You know what's not good for adoption? Having to go to 20 different developer portals. Trying to figure out how to create an OAuth application in 20 different ways. Verifying your domain in 20 different ways. Agreeing to 20 different terms of service.
I think the last could be addressed by giving both parties a standardized way of automatically exchanging ToS points for agree/reject testing.
I know that the OpenID Connect proposal mentions an association step, but if all the major providers wind up requiring preregistration, it is a moot point. My gut is that using OAuth as the base will be very good for a few players, and bad for identity on the whole.
This sounds about right to me. Giving them the power to break internet identity at large by suddenly shutting everyone else out may seem like a good short-term plan, but it's far too risky to assume that their motivations will not change in the future. OpenID needs to be a protocol that is *not* vulnerable to being shut down at any time by the collaboration of several "major players".
-Shade _______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
