OpenID: Another Connect and Marketing

Oh no, not another post on OpenID already, you might think. Well, the new year is only a few days old and there are already three posts and tweets that got me thinking about it again. But if you don’t want to read about OpenID again, just ditch this post. 😉

The Idea of OpenID Connect

Let’s start with Chris Messina’s proposal of OpenID Connect that got some attention in the blogosphere over the last few days. According to Chris, OpenID Connect should be a concept similar to Facebook Connect and Twitter Connect:

OpenID Connect is a technology that lets you use an account that you already have to sign up, sign in, and bring your profile, contacts, data, and activities with you to any compatible site on the web.

For the techies among you, OpenID Connect should leverage Activity Streams, Portable Contacts, and OAuth WRAP among others.

Sounds good? At long last, a product based on OpenID that could be marketed and is similar to its rival Facebook Connect? Maybe. But we could have had that product for a long time already. Isn’t there an OpenID/OAuth Hybrid protocol? Isn’t it possible to perform discovery of a service catalogue containing contacts, photos, and much more via XRDS-Simple?

I cannot comment on the technical differences of both approaches or their shortcomings. I simply don’t know them and never really had a look at OAuth WRAP so far. I’m just a dumb end user. But from what I can tell it was possible to build something similar to Facebook Connect that wasn’t a product but a combination of a few protocols that could work almost the same way. However, no one cared to think about a reference implementation and document it. So at least Chris’s idea of OpenID Connect could start a new discussion – and actually much needed work – about establishing a product based on open standards. I just hope marketing efforts will follow.

Email Anyone?

Last night I spotted a tweet by Hutch Carpenter, a name which should be familiar to those involved with Enterprise 2.0. Hutch had a really simple request:

Yes, it is as simple as this: Hutch just wants an email transferred while signing up to a new service. Those of you familiar with OpenID know that it’s possible. There is the Simple Registration Extension (SREG) and there is Attribute Exchange (AX). Both protocol extensions allow transferring an email address – among other data – from the OpenID provider to the consuming website, the relying party. Both parties – the provider and the relying party – need to support them, though. However, this great feature is mostly unknown even to tech-savvy guys like Hutch.

How come? Back in the days of the old OpenID version 1.1 most providers and relying parties supported SREG. Unfortunately, when big providers like Google and Yahoo! jumped on board with OpenID, this fine extension got forgotten by most people, simply because the big vendors didn’t support it. When Yahoo! started supporting some SREG values in November 2008 it was applauded, and reading some of the blog posts about it, it sounded like Yahoo! had re-invented the wheel. Hey, the current SREG specification has been final since June 2006! Yes, since the summer of 2006. So no real invention in the winter of 2008.
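The SREG and AX email transfer described above, as an added example that is not part of the original post: a relying party builds the request asking for the email and accepts the returned value only when the provider listed it in `openid.signed`. The endpoint URLs, the `ext1` alias and the sample response are constructed, and verification of the assertion signature itself is assumed to be done by the OpenID library.

```python
from urllib.parse import urlencode, parse_qsl

OPENID_NS = "http://specs.openid.net/auth/2.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"
AX_NS = "http://openid.net/srv/ax/1.0"
AX_EMAIL = "http://axschema.org/contact/email"

def build_auth_request(op_endpoint, return_to, realm):
    """Redirect URL with which a relying party asks for the email via SREG and AX."""
    select = OPENID_NS + "/identifier_select"
    return op_endpoint + "?" + urlencode({
        "openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
        "openid.claimed_id": select, "openid.identity": select,
        "openid.return_to": return_to, "openid.realm": realm,
        "openid.ns.sreg": SREG_NS, "openid.sreg.required": "email",
        "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request",
        "openid.ax.type.email": AX_EMAIL, "openid.ax.required": "email",
    })

def email_from_response(query):
    """Email from an already signature-checked assertion, or None if not signed."""
    resp = dict(parse_qsl(query))
    if resp.get("openid.mode") != "id_res":
        return None
    signed = set(resp.get("openid.signed", "").split(","))
    # The provider picks the aliases, so look extensions up by namespace URI.
    alias = {v: k[len("openid.ns."):] for k, v in resp.items()
             if k.startswith("openid.ns.")}
    fields = [alias[SREG_NS] + ".email"] if SREG_NS in alias else []
    ax = alias.get(AX_NS)
    for key, uri in resp.items():
        if ax and key.startswith(f"openid.{ax}.type.") and uri == AX_EMAIL:
            if key[len("openid."):] in signed:  # type mapping must be signed too
                fields.append(f"{ax}.value.{key.rsplit('.', 1)[1]}")
    for field in fields:
        # Only values listed in openid.signed are vouched for by the provider.
        if field in signed and "openid." + field in resp:
            return resp["openid." + field]
    return None

def sample_response(signed_fields):
    """Constructed provider response (AX alias 'ext1'); not captured traffic."""
    return urlencode({
        "openid.ns": OPENID_NS, "openid.mode": "id_res",
        "openid.ns.ext1": AX_NS, "openid.ext1.mode": "fetch_response",
        "openid.ext1.type.mail": AX_EMAIL,
        "openid.ext1.value.mail": "alice@example.org",
        "openid.signed": signed_fields,
    })
```

An email that arrives in the response but is missing from `openid.signed` could have been appended by anyone who handled the redirect, so the function returns `None` for it.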

Confusion about the OpenID Name

The next blog post surprised me a little bit and I thought the blogger was probably an exception for getting some aspects of OpenID wrong. Basically, she thought she had to pay $25 for getting an OpenID when visiting As it turned out, she was confused with the membership fee of the OpenID Foundation. Actually, I thought this would never happen. But it did and what if she was not the only one as she pointed out in the comments? Also she already had an OpenID from MyOpenID but thought it was something different, just because of the name.

OpenID Needs Marketing

Those three examples show one thing: OpenID needs more marketing! Though any marketing needs a product. So OpenID Connect or whatever it will be called in the end is a step in the right direction. Marketing should be done by those who know their job: marketers. Not developers as is the case mostly these days.

Also it’s probably a good idea to get more in touch with big tech blogs like Techcrunch, Mashable, and Read Write Web. They have turned mostly into news sites that need a story to write about. They hardly do intense research, so no one can expect them to find out the subtle technical details of something like OpenID, its extensions and related protocols. So in the end OpenID might get better press and won’t look like the inferior identity protocol to Facebook Connect.

9 thoughts on “OpenID: Another Connect and Marketing”

  1. I realize I appear stupid in my blog post. Simple confusion is easily mistaken for that.

    You’ll note I got it right when logging in to leave this comment. Still, my main point remains: it’s not clear and people are going to get confused.

    Who knows. Maybe I am stupid. But, if that’s the case, you have to find a way for OpenID to work for stupid people, too, because the internet is jam-packed with them.

    1. On the contrary, your frustrations are shared by many, if the highest rated suggestion on our idea forum is any indication:

      I hope that this year we’ll work to clean up the OpenID brand, and also make the technology easier to adopt and implement.

      As to the point about email being included in registration — well, that’s really got more to do with the user’s privacy preferences, rather than whether a service provider can provide the email! Because, as you pointed out, Carsten, it’s already built into the OpenID technology — but so far, many OpenID providers have been reluctant to share the user’s email address when the user may think that they’d rather not share it (even though most sites still require the email address anyway).

      In any case, thanks for keeping up with OpenID — and I would suggest that you look into OAuth and OAuth WRAP — not from an end-user’s perspective, but from an interested party’s that is interested in all the issues that need to be addressed in order to see widespread adoption of these technologies!

      1. Regarding email, I don’t think it has much to do with users’ privacy preferences. When Yahoo! and Google became providers and advised relying parties to put their logo buttons on websites, the average user didn’t realize that OpenID was working in the background and that it was generally possible to share an email address. Apart from that both providers didn’t share that data in the beginning anyway.

        Yes, I will have a look at OAuth WRAP. Maybe I’ll understand it. I mean, I know how the basics of OAuth work, so I should be able to understand WRAP as well.

  2. I’ll give you my perspective on this. For an external site seeking sign-ups, there’s an attraction to something like FB Connect. Why? Familiarity and ubiquity. Facebook has high engagement stats, it’s become the favorite hangout for much of the world (even more so than Twitter). And with 300 million users, it’s a leading source of credentials.

    They’ve made their privacy mistakes, but fundamentally, people continue to trust Facebook. So…
    – Trust
    – Brand
    – Ubiquity

    …make it a strong choice to be the credentialing service for a site. As for the email inclusion, apparently that’s coming soon from Facebook, per their developers wiki:

    Thanks Carsten for writing this up. I do want to see how OpenID develops.


    1. Yes, Facebook’s advantages are definitely its large user base and the, admittedly, great user experience of FB Connect.

      Regarding sign-ups, an even better choice would be JanRain’s RPX solution ( which integrates OpenID, FB Connect, Twitter, and the familiar logo buttons of Google, MySpace, and Yahoo, which are OpenIDs anyway. A website which only aims for sign-ups would be best advised to use RPX (I don’t get paid by JanRain, no, no ;)).

      FB Connect’s main disadvantage is Facebook itself. It will be one big identity silo in the end. Does everyone want to be associated with FB when logging in to another website? And only data which is stored at Facebook and Facebook allows to be transferred can be shared. There are no external services involved (yet). But maybe that will be part of another post.

      Oh yeah, thanks for the link reg. Facebook and email. I knew I read it somewhere but didn’t remember to check the obvious source.

  3. I’ve been using JanRain’s OpenID (MyOpenID) for awhile now. When I submit a relevant content or comment on a site, I am required to accept the incoming “Phone Verification” call and then asked to click the pound # sign to complete the verification process. I’m not sure the readers of my Social Media Marketing Plus Blog would be willing to do this on each session.

    1. MyOpenID’s phone verification is an additional security feature which can be turned off. I don’t use it. It is up to OpenID providers how they authenticate users. Anyway, this feature is not part of the OpenID protocol, so your readers probably don’t have to do this extra step.
