
ACriticalLookAtOpenID

Page history last edited by Chris Messina 14 years, 11 months ago

Panelists

  • levitt (yahoo) (moderator)
  • bergman (wikia)
  • recordon (six apart)
  • willison (independent)
  • andy smith (google)
  • fletcher (aol)

  • openid presentation by willison
    • sso betrays the organizing principles of the web
    • urls are GUIDs
    • people are freaked out by entering a URL
    • openid 2.0... directed identity: instead of entering a long url, you enter the address of your provider... which isn't itself an improvement, but allows a consumer to use a button instead of a URL field
    • analogy: comparing email to openid... lots of similarities
    • email for single sign on is SSO but with a UE that sucks
    • artur: openid is more secure than email

  • recordon: what is the role of IDPs vs email providers? email hasn't been focused on providing identity, they just ended up in that situation
  • willison: people complain that using openid is a SPOF... but email is just as bad... openid doesn't make things any worse
  • will people ever understand that they have openids/URLs? people can tell you what their "myspace" is, but they don't know what a URL is
  • are there mechanisms for anonymity built in? andy: it's based on the identity provider... so yahoo will provide random strings for openids
  • are there any central openid statistics? recordon: nope!
  • can you trust remote sites that you're logging into not to be a phishing site?
    • willison: this is not a new problem, this is a problem that paypal has had
  • the openid trust and trademark question... bergman: if we can provide best practices, we could "certify" remote sites... also, third party trustworthiness ratings for IDPs
  • aol does whitelisting... fletcher: business risk... google allows you to leave a comment, that's about it... you can email aol and request to be added to the whitelist... more about managing business risk
  • yahoo is not a relying party, it is an openid provider
  • yahoo only supports openid 2.0 and will only support 2.0+
  • does wikipedia support openid? hold up because of the use of multiple databases for each property
  • the biggest relying parties? blogger, basecamp...
  • why is yahoo not a relying party? if yahoo won't do it... how will we grow wider adoption?
  • the organizations that benefit from openid are the small sites... it makes it easier for people to sign up for new, smaller services
  • smaller sites shouldn't be an IDP... just be a consumer
  • in a way, openid is a political solution... they won't outsource their user database to another country... absolute lockin is absolute monopoly... the importance is choice. the difference with passport is not so much technical, but business... you had to ask microsoft to implement passport, etc... microsoft guy says LiveID is now 30 seconds to sign up and get it on your site and the goal is single sign-on...
  • what's the solution to SPOF? connecting openid to real world identity? real-world reputation?
  • recycling identifiers?
  • where is SREG/AX going? SREG been around 1.5 years... 9 fields... it's really only for filling forms...
  • what're the main blockers of getting folks to adopt openid?
    • technology, usability, familiarity, security
    • perhaps organizing more events to spread the word/increase familiarity
    • usability seems the biggest barrier
  • fighting spam? yes! with whitelists
