OpenID, a standard for an open, decentralized and domain-independent identity management, was one of the hot new topics at last year's European Identity Conference (EIC). This year, EIC will host a significant number of speakers talking about their implementations of OpenID, amongst them George Fletcher, Chief Architect for Identity Services at AOL. In a recent interview, George gave a first description of his project:
1. How many OpenID accounts has AOL issued? My understanding is that everybody with an AIM account automatically became the proud owner of a new OpenID, so there should be about 63 million already?
- a. The number is actually higher than 63 million. We have hundreds of millions of accounts. Some of them are inactive but active accounts are over 100 million.
2. How does AOL expect to earn money with OpenID?
- a. Right now any monetary gain is of an indirect nature. OpenID provides value to our existing members by allowing them to use an identity they already have at other sites across the internet. OpenID also allows other users to consume AOL services without having to have an AOL LoginID and password.
3. AOL has traditionally been a walled garden – one of many on the Web (take Facebook or most other social networks). Will OpenID change that, and how?
- a. OpenID is just one way that AOL is becoming more open. Most of our content is available on the web for free. Also, we have published many “open” APIs for developers to use to interact with AOL services. For example, we have open APIs for developers to query a user’s Buddy List (under the user’s control/consent of course).
4. The whole idea of OpenId is openness. What if major players like AOL or T-Online force everybody to choose their own special brand of “open” ID – isn’t that counter productive?
- a. Yes, that would be counter-productive. The goal of OpenID is interoperability between OpenID Providers and Relying parties. Any special “branding” reduces that goal. Innovations that provide a better user experience or reduce risk at the OP or RP should be published as extensions so that all interested entities can benefit. It should also be noted that the specification specifically allows for delegation of the OpenID Provider, allowing the user to use any URL they control as their OpenID.
5. Do accept OpenID identities within your products as a relying party?
- a. So far, we only have a couple of services that accept OpenIDs. However, this is an area that AOL is actively pursuing.
6. What are the problems that need to be solved before we get a true cross-platform version of OpenID including billing, etc.?
- a. One issue with OpenID is that it specifically (meaning “on purpose”) does not provide a trust framework. Any “trust” has to be layered on top of OpenID. This doesn’t mean that OpenID can’t be used for billing right now, it just that the relying party assumes all the risk of the transaction because the relying party can’t “trust” the identity just on the statement of the OpenID Provider (OP). Some sort of reputation system or 3rd party asserted attributes would help with this missing trust framework.
7. In understand AOL is working with a white list of controlled OpenID providers. If this a viable model in the long-term and how can we address issues such as fraud?
- a. Our white list is mostly around protecting against “rogue OpenID Providers.” To date I don’t believe we have turned away anyone who has asked to be on the white list. The real issue is risk management at the relying party. There are another ways to manage this risk but it requires back end infrastructure and coordination across products. Our goal is to remove the white list.
- b. Also, within the context of a given deployment, a white-list is perfectly acceptable. For example, if OpenID is being used within an enterprise, the enterprise specific services (relying parties) may require that all supported OpenIDs be from a known OpenID Provider.
8. Do we need “Provider” Reputation services or “fraud” detection infrastructure.
- a. Provider reputation (as well as Relying Party reputation) would significantly help with risk management. This is much more important across the de-centralized internet than within a given, controlled environment.
9. There have been complaints in the blogosphere about broken links and blank screens in conjuction with certain OpenID providers (Plaxo). Are these problems being solved and how serious are they?
- a. I don’t know specifically about Plaxo issues. I do know that we attempt to fix any problems that are reported to our team. I believe there will be larger compatibility issues between OpenID 2.0 and 1.1 than service specific implementations.
10. How “final” are the final specs for OpenID 2.0 and do you plan to support it at AOL?
- a. The OpenID 2.0 specs are final. They have been published and a number of companies have already implemented them. As I stated earlier, we do plan to support OpenID 2.0 in the future.
11. What is AOL’s position on Windows CardSpace?
- a. Cardspace, among other things, is an “Identity Agent” and identity agents are valuable for improving the user experience for consumers. We are evaluating support for both accepting iCards and supporting managed cards. However, timing is dependent on the need of our customers.
12. Some users have accused AOL of “presumption” for automatically issuing them OpenID credentials without their consent. Some already have more than enough OpenIDs with other IDPs and might chose to consolidated on other OpenID IDPs, for instance because they offer multi-protocol support. They resent AOL coming along and complicating their IDP selection process. How do you react?
- a. Well, first. They don’t have to use the OpenID so it should NOT complicate their IDP selection process. If they want to use their AOL OpenID they can, if not they don’t have too.
- b. Second, one of our goals is to allow consumers to use a 3rd party OpenID with an existing AOL account so that they could continue to use their AOL identity with AOL services but login to those services using a 3rd party OpenID.