Tuesday, December 04, 2007

Selective Pressure

In its purest form, the OpenID philosophy forbids Relying Parties from showing any preferences for particular OpenID Providers from whom they might accept authentication claims. Thus the current tension between the 'promiscuity purists' and those who want to use whitelists & blacklists in order to allow RPs to select their OP partners with more discernment.

I'll argue that RP promiscuity (in which the RP cares little about which specific OPs it partners with) works just fine in situations where both of the below are true
  1. the resources the RP protects are such that the RP assumes no different levels of risk in accepting authentication claims from different OPS
  2. there is no other factor that differentiates OPs

At least currently, OpenID is being used in low value (money & sensitivity) applications. When there is little risk to start with, an RP will feel little different about how various OPs change that risk. So, for now, #1 is true.

And #2 has been true. Except for varying levels of support for particular authentication methods (e.g. Infocards) or different extensions (e.g. Simple Reg or PAPE), the different OPs are a level playing field from the RPs point of view.

And then Vidoop has to tip the apple cart and skew the above balance by announcing that they, as an OP, are going to start paying RPs by sharing their advertising revenue. No longer is #2 true - even if #1 is still equal (i.e. no risk differential), an RP will now be motivated for favour Vidoop as an OP, above other OPs that don't pay.

I predict two consequences
  1. RPs will attempt to guide users to Vidoop in order to maximize revenue (e.g. "I'm sorry, the OpenID you presented doesn't seem to work. Would you like to use/create a Vidoop OpenID?")
  2. Other OPs will be forced to match the Vidoop revenue sharing model in order to restore the balance and ensure they are not excluded by RPs at selection time. There will be a bidding war as OPs fight to ensure market. A single OP with big pockets will emerge.

I think I'll go reserve 'paulmadsen.openid.passport.microsoft.com'. Maybe they can reuse the old code.

No comments: