In my blog entry about CardSpace and OpenID (http://dev.aol.com/blog/markdeveloper/CardSpaceAolOpenID) I logged on to http://dev.aol.com with an account from http://www.myopenid.com.

- Mark Blomsma

Each site will still have their account info from their users… unless they choose not to collect any additional info (like for example email, names etc.)

I believe the issue is more that they need to figure out how to associate their account info with the OpenIDs. And possibly how new account creation retrieves one of the ‘personas’ details associated with the OpenID. Heck why not allow the user to upgrade the internal account info with all the details from the persona of OpenID if just requires one click users might be willing to share more (optional) details…

Now that is possibly adding some valuable data for the big guys!
and yes I would update this internal account data (keeping it current) like my address much more likely if it required one click.

Michael Arrington of Techcrunch posted an article about OpenID yesterday about the big four (Microsoft, Yahoo, Google, and AOL) becoming issuing parties of OpenIDs but not relying parties of OpenIDs.  In English that means that you can get an OpenID a…

Read this: “OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience.”

Well, that was something were those big FOUR put lots of time, energy and dollars in…first rule in their businesscases; get many registrations, also called profiles; a profile is worth loads of dollars and your company might be valued based on that number.

another thought from my side, Yahoo tried to buy smart…Flickr etc.
here comes OpenId;

“For geeks, OpenID is an open, decentralized, free framework for user-centric digital identity. OpenID takes advantage of already existing internet technology (URI, HTTP, SSL, Diffie-Hellman) and realizes that people are already creating identities for themselves whether it be at their blog, photostream, profile page, etc. With OpenID you can easily transform one of these existing URIs into an account which can be used at sites which support OpenID logins.”

Where is the potential, the upsell for the BIG FOUR? or am I missing something?
if so, in that case, sorry!

Reinout te Brake
Group Strategist
SPILL GROUP

With OpenID everything is controlled in one place and so if for some reason an account was compromised all access can be shut off from one area as opposed to going to every site I had an account on to reset my details.

Also many OpenID providers offer security options beyond a simple l/p. I work for Vidoop and we have a two factor system involving activating a browser and using our ImageShield which shows images with letters associated with them. Each image is from a category you select at sign up, the letters displayed on the images form a random access code. The images change everytime and so do the letters making the system resistant to currently prevalent forms of hacking (phishing, key logging, …). We have account notifications as well so you can get a message any time your account is used for anything. I would trust my banking, medical, or other mission critical data to be secured by a myVidoop OpenID account.

There is a cool post up about why/how sites interested in being a full blown IDP should check out simply supporting OpenID delegation:
http://steven.bitsetters.com/a.....n-ship-it/

Interested to hear people’s thoughts on this… though at the end of the day I agree we still need more RPs and that killer OpenID app…

Being a lawyer, you should know this. The legal departments of the big four will have a very hard time signing off on accepting the liabilities that are associated with becoming an OpenID relying party.

What does OpenID provide for a relying party, in terms of assertions that another party’s authentication of a user is “trustworthy” and therefore should be allowed in? If there is no mechanism for Yahoo to trust the fact that Google’s authentication of this user is trustworthy, why would Yahoo want to accept the login authenticated with a Google OpenID? Who is liable in this case?

OpenID has all the technical details worked out in terms of how to exchange authentication information and credential information. But OpenID has no technology that conveys trust. And trust is not something that can be done technically. It’s a business agreement.

I think that’s why most of the relying parties that accept openIDs are web 2.0 ‘toy’ web sites. Try to find a relying party that offers a mission critical application, like online banking.

Until the trust issue is resolved, it will be slow going.

The Yahoo model lets the users associate a Yahoo!ID with several email addresses. However, login must still be done with the Yahoo!ID.

The Google model is quite confusing, by allowing both GoogleID and email addresses to have their own Google accounts. Lately, Google has forced email-address accounts to create their own GoogleIDs, but Google has also allowed GoogleIDs to “manage” email-addresses. However, the problem gets worse when email addresses are managed by Google Apps for Domains. I do not believe that Google has thought this “clash of IDs” problem through yet completely.

The LinkedIn model is perhaps the simplest in that login is OK for different email-addresses. However, the LinkedIn service is much less comprehensive that those of the big 4.

Consequently, the big 4 being Issuing Parties is a good step. Don’t know if they can do much more.

http://jyte.com/cl/there-are-d.....ng-parties

It’s still all hype and little progress, which is not surprising, given the incentives inherent in the architecture of OpenID.

Are the Big Internet Companies (AOL, Google, Yahoo, Microsoft) really committed to OpenID or are they merely exploiting it for PR purposes? That’s the question Mike Arrington asks today over on TechCrunch. When I last wrote about OpenID back in…

I think any discussion of how to evangelize OpenID to the general public also requires the foundation to clearly articulate the value of being a relying party, otherwise it risks stalled growth when users finally decide to get an OpenID, but have nowhere to use it. JanRain claims 8,000 relying parties (and David Recordan claims 11,000 above), but I’ve seen little justification for that number; OpenIDDirectory.com lists about 530 or so OpenID-related sites, and 60 or so of them are identity providers. Demonstrating value to potential relaying parties also requires showing, in no uncertain terms, just how many people already use it.

To overcome this problem, there has to be real value for a service provider to become an OpenID relying party. These benefits might include (warning: businesspeak ahead):

1) Expedited customer acquisition: OpenID allows user to quickly and easily complete the account creation process by eliminating entry of commonly requested fields (email address, sex, birthdate), thus reducing the friction to adopt a new service. In addition, the continued ability to access this data each time the user logs in offers the additional benefit of maintaining an up-to-date picture on the user.

2) Reduced user account management costs: The primary cost for most IT organizations is resetting forgotten authentication credentials. By reducing the number of credentials, a user is less likely to forget their credentials. By outsourcing the authentication process to a third-party, the relying party can avoid those costs entirely.

3) “Thought leadership”: There is an inherent marketing value for an organization to associate itself activities that promote it as a thought leader. It provides an organization with the means to distinguish itself from its competitors. This is your chance to outpace your competitors.

4) Your competitors are already doing it: Whoops! So you missed out on number 3, so you have to do it, otherwise you’re falling behind the times. Ketchup!

5) Access to user data you don’t already have: The real value for a relying party is not in authentication, but in being able to quickly and easily extract additional information about the user to enable them to better serve the user, right from the very first interaction.

6) Simplified user experience: Logical follow on from 1 & 2. However, it’s at the end of the list because that’s not the business priority. The business priority is the benefit that results from a simplified user experience, not the simplified user experience itself.

The key sticking point, of course, is #5. No identity provider wants to undermine its own business by giving away all the data they’ve carefully gathered on the user. Does beg the interesting question if you’ll see OpenID become a tiered service - one where a relying party can pay the identity provider to access additional data on the user.