Significant website now accepts OpenID! It just so happens to be Sourceforge, the bastion of open source software projects.

It’s about time someone big started accepting OpenID for authentication, instead of just dishing out OpenIDs and acting oh so cool about it.

The blogosphere is abuzz this morning about the great news for OpenID - Yahoo! is now supporting the single user sign-on process. Kinda.

While you can read the grand headlines at CNet, Mashable, or TechCrunch, cutting to the chase is what’s happening here.

This is a pyrrhic victory for OpenID. Yahoo! is now allowing you to use your Yahoo! ID as an OpenID, but they aren’t ACCEPTING OpenID to log in to their site. Acceptance as a relaying party is where the bottleneck is - something Yahoo! themselves mistakenly aluded to on their own OpenID page:

OpenID is an open technology standard that solves all of these problems. The OpenID technology will allow you to use your Yahoo! account to sign in to hundreds of web sites! And this list is growing every day…

Nice. There were at least 120,000,000 million OpenIDs in existence, including those served up by AOL, MyOpenID, ClaimID etc., and now there are something like 370,000,000 with the inclusion of Yahoo! IDs. And there are hundreds of websites you can use it on? I’d hardly call this “finally reaching critical mass.”

Technical reasoning

I’ve heard a number of reasons why OpenID has had such a difficult time, but the biggest has surely been technical. It’s justified (coming from experience), and then not.

Getting your website to accept OpenID can be a bit of a chore. If you’re a blogger, your primarily reliant on the work of smart developers in the open source community. They produce the plug-in for, say Wordpress, and you download and install. If you are running a platform that isn’t getting much attention, you have to pull source from the libraries and try implementing it yourself - the same goes for any website you are running not using some “preferred platform.” And there are always associated problems to deal with - even though I prodded one outstanding developer to update a plug-in so I could accept OpenID comments on this blog, I’ve got database problems which I’m too busy (aka lazy) to fix so I can.

Conversely, putting up a simple OpenID provider is not too difficult a task. You can install a copy of Wordpress MU and add the OpenID plugin. You can grab a copy of Drupal which has most of the components built into the core. Or you can just pick up some free standalone server code and spend a few more hours tweaking it yourself. You don’t yet have a critical mass of users, but you do have a functioning system.

Boiling down misaligned incentives

It seems there is little or no incentive to accept OpenID, or I’m going to have to weigh some risks - and it is difficult to execute. Meanwhile, there are plenty of reasons to hand out IDs, and I can have a server up within hours.

Bottom line

Why aren’t the megaliths tripping over themselves to integrate relaying agents? The answer is simple - data. Offering OpenID on a provider-only basis could be a boon for sites - they have all the information associated with your use of their service, and can grab tidbits on your use of other websites. It presents the perfect opportunity for someone like Yahoo! to gather “social graph” information on its users without the cost associated with building (or buying) another Facebook. If you were allowed to use your third-party (or self-managed) OpenID on their site, you’d have no incentive to maintain your Yahoo! ID and Yahoo! would potentially lose two sources of information.

What’s needed

Acceptance is still the big issue. If millions of sites allowed OpenID, the authentication process could solve a lot of problems - it isn’t happening because there are few if any incentives to accept it. There has to be a tangible benefit for those allowing OpenIDs in (and please don’t say “but you’ll get more comments” - that’s like saying you’ll get more spam). I’m now beginning to believe that OpenID is also going to need choice, in the form of millions of OpenID providers. A dozen or so significant providers controlling hundreds of millions of accounts isn’t going to cut it. Unless of course it’s renamed OligarchyID.

UPDATE: Marshall Kirkpatrick says don’t throw a party just yet. Pay attention to the points about extension of provider brands versus extension of the OpenID brand.

UPDATE 2: Information Week yawns, and a press release confirms what Marshall Kirkpatrick inferred: this is about Yahoo! ID, not OpenID.

UPDATE 3: Yahoo! could have done much better here for sure. Maybe they should break themselves up before they bring their partners down with them?

I wouldn’t have used “finally” here. Rome wasn’t built in a day.

On a side note, ye ole WP-OpenID+ plug-in bounty was closed a while back. Despite the enormous interest (less most of the interest), Will Norris completed the project himself. You can find the Wordpress plug-in here - Will has provided a link to fixed repositories, in case you are part of the “can I smoke SVN?” crowd.

Having 2,000 feed items stuffed in one’s reader when returning from even the shortest vacation has me thinking about how to put said reader on vacation as well.

• MySpace and Facebook apps suck. That’s not what they really said, but The Silicon Alley Insider did point out how little they might really be worth. I’ve got no experience with MySpace apps, and my only brush with Facebook apps was getting some notification that a friend had installed one and I should do the same. My first impression - I’m getting spammed (and others share that feeling). I would never react to such a notice again, even if I was an active Facebook user. Hence, they are worthless to me too (or maybe I’m just worthless to marketers). Also of note: based on their numbers Facebook should be worth something in the neighborhood of $850 million.
• The New York Times infers that things are getting overheated in Silicon Valley. I disagree - I think a lot more bets are being placed on a lot more companies, and I suspect those bets are generally a lot smaller than post-Bubble 1.0. There may be a lot of duplication of effort going on, but the best execution in each category is going to turn out a winner. The money is just trying to find each of those winners. Meanwhile, TechDirt had its take on the Dallas Cowboys backing out of a domain purchase, but I says its a simple matter of the rest of the world not paying much attention to the chaos.
• Commodities traders are in short supply. As a general rule, the commodities business also retains far fewer numbers than its big sister on the securities end. I think the actual registered headcount via the CFTC is less than 200K, while the NASD numbers hover around 800K. Someone throw me a bone on those numbers (and if anyone needs a Series 3/30, drop me a line).
• OpenID gets a victory in the fight against phishing, as well as some competition. I think the first part is great - now the challenge is getting anyone and everyone to embrace Information Cards. On the latter, I’m going to bet it’s a non-starter - too little, too late. Despite being widely embraced, even OpenID is having slow goings regarding consumption (both in systems and people). More power to SlashID if they can be more effective on that end, but I’m skeptical.
• After consuming this, I dropped TechMeme from my reading list. I guess I can just read each of these every morning from here on out. That, by the way, is a joke.
• Seems that debt problems extend beyond the government, those bought out, and even mortgagees. I thought much of the last year’s rally was purely cash-driven, but I guess I was wrong. Personally, I only use my margin account for short selling.

I think that covers last week.

Couldn’t have said it any better myself:

As of today Bloglines users can use their Bloglines login info to sign in to other sites that support OpenID login. This is good news, but more than a bit underwhelming at the same time. Big companies can announce all day long that they will now let you log in to other sites with their ID - it’s time for them to support OpenID login on their own site using credentials from other vendors.

Now, ask yourself why this seems so often the case.

Now if we can figure out where the user fits in.

Who, What, Why

After Facebook’s spring pronouncement that applications “get in but they don’t get out,” chatter about ubiquitous usernames and friends lists in a brown paper sack took on new meaning. Almost immediately, the talk on the web (including here) was OpenID this, social network portability that. The fight to pick vine ripe tomatoes from the walled garden was taking shape. But Google just showed up with a wrecking ball and a reaper. They’ve decided to chase the social graph (or social network…whatever). Maybe “chase” is too mild a term - according to some, they already have the components - all they are doing now is providing tools to release the information into the wild.

There was a lot of chatter over the weekend about this. I’ll highlight…

Conclusions? No.

It’s obvious there’s going to be a lot more talk about this. Anyone drawing conclusions now is drawing them prematurely. I suggest waiting (and listening) before you decide to export all your Gmail.

The title is a complex way of saying: give me the power to transfer data between sites I use, with the help of OpenID. There are other initiatives being worked on along the same lines, including OAuth.

OpenID, TAS, OAuth…FOAF, SNAP, etc. etc. Fun times.

PS: As data portability goes, the Social Network Portability Google Group may also be of interest to some.

Stefan Brands of Credentica took the time last week to attack some of the weaknesses in OpenID security. David Recordon of Verisign Six Apart responded in kind. Media critique/political statement notwithstanding, Recordon effectively pointed out that the majority of Stefan’s references were actually working with OpenID, the goal being interoperability and/or supplemental security. David then questioned why Brands/Credentica were not joining the party.

I found Mr. Brands’s arguments a bit messy, and if I was an investor in Credentica I’d be asking the same question.

UPDATE: Kim Cameron chimes in …”The main problem is simply that it misses the whole point about why OpenID is of interest.“

Just a couple of points on OpenID security - may be redundant to those who have already thought through this stuff.

And yes, I’m fishing tomorrow - rain, shine, or Class 5 wading conditions

It’s been a great week for being open…

Dare Obasanjo started things off with A Proposal for Social Network Interoperability via OpenID, but expresses skepticism as to whether business interests will ever allow it to get off the ground (h/t to Kim Cameron - and Mr. Cameron digs a bit into the business issues here). My guess is someone is going to do it whether others like it or not.

But, while OpenID can be spread ubiquitously - and under the control of many versus a few - it’s bewildering from a consumer standpoint (h/t to Simon Willison). I too think this is a major hurdle. When the first truly whizbang app hits the market, everyone is going to rave - but I say grandma still won’t be able to figure it out. In addition, there’s fact that while there may be a lot of OpenID available for serving, there’s still not a lot of consuming. More OpenID consumers (i.e. sites that accept it) will be the leading force in education and understanding of its benefits. Some are doing their part towards that end, including a bit with the Wordpress plug-in (and I’ll have more for you on that in the weeks to come), but more effort is still needed.

Next, Kevin Fox of JanRain discussed interoperability and whitelisting (including but not limited to AOL’s practice of it). Whitelisting is a necessary evil in a world where technology is so easily deployed. The cheaper it is to get up, the more people are going to use it for “alternative” means. AOL, by the way, is no stranger to exacting tolls for access to their network, but in this case I don’t think they’ll try it - there’s just not enough at AOL worth paying for right now, and it’s just too easy to switch OpenID authentication providers without giving up one’s “identity.”

Brad Fitzgerald and David Recordon wound up the week publishing their thoughts on the application of open identity systems to social networks, with a view towards portability of profiles, including friends data. Again, larger social networks (say “big business”) are probably not going to be agreeable to this, but a lot of smaller networks, including those being built on OpenID Code Bounty winner Drupal, will jump on it. Pete Cashmore agrees, and added that he and his crew will be following the efforts closely.

All that, just this week. I don’t think saying these concepts are “picking up steam” is doing them justice anymore.