You don’t want to type in two different userids/passwords for the same item, and no browser is ready to do such a thing, anyway. A solution would have both sites accepting a common id, and the mashup server could verify the id against both original data servers, thus the hope that OpenID (or something like it) could solve this problem in a way your alternative solutions don’t. Not that I know that OpenID can solve the problem, the point is that some kind of authentication service is necessary in order that the Internet can take this next step.

For example, as Scott Kveton points out above, your OpenID is an “index to you” on the public web. That’s a double-edged sword, but it does present an important “I need it” and “I can use it” advantage; with an OpenID consolidating your relationships with sites and providers, you now have a way to aggregate and manage your online reputation. This means that OpenID can serve as the basis for lightweight, efficient reputation and trust decisions that will gain you entry (and by the same token, possibly deny it to you, so you’re accountable — another important feature of the system) to resources quickly and easily based on the information you can supply with your ID.

As far as the trust issue goes, we have in place what we expect to see in an emerging marketplace for a technology like this. Big service providers like Yahoo! and AOL are equipping their users with OpenIDs and providing solid warrants for trusting the integrity of the logins (*as* logins) they verify. Pure play OpenID providers like JanRain (where I work) and Vidoop provide full-featured profile management for OpenID, along with security and communications “extras”. Other providers exist in more informal arrangments; you can spin up your own OpenID provider on your own laptop if you want with minimal effort.

The diversity in this space is a strength, not a weakness. If OpenID defined a military-grade biometric authentication system, or an Experian credit bureau scrub, the costs and logistical demands of the system would keep it from ever getting of the ground. Like PGP, rather than SSL, OpenID is decentralized, and looks to the marketplace for organic “circles of trust” to form naturally, rather than by ordaining “trust roots” that control the hierarchy. That makes things a bit more chaotic in the marketplace, but much healthier in the long run for trust to be managed and delivered at best cost and quality.

I log on to gmail when I open my browser. If I did that with my openid then openid sites would seem much easier to use. With openid in so few places it does seem like a pain every time I use it. And if it was built in to the browser it could just auto log me in.

In general Openid has been on full court press for a while now and is not *needed* in any one place yet. But hopefully the point where openid is easier then 20 different username/password combos is not too far off.

At the very least I feel the best result have come from openid when hard criticism come out about real problems. And while I think It’s real and valid it does mean that the problems can’t be fixed.

With MyOpenId I always sign in with a certificate and not a regular password.

That being said, I’ll comment on the three points:

1) I do need “it” with “it” being defined as simple single signon. Today I’m one of those Roboform-aholics using it to fulfill that very real need. However, keeping Roboform or any other thick client solution synched up across several PCs and my mobile device is not fun. I’d love to have Roboform Online (or equivalent) retaining my full control and with some solid security.

2) I completely agree, a universal solution is a must and any OpenID IP would be well-served to take into account non-OpenID site support.

3) I don’t trust it and neither does anyone that’s been paying attention to the plethora of articles, papers and demos. That’s why the predominant use is to non-critical applications. OpenID is a SSO protocol without any security model. That’s fine, just so long as OpenID proponents don’t try to argue otherwise. Security needs to be added either as part of a service offering or at another protocol layer over which OpenID travels.

Phew, nice to get that out in the open! I feel internal hypocrisy levels falling…

I don’t think that’s a fair characterization of the concerns over this. I am really wary of any solution that could be a single point of failure with wide reaching consequences.

OpenID is like using the same logon and password everywhere, which is a very bad security practice. If your OpenID is compromised (by whatever method you want to imagine) you are pretty well screwed.

I can see OpenID being used for low-value accounts like blog comments and the like, but I don’t think it will ever become mainstream in high-value and/or financial transactions.