December 23, 2008

The apples and oranges of Shibboleth and OpenID

The JISC-funded Review of OpenID was recently made available, announced in a blog post by James Farnhill and resulting in quite a long thread of discussion on the jisc-shibboleth@jiscmail.ac.uk mailing list.

The report is not exactly my cup of tea. I can't find much fault with the individual words (I'll leave my detailed comments on James' blog post); my problem is more with the overall tone. The trouble is that it inevitably ends up comparing OpenID against the Shibboleth / UK Federation, which is not comparing like with like - one is a bare technology, the other a technology delivered in the context of a set of national policies.

As I suggested (implicitly) in the follow-up discussion, a fairer comparison would be to consider what an OpenID-based UK Federation might look like - white-listing trusted (institutional) OpenID Providers and mandating the use of SSL as appropriate to build a reasonable(?) trust infrastructure on top of OpenID rather than Shibboleth.
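To make the white-listing idea above concrete, here is an added Relying Party-side check (not code from the post, the report, or any OpenID library) that only accepts an OpenID Provider endpoint if it is served over HTTPS and its hostname is on a federation-maintained allow-list; the institutional hostnames are constructed placeholders and the function name is hypothetical.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Constructed allow-list of institutional OP hostnames (placeholders, not real
# institutions). A federation would publish and maintain a list like this.
TRUSTED_OP_HOSTS = {
    "openid.example-university.ac.uk",
    "idp.another-college.ac.uk",
}


def op_endpoint_is_trusted(endpoint_url: str,
                           trusted_hosts=TRUSTED_OP_HOSTS) -> Tuple[bool, str]:
    """Decide whether a discovered OP endpoint may be used by the RP.

    Returns (accepted, reason). The checks are deliberately strict because a
    sloppy match (e.g. substring search on the URL) lets an untrusted OP through:
      - scheme must be https (the SSL mandate from the proposal)
      - no userinfo part, so 'trusted-host@untrusted-host' is rejected
      - hostname compared exactly and case-insensitively against the allow-list
      - only the default port is accepted, so 'host:8443' is not silently trusted
    """
    try:
        parts = urlsplit(endpoint_url)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False, "unparseable URL or port"
    if parts.scheme.lower() != "https":
        return False, "scheme %r is not https" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "userinfo component not allowed"
    host = parts.hostname  # lower-cased by urlsplit; None if absent
    if not host:
        return False, "missing host"
    if port not in (None, 443):
        return False, "non-default port %d" % port
    if host not in trusted_hosts:
        return False, "host %r is not a white-listed OP" % host
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample endpoints: the first should pass, the rest should fail.
    for url in ("https://openid.example-university.ac.uk/server",
                "http://openid.example-university.ac.uk/server",
                "https://openid.example-university.ac.uk@evil.example/server",
                "https://evil.example/?return=openid.example-university.ac.uk"):
        print(url, "->", op_endpoint_is_trusted(url))
```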

Those who see OpenID as an all-or-nothing 'open' solution responded that such an approach wouldn't work.  Or as the report puts it:

... because "the OpenID technology is not proprietary and is completely free" then users, OPs and SPs will expect that all OpenID providers are equal and can be used interchangeably.

I couldn't disagree more.  That's like suggesting that all email providers are seen as equal.  It seems almost inevitable to me that some OPs will emerge as being more trusted than others, either explicitly through the creation of federation-like initiatives or as they naturally emerge out of the Internet soup.

In his response to the blog post, Brian Kissel notes that:

the OpenID Foundation would welcome participation, input, and recommendations from JISC on how OpenID could evolve to meet your needs.

This is helpful.  For me, I'd like to see more discussion around trust issues and how we might sensibly begin to layer trust networks around the use of OpenID in areas such as higher education.

Final comment... I love (not!) the apparent quote from the survey of attitudes to OpenID by computing service staff:

why would the University put in effort to make it easier for students to access other people's [non-academic] resources?

Good grief... with attitudes like that it's hardly surprising that users are moving to external service providers :-(
