Tara, the author of the PassPack blog, commented with several
questions. I'm going to answer them here because to do in the comment,
I think hides it too much from view.
I don't sustain that OpenID goes against free will (that makes no sense)
I do sustain that issuing OpenIDs without asking takes away my freedom of choice.
I'm of the position that all of this user-centric stuff (OpenID, CardSpace, etc) are inherently not that different from what we currently use as our primary electronic identifiers - email addresses. Thus I don't think the fact that a company like AOL offering OpenID really limits you in any way.
Of course this is very hard to predict at the moment because we have a heck of a lot more OpenID providers than we do real service providers (yes, you can comment on each others blogs how great OpenID is, but until something like Amazon, BN.com, etc allow me to use to OpenID/CardSpace to manage my account with them, it's a niche).
Tara -- "My post was in direct reaction to the Estonians being issued OpenIDs in relation to their National ID cards. I've since been assured that this won't happen (no OpenIDs will be issued, http://martin.paljak.pri.ee/2007/05/25/openid-smart-cards-and-security-risks/) - but how long will it be until something like that does happen?"
Personally - even this had been the case - I don't think this would necessarily be a bad thing. Governments issue identities all of the time to us. For me - I have a Social Security Number, a Passport number and a driver's license. All are forms of government issued identities.
It could help facilitate more efficient interactions with the government (from everything from paying the water bill, registering your car, to allowing for more effective communication with your elected representatives).
It could also help with some of the trickier issues we face in online identity management today such as "adult-only" services (not just the dirty picture stuff, but things like buying alcohol online or dating services) is that we don't have a good system for saying "Yes, you are over 18 thus you can visit this site".
A good national identity service could allow you to prove that claim (I'm over 18) without having to say anything else about you.
As American's we've got contradictory wiring in our brains on government identity services - mostly bred from 50+ years where the key phrase of living in a "evil society" was "show me your papers" asked by scary government official.
Meanwhile - we let our actual private identity information be shared in non-governmental settings without much thought of the risks. Which is probably how it should have been - market creation generally leads rule-set generation.
My point is - electronic government identity is not necessarily a bad thing by itself. The tough part is how to implement properly.
Aren't we setting the precedent now?
To what extent is AOL "issuing without asking" different from a government doing the same?
Obviously they saw a business opportunity by offering identity services to their customers/partners via OpenID and now SAML2 (and I think they also have their own proprietary system, but OpenID and SAML2 seem to be preferred which is probably wise).
If they made the correct choice - they will be rewarded and their customers will benefit as well.
If they made the wrong choice - either customer's don't like this and don't use it OR partners don't materialize in a fashion that benefits everyone involved - then it will not survive.
More choice is a good thing. I agree 100%. So why shouldn't I have the freedom to choose who is (and who isn't) my OpenID provider?
Just because AOL is now an OpenID provider doesn't mean you have to use AOL as your OpenID anymore than because you have an AOL Instant Messenger account means you have to use AOL for your email.
It could be possible that some sites may give you extra benefits if you use a particular OpenID provider but that's not fundamentally different than a local restaurant giving you a free appetizer if you bring in movie ticket stub from the theater next door.
Just a note, but I think it's important for the context:
The title of my post isn't "A Great Thing Run Amok?", it's "A Great
Thing Going Amok?" - it's meant to be a heads up, not an accusation.
Thanks for pointing this out, I updated my earlier post with the correct title.
So... is it going amok?
I hardly think it's going amok - most people have no idea about OpenID/Cardspace/IGF/SAML/Federation/User-Centric Identity. This is still very early in the game.
Is that a risk? I can see it happening. Estonia was a scare, ok. But next time?
Are there risks? Sure but risk also means reward.
The hard part is how to manage the risks - which I'll admit is not something that is very easy -in particular since humans don't naturally seem to be very adept at risk management.
Sorry, I bombarded you with more questions than answers here...
Thanks for opening up this discussion.
Cheers,
Tara
I think they were good questions. Hopefully I've given good answers :).
.
