This week has been a busy week for OpenID. At the Microsoft Professional Developers Conference Microsoft announced that Live ID will be OpenID compliant. I am estimating that this will add about 380 million accounts to the approximately 500 million existing OpenID capable accounts courtesy of Yahoo, AOL, France Telecom and others. Google has been providing limited OpenID support but this week also announced their adoption of OpenID 2.0 support. Interestingly they are also moving to support OAuth. That is a big move.
It could be that the Google announcement is a knee jerk reaction to Microsoft's news. It seems that they are still developing some pieces of the service offering. What is interesting is that Google seems to have take a slightly different approach and some are claiming that they are breaking the OpenID standard. What they are doing is using the gmail email address as the key. This requires sites adopting OpenID to make changes. This is where the shouting is taking place. For an interesting assessment of the implications check out the Neosmart blog. They claim that Google is forking OpenID. Try to take this in your stride. Take a breath and scroll down to the comment left by David Recordon, one of the leading players in the world of OpenID. I have copied David's comments are here:
"Google is taking advantage of a feature in OpenID 2.0 known as "Directed Identity". This allows an OpenID 2.0 Relying Party to start the OpenID protocol flow using a known URL (Yahoo!'s ishttp://openid.yahoo.com/) to allow for "one click" style login dialogues. By performing discovery on this URL, using the XRDS XML format, the OpenID Provider advertises the OpenID Endpoint URL for the Relying Party to make a request against. Google is doing this correctly with the URL to perform discovery against being https://www.google.com/accounts/o8/id.
The piece that Google is currently doing differently is requiring pre-registration of each OpenID Relying Party before users can login to a given site. This does break the common deployment of OpenID on the web today, but Eric Sachs of Google has said on the OpenID mailing list (http://tinyurl.com/562mec) that this is temporary as they work to stabilize their OpenID Provider: "We just need to do the standard scaling, stability, translation quality, etc. evaluation to make sure there are no major problems. If we are lucky, that won't take much time. However it is more then likely that we will need to tweak things in our user interface to make it easier to understand, and unfortunately translating any such tweaks into 40+ languages takes awhile."
As for using email addresses as OpenIDs, this is something the OpenID community is talking about quite a bit right now; Google included."
I think it is clear, As Microsoft noted, OpenID is recognized as a maturing De Facto standard for authentication. The major Internet players are all supporting OpenID. Now it is time for enterprises to recognize the advantage of adopting a global De Facto Authentication standard. This was part of our discussion at Health 2.0 and HealthCampSf last week.
I have been pushing the idea of using OpenID and OAuth, and other elements embraced by the DataPortability initiative, across the Health Care industry. It is now time for the industry to take that leap of faith and make it happen.