email service but which answers "Sure, why
not?" to all identity inquiries anyway. This means I get to sign up with
an invalid email address, which means that your proposal will never be
adopted by those sites that for some reason feel they MUST have a valid
contact email address for every user.