Friday, August 17, 2007
Same old AOLAOL finally delivered on their promise to support OpenID for authentication when they announced (on their developer's blog) a so-called "Status Update" on Tuesday. What the announcement did mostly, though, was to re-enforce the belief that AOL hasn't changed since it's America On-Line days - it still "doesn't get" the internet, and it still believes its customers are dumber than toast.
Evidently we're supposed to believe that AOL is some huge, decentralized group of fiefdoms which only give the nod to each other. Or, as the announcement put it: "We did finish the infrastructure work on the AOL login side, required to support 3rd party OpenID users to login into AOL, but being a pretty big company, we are struggling to get our Product teams to support it." Maybe, like any good ID management project, you should have gotten executive buy-in from the beginning! That's the best way to be sure priorities are set properly.
OpenID is intended to be ubiquitous, also. Just prove you control a URL and it becomes your identifier. Doesn't matter what the URL actually is. Unless you're AOL, of course. They will only accept OpenID's from a "white list" of 10 providers. But, officially, "OpenID allows anyone who can run a web server to run an identity server. Your identity server is separate from your identity, so you are free to use any identity server that has some ability to validate your identity and you can change between them at will." There are over 100 listed at openid.net. Evidently AOL just doesn't get it.
But evidently AOL does feel it's customer base will only use an OpenID provider that gets its seal of approval by being included in the white list.
Ping Identity's Ashish Jain brought up the very real problem of scalability for white lists: "Given the distributed nature of the protocol, it doesn’t seem right for IdP/OPs and RPs to individually contact each other to maintain this list." He goes on to suggest that a reputation service would be a much better idea. It certainly deserves some further discussion.
On balance, I'd guess that AOL supporting at least some form of OpenID in at least a limited context is better than nothing, as long as it doesn't end there.
© 2003-2006 The Virtual Quill, All Rights Reserved Home