Big Boys and OpenID

TechCrunch wrote an article asking if the Big Boys were exploiting OpenID. The crux of the argument was that they are providing OpenIDs, but are not accepting them. In other words, they are an OpenID Provider, but not a Relying Party. John McCrea echoes what Michael said, and Jason Kolb and David Recordon also wrote posts — and I agree that it is great that the Big Boys have joined in — but I think it is unfair of Michael and John to expect them to be Relying Parties.

Google's Blogger does take OpenIDs for comments, which, as I have stated in the past, is a good use of OpenID. But OpenID still has a ways to go before you can trust it for secure sign on. I would not want to use it for accessing my Yahoo or Gmail accounts.

Having said that, there are two things to hold the Big Boys' feet to the fire:

  1. Support Attribute Exchange: Single sign on is nice, but browsers will remember your password for you. (Sxipper does it really well of course!) Filling in forms and keeping your information up to date on servers would be really useful. This goes against the grain of the Big Boys as it makes it easier for users to register on sites other than their own — but it is a real benefit to the user and lowers the registration friction — and it would show that they really want to help the user as opposed to just deepening the silo.
  2. Advance the OpenID Technology: There are valid reasons for not being an RP for sensitive sites, but we need to advance the technology to overcome them. The Big Boys can direct some of their bright talent to working with the community in general to overcome these issues.

Today Microsoft, Yahoo, IBM, VeriSign, and Google have joined the OpenID Foundation as corporate board members. This is big news for OpenID. With Yahoo and Google becoming OpenID Providers earlier this year, this is really shaping up to be the year of OpenID.

First coverage I see of the announcement is at CNN Money. That’s funny.

Updated 6:57AM

Mike Jones from Microsoft blogged about it here. Interesting to see the press release up at Microsoft’s PressPass with a quote from Google. :-)

This year is starting off with a roll of thunder for OpenID with coverage today from TechCrunch, Ars Technica, Wired and PC World and OpenID positioned as a foundational technology of the DataPortability Workgroup and at the upcoming Social Graph Foo Camp.

With the finalization late last year of the OpenID 2.0 specs (including Attribute Exchange), the OpenID Foundation approval of the IPR policy and process, and execution of non-assertion agreements by all the contributors, OpenID 2.0 seems ready for prime time. But is it?

The Tsyrklevich brothers pointed out a number of security issues (pdf) last summer at Black Hat. While the malicious RP issue (Step 4 in the paper) is potentially addressed by the PAPE draft — ideally it would be addressed in the specification rather than requiring a patch — the other issues have not been addressed.

At the last IIW I hosted a session with Josh Hoyt about what’s next for OpenID (notes here). Besides the security issues mentioned above, here are some other weaknesses of OpenID 2.0:

  • Identifier control: once you start using the identifier, you need to keep control over it forever. Forever is a long time.
  • Performance: the redirects and discovery fetches can be slow.
  • Geeky interface: typing in an OpenID is not very friendly for the average web user.
  • Identifier Management: how does the user remember and know their OpenIDs?

So does this mean OpenID is not ready for prime time? I don’t think it is ready to be the all-singing, all-dancing Single Sign On solution for the Internet, but OpenIDs are a globally unique identifier and can be very useful in the Social Graph and Data Portability problem spaces. It is also useful for writing comments, essentially tagging your content with your identifier. Similar to other internet technologies, OpenID will get used in ways that it was not intended, and it will evolve to address issues. Given how the year is starting, it looks like that evolution will have a fast pace this year.
