January 2008


This year is starting off with a roll of thunder for OpenID with coverage today from TechCrunch, Ars Technica, Wired and PC World and OpenID positioned as a foundational technology of the DataPortability Workgroup and at the upcoming Social Graph Foo Camp.

With the finalization late last year of the OpenID 2.0 specs (including Attribute Exchange), the OpenID Foundation's approval of the IPR policy and process, and the execution of non-assertion agreements by all the contributors, OpenID 2.0 seems ready for prime time. But is it?

The Tsyrklevich brothers pointed out a number of security issues (pdf) last summer at Black Hat. While the malicious RP issue (Step 4 in the paper) is potentially addressed by the PAPE draft, though ideally it would be addressed in the specification rather than requiring a patch, the other issues have not been addressed.

At the last IIW I hosted a session with Josh Hoyt about what’s next for OpenID (notes here). Besides the security issues mentioned above, here are some other weaknesses of OpenID 2.0:

  • Identifier control: once you start using the identifier, you need to keep control over it forever. Forever is a long time.
  • Performance: the redirects and discovery fetches can be slow.
  • Geeky interface: typing in an OpenID is not very friendly for the average web user.
  • Identifier management: how does the user remember and know their OpenIDs?

So does this mean OpenID is not ready for prime time? I don’t think it is ready to be the all-singing, all-dancing Single Sign On solution for the Internet, but OpenIDs are globally unique identifiers and can be very useful in the Social Graph and Data Portability problem spaces. It is also useful for writing comments, essentially tagging your content with your identifier. Similar to other internet technologies, OpenID will get used in ways that it was not intended, and it will evolve to address issues. Given how the year is starting, it looks like that evolution will have a fast pace this year.