OpenID Connect? Messina vs. Obasanjo

Chris Messina thinks the OpenID brand should come to mean a package of a number of related “Open Stack” technologies, called OpenID Connect, and start to compete with Facebook Connect.

Dare Obasanjo disagrees: he thinks we only need an OpenID Connect if there were multiple incompatible implementations of Facebook Connect-like products from multiple players, to standardize best practice.

Who is right?

Both, I think. They represent two different points of view that I both sympathize with. I like the first better but the second one might be more realistic. I only realized this a few months ago, this is as good a time as any to attempt to explain this:

First I have to make a detour: OpenID (and related “Open Stack” technologies) are fundamentally interoperability standards. If I have a website and you have a website, OpenID enables our mutual customers to do something interesting by “connecting” some pieces of my website to your website. Take authentication performed on my website to your website, for example. Move data, etc. It’s important to realize OpenID doesn’t do anything that can’t be done already by a site by itself, or within a tightly coupled federation of sites. Instead, OpenID is about interoperability between sites managed by different entities that only agree on the OpenID interoperability specification.

How do successful interoperability standards come into being, and how do they continue to evolve?

I’m not a technology historian, but it appears to me that they usually emerge after several companies have implemented similar, proprietary ways of interoperating, and the potential adopters of such proprietary specifications revolted saying something to the effect of “we can’t afford implementing half a dozen different ways of interoperating with you guys, we need to have one way for the whole industry.”

I think that is essentially Dare’s point. He’s asking where everybody else’s (MySpace, Google, etc.) products are that are like Facebook Connect, and finds very little. His conclusion: this is not the right time for an OpenID Connect.

Chris’ point comes from a different perspective, which is: let’s make the web a better place, and collaboratively design a set of new capabilities that help us all. I understand that perspective very well, because I, like many others, was preaching that perspective ever since I got into that digital identity business in the first place. The trouble is: it’s like molasses, and nothing much ever happens. So far, that has been true about an OpenID Connect, too, for which people like Chris and myself have been asking for for at least a year or more.

I wonder what the newly expanded board of the OpenID Foundation thinks of it. There are enough new faces, in particular from non-technology-platform companies on it that the dynamics may be different. Looking forward to seeing what comes to pass or does not.

5 responses to “OpenID Connect? Messina vs. Obasanjo”

  1. OpenID is a technology, a protocol. As Chris describes it, OpenID Connect is a product. Does the foundation want to be in the business of marketing a product?

    Also Chris’s new position could let people see this proposal as a “stalking horse” for Google in it’s marketing war with Facebook and Twitter…

  2. […] Johannes Ernst’s Blog » OpenID Connect? Messina vs. Obasanjo – view page – cached Chris Messina thinks the OpenID brand should come to mean a package of a number of related “Open Stack” technologies, called OpenID Connect, and start to compete with Facebook Connect. […]

  3. It’s evidence enough for me that I’m getting asked commonly “Should I implement Facebook Connect or Twitter Connect?” that we need to bolster OpenID’s profile in the broader web ecosystem. The growing use of OAuth doesn’t necessarily help things on the über-interoperability front either, since OAuth is good for tightly-binding one site wither another [known] entity like Twitter or Facebook.

    The utility of OpenID is to bootstrap and negotiate a relationship between two unaffiliated parties — as I might email you from my shiny, new email address without you having ever seen it before. Until we have the same kind of emergent social connectivity for non-email data, we’re going to be running around in circles.

    I take Dare’s point — it’s justified — but just because something doesn’t “apparently exist” doesn’t mean that there isn’t enough existing behavior that demonstrates the desire and need for something like OpenID Connect.

    Put another way: what if OpenID Connect DID exist? And let’s also pretend that it’s fscking awesome and everyone loves it! Now what? Well — for one thing — the fears people have about Facebook would be greatly reduced since people would have the choice to leave Facebook without worrying about losing touch with their friends — since they could choose a different social provider and still connect with all the same people that are important to them.

    OpenID Connect isn’t just about addressing the single-API providers in the marketplace — it’s about creating a viable path for them to continue to advance and evolve their offerings for wider numbers of people. You don’t get there without more interoperability and without commoditizing the uninteresting stuff like authentication and authorization APIs.