About This Blog

Nathan's interests include open source, open web protocols, and programming languages.

Nathan co-founded Intrigo, a software development house in Portland that develops web applications that power startup companies.

6 June 2008 - 11:38

Make OpenID go away.

There seems to be broad consensus among both OpenID supporters and detractors: OpenID is confusing to use, and for it to have any hope of success it needs to find ways to fade into the background.

Agreed. Here’s how I would do it: put it in the browser.

Screenshot of an 'allow id' bar in Firefox

Click ‘Allow’ and an OpenID login session occurs in the background. The browser would presumably ask the user to log in to their OpenID Provider at the beginning of their browsing session.

I’ve come up with a small list of things that would need to change in order for this to be technically viable. There are probably more. Whether or not this is a good solution is open for debate and my intention is to provoke some discussion.

Here are a few things a hypothetical implementor would need to do:

1) The browser would need to know your OpenID URL and who your identity provider is. Extensions like Verisign’s OpenID SeatBelt do this very well already.

2) Relying Parties need to broadcast the fact that they are Relying Parties, probably through an XRDS document. Likewise, the browser would need to auto-discover OpenID Relying Parties’ XRDS documents.

3) OpenID Providers would ideally provide a programmatic way for the browser to add domains to their users’ trust pools. This is not strictly necessary, but not doing so means additional steps when a user logs in to a domain for the first time, and the whole point is to get rid of those steps.
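A sketch of the check behind step 2, added here as an example and not code from the original post: it parses a Relying Party's XRDS for the OpenID 2.0 `return_to` service type and decides whether the browser should show the 'Allow' bar. The host `shop.example`, the function names, and the policy (HTTPS page whose own origin is among the advertised return URLs) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "{xri://$xrd*($v*2.0)}"  # XRD 2.0 namespace used inside XRDS documents
RETURN_TO = "http://specs.openid.net/auth/2.0/return_to"  # OpenID 2.0 RP service type

# Constructed sample: the XRDS a Relying Party at shop.example might publish.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>https://shop.example/openid/return</URI>
      <URI>https://elsewhere.example/return</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def return_to_urls(xrds_text):
    """Return the return_to URIs a Relying Party advertises in its XRDS."""
    # The document comes from an untrusted site: refuse DTDs so entity
    # expansion never reaches the parser.
    if "<!DOCTYPE" in xrds_text or "<!ENTITY" in xrds_text:
        raise ValueError("DTD not allowed in XRDS")
    root = ET.fromstring(xrds_text.encode("utf-8"))
    urls = []
    for service in root.iter(XRD_NS + "Service"):
        types = [t.text.strip() for t in service.findall(XRD_NS + "Type") if t.text]
        if RETURN_TO in types:
            urls += [u.text.strip() for u in service.findall(XRD_NS + "URI") if u.text]
    return urls


def _origin(url):
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port or 443)


def should_offer_login(page_url, xrds_text):
    """Hypothetical browser policy: offer the bar only for an HTTPS page
    whose own origin appears among the advertised return_to URIs."""
    if urlsplit(page_url).scheme != "https":
        return False
    return any(_origin(u) == _origin(page_url) for u in return_to_urls(xrds_text))
```

With this policy, a page that merely serves or copies another site's XRDS does not get the bar, because none of the advertised return URLs share its origin.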

I have an additional theory: the infrastructure required to make it technically feasible to put OpenID in the browser is the same infrastructure that would make it feasible for single sign on to be easily used on a mobile device.

Thoughts?
