Identities of our own

It really bums me out sometimes that the vision of OpenID that was about controlling your own identity for SSO on the web never flourished.

The latest spec, OpenID Connect, still embodies the original vision, but in practice no one implements the optional OpenID Connect Discovery and Dynamic Client Registration steps that would let a user type in an identifier of their own. Instead, everyone just hardcodes an assortment of buttons for Google/Microsoft/Facebook/etc.

With OpenID 1 and 2, “discovery” wasn’t relegated to an optional step. It was a fundamental piece of the protocol. This leveled the playing field for identity: to support any given OpenID you had to support all. It seems to me that by making discovery optional, the field tilted severely in favor of coalescing corporate power.
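To make concrete what "discovery and auto-registration for a user-entered identity" means in OpenID Connect terms, here is an added example (not code from the original post, and not from any OpenID project) of the relying-party side of that flow: WebFinger lookup on the typed identifier, fetch of the provider metadata document, and a dynamic client registration call. The hosts example.com, op.example.com, op.example.org and rp.example.net, the JSON responses and the returned client_id are constructed stand-ins so the script runs offline; the steps and the "MUST" checks paraphrase OpenID Connect Discovery 1.0 and Dynamic Client Registration 1.0.

```python
# Relying-party side of OpenID Connect for a user-entered identifier:
# WebFinger discovery -> provider metadata -> dynamic client registration.
# Network access is replaced by constructed in-memory responses (see the
# fake_get / fake_post stand-ins at the bottom); hosts are not real.
from urllib.parse import urlsplit, urlencode, parse_qs

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


def normalize(identifier):
    """Discovery 1.0 section 2.1: map the typed identifier to
    (WebFinger host, resource URI). Email-style input becomes an acct: URI;
    anything else is a URL, with https:// assumed and the fragment dropped."""
    ident = identifier.strip()
    if "@" in ident and "://" not in ident:
        return ident.rsplit("@", 1)[1], "acct:" + ident
    if "://" not in ident:
        ident = "https://" + ident
    parts = urlsplit(ident)
    return parts.netloc, parts._replace(fragment="").geturl()


def discover_issuer(identifier, get):
    """Ask the identifier's host, over https, which issuer speaks for it."""
    host, resource = normalize(identifier)
    url = "https://%s/.well-known/webfinger?%s" % (
        host, urlencode({"resource": resource, "rel": OIDC_ISSUER_REL}))
    for link in get(url).get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL:
            issuer = link.get("href", "")
            p = urlsplit(issuer)
            # The issuer MUST be an https URL with no query or fragment.
            if p.scheme != "https" or p.query or p.fragment:
                raise ValueError("bad issuer from WebFinger: %r" % issuer)
            return issuer
    raise LookupError("no OpenID issuer advertised for %r" % identifier)


def fetch_provider_metadata(issuer, get):
    """Fetch {issuer}/.well-known/openid-configuration and validate it."""
    meta = get(issuer.rstrip("/") + "/.well-known/openid-configuration")
    # Discovery 1.0 section 4.3: the issuer in the document MUST equal the
    # issuer URL it was fetched from, so one host cannot point relying
    # parties at endpoints belonging to a different issuer.
    if meta.get("issuer") != issuer:
        raise ValueError("issuer mismatch: %r != %r" % (meta.get("issuer"), issuer))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in meta:
            raise ValueError("provider metadata lacks " + key)
    return meta


def register_client(meta, redirect_uri, post):
    """Dynamic Client Registration 1.0: obtain a client_id on the fly instead
    of pre-registering one hardcoded button per provider."""
    if "registration_endpoint" not in meta:
        raise LookupError("provider does not support dynamic registration")
    request = {"redirect_uris": [redirect_uri],
               "client_name": "example relying party",
               "token_endpoint_auth_method": "client_secret_basic"}
    resp = post(meta["registration_endpoint"], request)
    if "client_id" not in resp:
        raise ValueError("registration response lacks client_id")
    return resp["client_id"]


def onboard(identifier, get=None, post=None):
    """Everything needed to start an auth request for a never-seen provider."""
    get, post = get or fake_get, post or fake_post
    issuer = discover_issuer(identifier, get)
    meta = fetch_provider_metadata(issuer, get)
    return {"issuer": issuer,
            "authorization_endpoint": meta["authorization_endpoint"],
            "client_id": register_client(meta, "https://rp.example.net/cb", post)}


# Constructed offline stand-ins for the network; none of these hosts exist.
_WEBFINGER = {("example.com", "acct:alice@example.com"): "https://op.example.com",
              ("example.org", "acct:bob@example.org"): "https://op.example.org"}
_METADATA = {
    "https://op.example.com": {
        "issuer": "https://op.example.com",
        "authorization_endpoint": "https://op.example.com/authorize",
        "token_endpoint": "https://op.example.com/token",
        "jwks_uri": "https://op.example.com/jwks",
        "registration_endpoint": "https://op.example.com/register"},
    # Misconfigured or hostile provider: the document names a different issuer.
    "https://op.example.org": {
        "issuer": "https://other.example.org",
        "authorization_endpoint": "https://other.example.org/authorize",
        "token_endpoint": "https://other.example.org/token",
        "jwks_uri": "https://other.example.org/jwks"}}


def fake_get(url):
    p = urlsplit(url)
    if p.scheme != "https":
        raise ValueError("discovery traffic must be https: " + url)
    if p.path == "/.well-known/webfinger":
        q = parse_qs(p.query)
        return {"subject": q["resource"][0],
                "links": [{"rel": q["rel"][0],
                           "href": _WEBFINGER[(p.netloc, q["resource"][0])]}]}
    if p.path == "/.well-known/openid-configuration":
        return _METADATA["https://" + p.netloc]
    raise LookupError(url)


def fake_post(url, body):
    if url != "https://op.example.com/register":
        raise LookupError(url)
    return {"client_id": "rp-constructed-1", "redirect_uris": body["redirect_uris"]}
```

Calling `onboard("alice@example.com")` walks all three steps and returns the issuer, authorization endpoint and freshly issued client_id; `onboard("bob@example.org")` is rejected at the issuer-equality check, which is the part a relying party cannot skip if it accepts arbitrary user-supplied hosts. Swap `fake_get`/`fake_post` for real HTTPS calls (with TLS verification and a JSON parser) and the structure is the same.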

Why the change? Well, it’s hard to look at the author lists of the two specs side-by-side and not see the case for regulatory capture. Big corporations start participating, they sway specs in their favor, away from interoperability, and so they get bigger. The problem compounds.

(Figures: the OpenID 2.0 author list and the OpenID Connect author list, shown side by side.)

This sort of influence exists in lots of standards and leads to increasingly walled gardens that are “open” in name only instead of flourishing, truly open spaces.