Josh (the blog)

Hey there. I’m Josh, a SydneyCanberra-based maker of Internets. I don’t update this very often.


OpenID again

I’ve mentioned OpenID here and here before (the first only in passing), in the context of fragmenting social networks and LiveJournal. By the way, check out the second of those posts… for meta-writing/meta-blogging, it’s (IMO) surprisingly good! I was pleased.

Anyway — OpenID is still around 10 months later (though the spec was last updated around the time I last wrote on the matter), have announced they are now an IdP for it, and it seems everyone wants to be a provider, not a consumer (in OID spec parlance, consumer means the website requesting verification of an Identity — “end user” is the term given to an actual human user).

In fact, is the only OpenID consuming site of consequence that I’ve encountered thus far in my travels. Which is, to say the least, slightly perplexing.

I’m aware the whole point of OpenID is that it’s a vastly decentralised spec that enables myriad providers to exist, but it seems somewhat redundant (in the sense in which that means “pointless, without purpose”, not failover-type redundancy) if there does not exist a single consumer of consequence!

And, let’s face it, why should being a consumer be attractive? You know less about your customers, they can bail on you more quickly, and… all of a sudden, advertising is the only way of monetising a website. JanRain operate “MyOpenID: Your first (and last) identity provider”, as well as a couple of services that use OpenID, and have (to my eyes, at least) no conceivable way of generating revenue at present.

Which is potentially fine, but completely stupid if that’s happening on a wider scale. As a concept, OpenID has much to offer — I just wouldn’t use it in CYIADA. I might consider it for smaller projects (commercial clients), but, really, I think it’d have a better chance if Myspace were an OpenID provider. And we all know what they’re like when it comes to web standards (and general usability issues)!

Plus, of course, there’s the issue of the popularity of up-stream providers if you want to verify against something other than OpenID (like, for example, someone’s Google account — which you can do quite easily using various API tools they provide). With anything youth targeted, there’s a special impetus that we don’t really see in other places. I read this absolutely hilarious comment on a great analysis of an article about Myspace:

It’s easy to imagine teenagers as a pack of wildebeests on a grassy plain, simply running with wild abandon.

Why yes, yes it is. They’re not (article has more on this), but the bottom line is if you’re using external verification services, you’re dependent on the existence and longevity of these services for the existence and longevity of your services, not the least in user profiling and building up meaningful market data so you can adjust your mix to a known audience.

You don’t have the same degree of control over these things, and there’s a trust relationship there beyond just the security/phishing issues side of things, that most businesses don’t want to touch with a ten foot pole. With good reason.

OpenID feels like a wonderful technology in a chicken-egg situation. It’s still just too bloody geeky for your average LJ user to get on board with. And they’ve got it easy. For anyone else, it’s completely impossible.

Here in Sydney, we could probably get away with setting up verification against Windows Live simply because that’s what people use here, as I have noted before (about halfway down the post linked). But developing different authorisation schemes as a matter of localisation is most definitely not in my book of best practices (if I were ever to write one :P) — so, instead, fragmented Internet identities persist.

That bugs me.

If you have any answers or thoughts… let me know. Blog about it and send a pingback/trackback. That’s one of the few open standards that’s worked well on the web, albeit with plenty of spam abuse, but there’s of course the problem that not enough people are socially blogging aside from software developers and design geeks and… whatever category I fit into (“web strategist” is still what I’m calling myself… we’ll see how much longer that sticks) — so, of course, there’s no instinct to reply in this manner.

In the same way, developer and business instinct is to build your own authentication and profiling platform. Is it worth resisting?