Tuesday, April 06, 2010

OpenID Issues List

Yesterday at the OpenID Summit a number of companies presented on the issues they have experienced with evaluating and/or deploying OpenID. Here is my summarized list in no particular order.
  • Value Proposition is not always clear
    • Authentication isn't enough, need identity attributes (AuthN + AuthZ)
    • The more marketable attributes the better
    • Need a standard "profile" object with "trusted/verified" attributes
    • Data sharing when the user is not present
    • No clear way to push back activity into the user's activity stream
  • Usability
    • Users don't know their OpenID, use email addresses instead
    • Depending on the site requirements, the user may still have a registration to go through (e.g. site must collect age/gender/zip)
    • First time experience is different at each site
    • Customer care is difficult because the user likely doesn't know their OpenID (OpenID 2.0 IDs are often machine generated)
    • User confusion over the logout experience
      • Local logout just from the site
      • Global logout from all sites
    • User confusion over the login experience
      • Every pop-up UI is different
      • Should the user "link" their OpenID to their existing account at the RP?
      • Should the user create a new account at the RP based on their OpenID?
    • OpenID and OAuth both have "login events" but they mean different things
  • Better non-browser support
    • Devices (e.g. Netflix, Xbox, Zune, etc.)
    • Mobile devices (lose 70% of population in Japan if OpenID doesn't support mobile)
    • Rich client applications
  • Trust / Certification
    • How does the RP know it can trust the OP to securely authenticate the user?
    • How does the OP know it can trust the RP with the identity attributes shared?
  • Security and Levels of Assurance
    • Need an independent security review by an expert
    • Cannot meet higher levels of assurance than LoA1 without protocol changes
    • Need an attribute profile to meet LoA2 requirements
  • E-Commerce
    • Who is liable/responsible if the user can't log in to their paid service because their OP is down?
    • How does OpenID make the check-out process better or more streamlined?
    • More e-commerce related attributes (e.g. billing/shipping address)
    • Portable reputation
    • Users want privacy to control what attributes/info is shared with the merchants
  • Interoperability
    • Need better / automated testing tools for core libraries and services
    • OPs have to tweak their implementation for specific RPs
    • RPs have to tweak their implementation for specific OPs
    • URL length can cause problems for some implementations
    • No way to move a 1.1 HTTP OpenID to a secure HTTPS one
    • Inconsistent implementations of Attribute Exchange
  • Ease of Adoption
    • Not easy to set up based on existing libraries
    • No simple JS library that enables OpenID without server development
    • OpenID + OAuth hybrid has too many secrets
  • Privacy
    • Must protect the user's rights
    • Needs to be under the user's control
    • Activities need to be un-correlatable (if that's what the user wishes)
    • Can't share email if maintaining the no correlation privacy constraint (Contact service?)
    • User must have access to their settings and activities at each site
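The two privacy points above (activities should be un-correlatable across sites, and sharing the email breaks that constraint) come down to one mechanism: the OP hands each RP a different, stable identifier for the same user, and only releases a global attribute like email when the user opts in. The following is an added illustration, not code from the post or from any OpenID library; the issuer URL, the secret and the user data are constructed for the example, and the HMAC-over-(RP host, local user id) derivation is one common way to build such pairwise identifiers.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed values for this example; a real OP would keep the secret in an
# HSM/KMS, rotate it carefully (rotation changes every identifier), and use its
# own issuer URL.
OP_ISSUER = "https://op.example/"
OP_PAIRWISE_SECRET = b"constructed-example-secret-rotate-in-production"


def rp_sector(realm: str) -> str:
    """Reduce an RP realm to the host that identifies it, so that
    https://shop.example/ and https://shop.example/checkout get one identifier."""
    host = urlparse(realm).hostname
    if not host:
        raise ValueError(f"realm has no host: {realm!r}")
    return host.lower()


def pairwise_identifier(local_user_id: str, realm: str,
                        secret: bytes = OP_PAIRWISE_SECRET) -> str:
    """Derive a per-RP identifier as HMAC-SHA256 over (sector, local user id).

    Without the OP's secret, two RPs cannot tell whether their identifiers
    belong to the same user, which is what the un-correlatability point asks for.
    The NUL separator keeps (sector, user id) pairs from colliding by concatenation.
    """
    sector = rp_sector(realm)
    mac = hmac.new(secret, f"{sector}\x00{local_user_id}".encode(),
                   hashlib.sha256).hexdigest()
    # Machine-generated, URL-shaped identifier in the style of OpenID 2.0 OPs.
    return f"{OP_ISSUER}id/{mac[:32]}"


def assertion_for(local_user_id: str, email: str, realm: str,
                  share_email: bool) -> dict:
    """Attributes the OP would release to one RP.

    Releasing the email re-introduces a handle that every RP sees identically,
    so it must be an explicit, per-RP user choice rather than a default.
    """
    claims = {"identity": pairwise_identifier(local_user_id, realm)}
    if share_email:
        claims["email"] = email
    return claims


def shares_a_handle(a: dict, b: dict) -> bool:
    """True if two assertions carry any identical attribute value, i.e. the two
    RPs could join their user records on it."""
    return any(hmac.compare_digest(a[k], b[k]) for k in a.keys() & b.keys())


if __name__ == "__main__":
    shop = assertion_for("alice", "alice@mail.example", "https://shop.example/", False)
    news = assertion_for("alice", "alice@mail.example", "https://news.example/", False)
    print(shop, news, "correlatable:", shares_a_handle(shop, news))
```

The `shares_a_handle` check is the test an OP can run on its own attribute-release policy: if two RPs end up with any common value for the same user, the "no correlation" promise to that user is already broken, whatever the identifier scheme does.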

I'm sure I've missed some so please feel free to add to the list.

1 comment:

amw said...

This is quite the list... To what degree do you think OpenID Connect corrects these issues? Mostly interested in higher LoA and trust in the OP.

thx, Mike
codetechnology.ca