TomsTechBlog.com

It's hard to say these days

Two Very Quick Points On Identity Systems

July 24, 2008 11:08 by Tom

I just couldn't pass up making a quick comment on Dick Hardt's provocatively titled post "Facebook Connect - fatal blow for OpenID?"  In it he suggests that Facebook Connect, which is the company's new distributed identity system, could win out over OpenID in the end.  Here is the quote...

Facebook Connect is a powerful identity system. Using Facebook Connect, a site gets access to the user’s profile data and the user’s friends. For sites such as Digg and Movable Type that want to make users accountable for their activity, there is an implicit reputation of the user based on the depth of the profile.

...

The promise of OpenID was to make login simple and move profile data. A number of us have been looking at using OpenID to make an accountable web. Given the momentum and immediate value of a Facebook identity system and the lack of OpenID RP deployment, one wonders if the identity opportunities of OpenID have passed.

Two points here, the first of which is stated very well by David Recordon who says...

Just as no one would let Microsoft own the protocol, no one is going to let Facebook either.

There's a lot of truth to that.  I'm not sure this is a situation where no company could ever control an identity platform, but if a company did succeed they would need a lot of trust from the consumer.  That's why Microsoft has tried several times and failed: people simply don't trust them anymore.  Now that PR nightmares such as Beacon have had their way with Facebook, I'd put them in the same boat as Microsoft with regard to trust.

Which brings me to point #2: despite what "community advocates" might have you believe, most of the web traffic on the Internet is from about 10 big companies: Google, Microsoft, Yahoo, MySpace, etc.  Unless a company wanting to control identity can gather the support of those companies, it simply is not going to succeed.  Given that Facebook is a direct competitor of several of those companies, its chances of becoming the de facto identity provider are next to nothing.

Bonus Point Addendum: This is a topic for a much longer post but I did want to make one more point.  Many are saying Facebook Connect will win out because it provides access to the "Treasure Trove" that is a Facebook user's profile information.  I'm sorry, but I've never seen where the great value is in this.  Knowing what someone says their favorite movie is or what their favorite quote is doesn't strike me as groundbreaking info that's going to revolutionize the web ad business.  That skepticism, by the way, is borne out by the seemingly awful return rate on Facebook ads.



OpenID's Single Biggest Failure

April 8, 2008 21:37 by Tom

There are times in the technology world where I notice something I think is big but no one else seems to be mentioning it.  This in turn makes me a little nervous as I wonder if I'm crazy or if it really is a big deal.  That's why I was so happy to see this post by Dan Brickley entitled "When your OpenID provider goes offline..." 

My main OpenID provider is currently LiveJournal, delegated from my own danbri.org domain. I suspect it’s much more likely that danbri.org would go offline or be hacked again (sorry DreamHost) than LJ; but either could happen!

In such circumstances, what should a ‘relying party’ (aka consumer) site do? Apparently myopenid has been down today; these are not theoretical scenarios. And my danbri.org site was hacked last year, due to a DreamHost vulnerability. The bad guys merely added viagra adverts; they could easily have messed with my OpenID delegation URL instead.

In "Enterprise Speak" this is called a "single point of failure" and, as the name implies, it means a part of your system can bring everything to a halt if it fails.  These are obviously to be avoided. 

OpenID creates two "single point of failure" scenarios that I can see...

1.  Server Goes Down: Servers go down all the time on the Internet, but when that happens in today's world you only lose access to one site.  In the case of OpenID, every web site you visit will need the OpenID server to authenticate you, which means you lose access to every secure website you use if your OpenID server happens to go down.  That's a pretty big penalty to pay.

2.  Server Goes Away: As bad as the scenario above might be it pales in comparison to the scenario where your OpenID provider goes out of business.  At that point, you're just out of luck.  You've lost all access to your personal information.  In fact, in the ideal scenario the whole idea of OpenID is to prevent individual sites from getting your personal info at all.  So those sites will lack the ability to re-establish a link with you once your OpenID is gone (since the site doesn't have any personal info to question you about it can't verify your identity). 

Mr. Brickley, being the semantic web advocate he is, suggests an automated way to fix this...

one model that strikes me as plausible: the relying party should hang onto FOAF and XFN ‘rel=me’ data that you’ve somehow confirmed (eg. those from http://danbri.org/foaf.rdf or my LJ FOAF) and simply offer to let you log in with another OpenID known to be associated with you. You might not even know in advance that these other accounts of yours offer OpenID; after all there are new services being rolled out on a regular basis.

I have to disagree with him on this.  One of the things I've grudgingly accepted as a program designer is that some tasks should be left to actual people.  This is one of those examples.  I'm very uncomfortable with the idea of a website trying to automatically determine where I'd like to delegate authority over my information to and then choosing to delegate that authority for me. 

What I'd suggest instead is that website developers be mindful of this flaw in the OpenID system and allow their users to specify an alternate OpenID account.  In fact, I'd go further and say it's an OpenID-enabled site's responsibility to make the user aware of this flaw and strongly encourage them to get an alternate OpenID.  As recent events around Yahoo have proven (aka The Microsoft Merger), even the biggest company's OpenID support can be put in jeopardy.  So everyone needs to have some kind of backup.

(For the record, I don't think Microsoft will shut down Yahoo's OpenID support, but it's certainly possible at this point.)
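The alternate-OpenID suggestion above, as an added example (not code from this blog or from any OpenID library): a relying party's account store that lets a logged-in user link a backup identifier and never links one automatically. The names `AccountStore`, `add_backup` and `needs_backup` are hypothetical, and every `verified_identifier` is assumed to have already passed OpenID assertion verification in a real library.

```python
from urllib.parse import urlsplit

class LinkError(Exception):
    """Raised when an identifier cannot be linked or unlinked."""

def normalize(identifier):
    # Simplified (assumption): lower-case the host, drop query and fragment.
    parts = urlsplit(identifier.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise LinkError("not an http(s) identifier")
    return "%s://%s%s" % (parts.scheme, parts.netloc.lower(), parts.path or "/")

class AccountStore:
    def __init__(self):
        self._owner = {}   # identifier -> account id
        self._linked = {}  # account id -> set of identifiers

    def register(self, account_id, verified_identifier):
        ident = normalize(verified_identifier)
        if ident in self._owner or account_id in self._linked:
            raise LinkError("account or identifier already registered")
        self._owner[ident] = account_id
        self._linked[account_id] = {ident}

    def add_backup(self, session_account_id, verified_identifier, user_confirmed):
        # Link only inside a logged-in session and on the user's explicit
        # choice; never inferred automatically from rel=me or FOAF data.
        if session_account_id not in self._linked or not user_confirmed:
            raise LinkError("needs a logged-in user who confirmed the link")
        ident = normalize(verified_identifier)
        if self._owner.get(ident, session_account_id) != session_account_id:
            raise LinkError("identifier belongs to another account")
        self._owner[ident] = session_account_id
        self._linked[session_account_id].add(ident)

    def login(self, verified_identifier):
        # Any linked identifier reaches the same local account.
        return self._owner.get(normalize(verified_identifier))

    def needs_backup(self, account_id):
        # True while all identifiers sit on one host (one point of failure).
        return len({urlsplit(i).hostname for i in self._linked[account_id]}) < 2

    def unlink(self, session_account_id, identifier):
        ident = normalize(identifier)
        linked = self._linked.get(session_account_id, set())
        if ident not in linked or len(linked) == 1:
            raise LinkError("not linked, or it is the only login identifier")
        linked.remove(ident)
        del self._owner[ident]
```

A site can call `needs_backup` after each login to decide whether to prompt the user for a second identifier at a different provider.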



Big News: OpenID Still Isn't Going Anywhere

February 7, 2008 15:55 by Tom

Let me start with the quote here (courtesy of Read/Write Web)...

The OpenID Foundation is announcing this morning that Google, IBM, Microsoft, VeriSign and Yahoo! have taken seats as the organization's first corporate board members.

OpenID is a protocol for authenticating your identity through a single chosen provider instead of creating unique accounts at every website you use.

The Foundation, which was formed 18 months ago, says it "will not dictate the technical direction of OpenID; instead it will help enable and protect whatever is created by the community." That often means legal paperwork (to keep a single company from patenting important open standards, for example), and that means money is needed. Cash will also help with some much needed marketing and communications efforts.

OK...this has begun to bother me. 

This has become a trend now where companies join essentially useless organizations so they can claim to support open standards that they have no intention of actually supporting.  First there was DataPortability.org and now we have The OpenID Foundation, both organizations that have no real purpose other than to "discuss" and hence are easy for big companies to use as Public Relations tools.

These companies aren't even willing to assign vaporware status to OpenID.  They could easily say "we plan to implement OpenID at some time in the future" only to forget about it down the line (they've all done it before).  But then they'd have to stop pushing their own proprietary solutions, so they won't even do that.

Instead this will just become an appointment for some lower level employee.  He/She will attend a pointless meeting every month and that will be the extent of it, because the real goal is to quiet the community that is clamoring for change, not to actually make a change.

Once the noise dies down OpenID can just fall by the wayside and be forgotten. 

The saddest part about all this is that it works.  OpenID supporters will pat themselves on the back, confident that they've beaten the big companies, and then go on their way.  The big companies will continue to attend meetings that go nowhere until OpenID has fallen so far behind proprietary technology that it's pointless to discuss, and then it will be forgotten.  It's all just a trick, and not even a clever trick at that.

Yet people continue to fall for it.  Please, if you support OpenID, don't stop until you get a timetable for full implementation.  Because unless you have that you really don't have anything at all. 

Addendum: In the comments I'm taken to task for saying The OpenID Foundation is "essentially useless".  Just so we're all on the same page here I'll quote from their web site on what the Foundation's purpose is...

The OpenID Foundation (OIDF) was formed in June 2007 to help promote, protect and enable the OpenID technologies and community. This entails managing intellectual property, brand marks as well as fostering viral growth and global participation in the proliferation of OpenID. The OIDF does not dictate the technical direction of OpenID; instead it will help enable and protect whatever is created by the community.

I'm not sure I meant "completely useless" when I said what I did, so if that seemed implied I certainly take it back.  Both the OpenID Foundation and Dataportability.org have some uses beyond being a corporate tool.  I think my issue with them still stands, though, in that they are benign to me.  They don't push things forward; they just sit by the sidelines (as opposed to, say, a standards group which is actively working on the standard).  That makes them ripe for manipulation by big companies.

Anyway, my criticism really isn't of the organizations themselves.  I'm sure each was started by well meaning people and that well meaning people are still in each of them.  I just wonder if, by the nature of the organization, they don't invite big companies to use them in the way described above.



Yahoo Opens Up

January 18, 2008 14:05 by Tom

First let me just say that I'm as pro-OpenID as someone could get.  Were I king of the world, every web site would be required to submit to OpenID and that would be the end of it.  That said, I'm not sure that Yahoo adopting it is that big a deal.  I quote from a post by Caroline McCarthy of CNet's "The Social"...

In one of the most significant moves yet in the growing push toward service interoperability on the Web, tech giant Yahoo announced Thursday that it is supporting the OpenID 2.0 standard for a universal Internet log-in.

No matter what your views of Yahoo's current stability may be, this is undoubtedly a big victory for OpenID. Not so long ago, the protocol was considered a dot-com/futurist pipe dream. OpenID was created by Web 2.0 guru Brad Fitzpatrick, who founded LiveJournal and was brought on board at Google last year as one of the most prominent players in its OpenSocial developer initiative.

Well...maybe...but I can't help but think our views of Yahoo's health are very relevant here.

I applaud a lot of what Yahoo has done over the past couple years but the reality is Yahoo has been trying to embrace Web 2.0 as a way to pull itself out of a downward spiral.  They can claim massive user numbers all they want but that doesn't mean all those people are actively using their services and we all know it.

In the end Yahoo is a company that thinks embracing this will draw customers to them, while OpenID needs to woo the companies who already have those customers.  So Yahoo adopting OpenID is great but not all that helpful in terms of OpenID's eventual goal of massive adoption.

This brings me to a point I've made before which is that these initiatives have to find a way to make switching profitable for successful companies. 

In order to get those companies to adopt an open standard you have to understand their perspective which is that they are having to give up a very valuable lock-in to adopt this.  Someone has to come up with an argument that shows them their gain will be more than their loss.  I'm not yet sure what that argument is but I think it is key in getting open standards like this adopted by the majority of companies. 



About Me

Not really relevant right now. This blog is on hiatus. I really haven't decided if it is an indefinite hiatus yet.

For the record, if you've tried to e-mail me over the last 4 to 6 months I didn't mean to ignore you. The e-mail forwarding isn't working and I didn't realize that until months' worth of e-mails had been deleted on forward. The tom@tomstechblog.com address still won't forward to the postmaster account and I don't know why because it's provided by the webhost. But if you're one of my old blog pen pals I would always welcome an e-mail from you at the postmaster@tomstechblog.com address.
