Feel free to disagree with me, especially on security. I am not a security expert, so some would say I have no business talking about it. The reason I leave comments open, is so I can hear various opinions. You never know who you are going to learn from on any given day.

It is good to hear that everyone involved is thinking about OpenID, OAuth and the connection between the two. The whole security space is still very tech/geek, and I am trying to think about it from the user perspective to see how far we really are.

I also agree with Rob that delegation can be made easier. Delegatid.com is a great service. Though there just have to be some plugins for blogging platforms and it will be even greater.

And yes, delegation usually works only for people who run blogs and other websites themselves. Services like DandyID may help here. The DandyID profile URL can be delegated to an OpenID provider. But then, signing up for another service only for delegation is probably not a viable solution.

Carsten is right about associating multiple identifiers with a single remote account, though that can be tedious. If a site allows you to sign in with OpenID and then requires you (or gives you the option) to associate a verified email to your account, they’re already set up for allowing you to have backups for accessing your account.

I’m going to blog about the OAuth and OpenID situation. While you raise a good observation (essentially: “why can’t we all just get along?”) the issue is both more complicated and more nuanced than just merging the protocols.

On one level, the two protocols have different legal agreements associated with them; on another, they serve as better compliments than as a monolithic protocol. That isn’t to say that they won’t grow closer together over time — only that there are reasons why we have two protocols today instead of one. The Google Hybrid stuff is definitely promising though, and is probably the necessary in-between step towards getting to what you’re talking about.

Your comment makes sense, but the fact that it makes your head hurt points to the general complexity of the idea. I am thinking in terms of end users, not really the readers of this blog who are likely very technical.

I like the delegation, but there would likely need to be some sort of automation or something to make it easy for normal people.

The hard part there is finding a place to store your delegating OpenID. If you’re using delegation as a failsafe mechanism you’d want the displayed OpenID to be somewhere even more reliable than the places you’re delegating to. Once you take that step, why not just use the primary as your OpenID instead of delegating?

Man, that comment made my head hurt, I hope it makes sense on the page.

I rarely expect any sites to allow more than one identity for an account. I am sure there are some, but most of the time it seems to be a one-to-one relationship. It is an interesting idea though.

I like the delegation idea, but I think that will be beyond most people. I am thinking about the non-tech masses that use some of these sites. Most of them would have no idea how to do the delegation, even with instructions. I had not heard about the hybrid model for OpenID and OAuth. I will have to take a look.