Thursday, February 15, 2007

Is it an AOL ID or an OpenID?

My friend (yes, I think I have one or two of those), George Fletcher, from AOL has started blogging and has broken through a threshold and actually written two blogs so far this month (and we're only just over halfway through the month). Go George!!!

His latest blog entry discusses AOL's OpenID implementation and raises the question:

In the "adoption and use" department... Given that many AOL users will not realize they have an OpenID, it would be great if the help text for "what is an OpenID?" on relying party "login" screens would mention that if you have a LiveJournal or AOL account, you already have an OpenID. This isn't very inclusive so maybe there could be a link ("Do I already have an OpenID?") to a wiki page or something that could be updated as more OpenID Providers become available. This isn't that important for those who explicitly create OpenIDs at OpenID providers, but is important for those consumers who have an OpenID by virtue of having an account for other services.

This falls into a discussion about whether the user is using their "OpenID" at the relying party or using their "AOL ID" at the relying party.

I would think that AOL would want the user to consider that they were using their AOL ID and I would expect most users would understand that.

However, the OpenID folks seem to want the user to know they have an ID that is associated with the OpenID protocols and therefore understand that they aren't just using their AOL ID, but using their AOL ID via OpenID protocols (or, perhaps, that their AOL ID is actually an OpenID).

To me that just seems to complicate issues for normal users who don't understand (and don't want to understand) protocols or bits or bytes. All they want to do is to be able to leave comments on someone else's blog.

In the Liberty Alliance and in OASIS SSTC, we've always thought that the user wouldn't know or care they were using SAML or Liberty protocols to SSO into a relying party. The IdP and the relying party would care since they wanted security and interoperability, but not the user... The user just wants this stuff to work.
