When Sun issued OpenID to its employees, it stated that this will help those companies that give employee discount can use Sun issued OpenID as a means to verify employment status. Surely those companies will decide which OPs to accept. We can force them to accept all OpenIDs. If we insist to RPs that it is all or nothing, then I assure you that many RPs will walk away. As it is, RPs are sharing some strategic info with OPs – OPs are in a position to size the traffic to the site.

It is not clear why Facebook is using OpenID. But I can suggest one use. Socnets are required by AGs to protect minors. A socnet targeted for school children can comply by requiring OpenIDs issued by schools and no one else. Will we prohibit such a use of OpenID? Is this RP misusing it?

Let me conclude by quoting an exchange I had with Brian Kissel, Chairman of OpenID Foundation (in OpenID group in LinkedIN):
me: I am a strong supporter of OpenID. In a web application that I have developed, we accept only OpenID. But I take issue with a common position advocated by many in the OpenID community – one of the fundamental benefits of OpenID is SSO and that it simplifies registration procedure. I want people to realize that RPs can and will decide which OpenIDs they will accpet and that for legal or other reasons RP may ask for certain information even if OPs can provide them.

I think we as a community should impress on OPs that they should add material value to the identification. Currently almost all of the OPs are “permissive” with no membership criteria. On the other hand, consider schools to be OPs. Then Myspace or Facebook can use OpenID to enforce age related policies. Attorneys General can force them to use school issued OpenIDs.

Instead of Demand OpenID list (which is forcing the hands of RPs), we should be demanding OPs to add verification of some aspect of OpenID holders that will be difficult or expensive for RPs to do. This verification could be the revenue model as well.

Brian: Absolutely, each RP has complete control over which OPs they choose to accept, even as end users get to choose which OPs they want to use. Your input on what features and services you want from an OP will be helpful contribution to this forum.

Because that mentality defeats the whole purpose of OpenID. It wasn’t created to merely be an authentication protocol…those are a dime a dozen. It’s strengths came from the idea that it could be used as a single digital identity which benefits the users, it would have low cost of operation (simplified implementation, security, authentication) which benefits companies/site owners, and a single company could not cause its downfall by misusing it. If everyone acted as the major companies have so far, it doesn’t work as a single identity because each site still requires you to create a login for their site. What’s the point in having all identity providers and no identity consumers?

And second, Facebook has always been very keen on keeping their “walled garden” of user information (see Facebook Apps, Beacon, etc.), so what makes them so eager to adopt OpenID, especially when it directly competes with their proprietary ID service trying to be universally adopted, Facebook Connect? I don’t get their motivation for allowing OpenID logins, but it isn’t very believable that they’re doing it simply as a gesture of their openness. And if it’s not going to drive much new traffic as suggested in this article, why bother?