This is what I posted over at Web Worker Daily in response to a great post by Mike Gunderloy, “OpenID: A Contrarian View“.
I have to confess that as closely as I follow and often espouse the value of OpenID, I’m a complete hypocrite as I don’t use it day-to-day. I like OpenID more as a demonstration of what we need than an actual solution to that need. I play with some of the IPs’ offerings, waiting to see if someone is going to offer a secure IP solution with additional security services of real value. That being said, I’ll comment on the three points:
1) I do need “it”, with “it” being defined as simple single sign-on. Today I’m one of those Roboform-aholics using it to fulfill that very real need. However, keeping Roboform or any other thick-client solution synched up across several PCs and my mobile device is not fun. I’d love to have Roboform Online (or equivalent) retaining my full control and with some solid security.
2) I completely agree: a universal solution is a must, and any OpenID IP would be well-served to take into account non-OpenID site support.
3) I don’t trust it, and neither does anyone that’s been paying attention to the plethora of articles, papers and demos. That’s why the predominant use is for non-critical applications. OpenID is an SSO protocol without any security model. That’s fine, just so long as OpenID proponents don’t try to argue otherwise. Security needs to be added either as part of a service offering or at another protocol layer over which OpenID travels.
Phew, nice to get that out in the open! I feel internal hypocrisy levels falling…
