Google Removes OpenID Whitelist RequirementBy Josh Catone
A day after announcing their support for OpenID, Google has decided to back off on the requirement that relying parties first get approval from Google to accept OpenIDs originating from Gmail. Google says the reason they’re lifting the requirement is that more sites than they could handle applied for API access.
Google’s Eric Sachs explains in a blog post what this means for consumers:
That registration requirement also led to some confusion because users wanted to be able to use existing websites that accept OpenID 2.0 compliant logins by simply entering “gmail.com” (or in some cases their full E-mail address) into the login boxes on those websites. Normally what would happen after a user typed gmail.com is that the relying party website would look for a special type of file (XRDS) on the gmail.com servers that would check if Gmail run an OpenID identity provider. For yesterday’s launch, we specifically chose not to publish that special XRDS file on gmail.com because if we had published the file, users would have received an error at Google if the website they were trying to log into had not registered with us. Now that we have removed the registration requirement, we will work on pushing that XRDS file as quickly as possible. Once the XRDS file is live, end-users should be able to use the service by typing gmail.com in the OpenID field of any login box that supports OpenID 2.0, similar to how Yahoo users can type yahoo.com or their Yahoo E-mail address. (In the meantime, if you feel really geeky, you can type “https://www.google.com/accounts/o8/id” into an OpenID 2.0 compliant login box and see the directed identity workflow in action.)
Google also addressed the issue of when and if they’ll become a relying party. The reason they haven’t, says Sachs, is a technical issue. That problem, he says, is that rich-client apps would break if Google supported federated login for consumer users because the idea of a username and password is hard coded into those desktop and mobile apps. That’s exactly what already happens today, he says, for enterprise email customers that use their own identity provider and for which Google is a relying party.
Sachs says Google is working on the problem, but falls short of promising that Google will become a relying party (or talking about a timeline for that to happen).
One of our readers, Deron Meranda, provided some interesting ideas on other reasons why a large provider of OpenIDs such as Google or Yahoo! might not want to be a relying party in a comment yesterday. An excerpted version is below:
If one of their email accounts gets hacked; they may have some legal liability, or at least bad PR to content with. It’s bad enough when Yahoo! gets a lot of bad press when [US Governor Sarah] Palin’s account was cracked; imagine what would happen if a third-party OP was also in the mix. Yahoo! would still get all the bad attention, but the breach wouldn’t even be their fault or under their control.
Also, the big guys are, hopefully, much more security savy [sic] than smaller sites. They have the capacity to correctly and securely manage logins, encrypt passwords, deal with password recovery, protecting against bot accounts, and so on. Also they can tend to be a little more protective over user’s privacy (or at least have more money and layers); sure it’s not perfect, but Google is going to resist pretty hard when some company says it needs the name of the user for an account; without some sort of legal warrant. I’m not sure all the smaller OPs out there are as “secure” or trustworthy, so the big players should be concerned that this could jeopardize it’s user’s privacy when it outsources authentication to another party.
This is not to say that we shouldn’t pressure them to become RPs as well, but we should appreciate that there are some special circumstances for them that need some careful thought. I think some of that is just a matter of time, allowing OpenID to mature more.
Also, unless you are one of the few big players (Google, Yahoo!), then you should be an RP. The arguments for being an OP only is not nearly as defensible.
In other words: it’s politics.
Whatever the reason, I’ll still stand by my assertion that OpenID won’t work, and won’t be an easy sell for consumers, until they can truly trust that their ID will work as a login everywhere, regardless of who their provider is. The attempts by Yahoo! and Google to obfuscate the OpenID brand by encouraging developers to add “Sign in with Yahoo!/Google” buttons are also not helpful. Hopefully, though, the big three really do want to become relying parties, rather than control a branded universal identity experience. This is one thing I would love to be wrong about.