Thursday, May 10, 2007

OpenOpenID

A central tenet of user-centrism is typically expressed along the lines of "users choose their identifiers; they are not handed to them by Da Man."

In my own experience, I've taken advantage of the great freedom this provides by choosing to preface all of my OpenIDs with 'paulmadsen'. Those 'Paul Madsens' that follow me will of course have to resort to the normal trickery (e.g. 'paulmadsen2012', 'newpaulmadsen', etc.) when creating their own OpenIDs.

I've seen no details yet, but I'd be willing to bet that Sun employees will not be choosing their own OpenIDs.

Another key piece of OpenID functionality is delegation: the ability for a user to show one URI to relying parties, but to authenticate elsewhere. Will Sun support this? I.e. allow an employee to continue to present a non-Sun OpenID to RPs, but to delegate it back to Sun for authentication? Or allow an employee to delegate their Sun OpenID to an existing external OpenID? The former possibly, the latter almost certainly not.
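Delegation as described above, as an added example that is not part of the original post: discovery over the OpenID 1.1/2.0 HTML link tags, plus the relying-party check that an assertion names the same provider endpoint and local identifier that discovery produced. All URLs and pages are constructed.

```python
"""OpenID HTML delegation discovery with the RP-side cross-check.
Added example, not code from the original post; it uses the link tags of
OpenID 1.1/2.0 HTML discovery, and every URL below is constructed."""
from html.parser import HTMLParser


class _LinkCollector(HTMLParser):
    """Map rel -> href for <link> tags in the page; first occurrence wins."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") and a.get("href"):
            for rel in a["rel"].split():  # rel may carry several tokens
                self.links.setdefault(rel.lower(), a["href"])


def discover(page_html):
    """Return the provider endpoint and the identifier sent to it.
    With delegation the user shows one URI but authenticates as local_id at
    another provider, and can switch providers without changing that URI."""
    p = _LinkCollector()
    p.feed(page_html)
    p.close()
    endpoint = p.links.get("openid2.provider") or p.links.get("openid.server")
    local_id = p.links.get("openid2.local_id") or p.links.get("openid.delegate")
    return {"op_endpoint": endpoint, "local_id": local_id,
            "delegated": local_id is not None}


def assertion_matches_discovery(claimed_id, page_html, identity, endpoint):
    """Accept an assertion only if the identity and endpoint it names are the
    ones discovered from the claimed URI; otherwise any provider could vouch
    for any delegated identifier."""
    d = discover(page_html)
    return (d["op_endpoint"] == endpoint
            and (d["local_id"] or claimed_id) == identity)


# Constructed pages: a personal URI delegating to an external provider, and
# an employer-issued URI that is its own local identifier at that provider.
DELEGATING_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example.net/server">
<link rel="openid2.local_id" href="https://op.example.net/u/paulmadsen">
</head><body>Paul's page</body></html>"""
EMPLOYER_PAGE = ('<html><head><link rel="openid.server" '
                 'href="https://openid.employer.example/op"></head></html>')
```

The employer-issued page shows the non-delegating case: the URI is its own local identifier, so an RP accepts assertions about it from that one provider only.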

Neither will employees be able to keep their Sun-issued OpenIDs once they leave the company (given the semantics of employment status ascribed to the identifiers).

Will employees opt in to the program, or rather simply be presented after the fact with their new URI? (I contend that my customer agreement with AOL gave them no such freedom; does Sun's employment contract?)

My view is that Sun's deployment of OpenID (which I predict will be called OpenOpenID) should not be considered user-centric (not that I've seen anybody make the claim).

Here is my point. Is it possible (and I mean no offense) that OpenID, as a technology, cannot guarantee user-centric deployments? Indeed that no identity technology can?

On the other hand, is it conceivable that other technologies, inevitably labelled/pigeon-holed as 'enterprise only' by the 'user-centronoscenti', could be deployed in a user empowering user-centric manner? Again, no offense meant.

2 comments:

Mark said...

"I've seen no details yet, but I'd be willing to bet that Sun employees will not be choosing their own OpenIDs."

Neither have I, but another possibility is that the OpenID URI is their (optional) Sun employee blog URI.

Gerald Beuchelt said...

To answer a couple of questions:

1. We are still thinking about how the URI scheme for openid.sun.com will look. But keep in mind that users at blogs.sun.com can choose whatever blog name they want.

2. Delegation of any other OpenID URI to the Sun IdP will definitively happen, just as delegation from openid.sun.com will *NOT* happen (this would defeat the purpose of the Sun IdP to a large extent).

3. After an employee leaves the company, the OpenID will be deactivated.

4. This program will be voluntary - employees will have to opt in. In this sense, and by the fact that the users will have control over their data, the program is user-centric.

I agree with you that there is no such thing as 'built-in' user centricity, or - conversely - enterprise-centricity (as the inverse to user-centricity). It is largely a parameter of deployment.