@John, I am afraid that you are right in your prediction regarding large OPs. Well meaning efforts to improve UX with “NASCAR style buttons” favoring large OPs stacks the deck against some of the fundamental aspects of OpenID that attracted me in the first place.

It makes it slightly harder for people to correlate but it doesn’t stop correlation. That was never part of the delegation use case.

To avoid correlation you need totally separate openIDs or better pairwise identifiers as Will has described.

Delegation supports some measure of OP independence if you control your URI. It also allows for a measure of OP redundancy/fault tolerance at RP’s that properly support XRDS.

I suspect delegation will become a smaller percentage of logins as the large OPs start taking more of the market. I would be happy to be wrong about that.

John B.

You mention using delegation to address your desire for multiple personas. Sure, that can certainly work… you could maintain multiple OpenIDs that each delegate to an OpenID provider, perhaps different ones. Delegation is outside the scope of this article however, since my goal was to differentiate between “directed identity” and “identifier select”. It is worth noting, however, that delegation is not possible with identifier select… perhaps a good topic for another post.

OpenID should be working now… seems the good folks at Joyent decided it would be a good idea to remove curl’s ca cert bundle all together. I had actually noticed this a few weeks ago, just forgot to fix it with the WordPress plugin. Should hopefully be okay now.

edit: well, it worked with MyOpenID… guess there’s still something wrong with Yahoo!. I’ll get it sorted out.

I expect many of the large OPs to be supporting Pairwise identifiers in the September timeframe.

Good post.

John B.