"For these organizations," Google Security Product Manager Eric Sachs wrote on the public OpenID Board mailing list this morning, "Google Apps can now become an identity and data hub for multiple SaaS providers." Sachs appeared to believe his email was not being posted to a public board; he asked that it not be circulated so that some unusual technical work could be completed and political support shored up in the face of likely community and press cynicism. There's good reason for that - it may not be the good news it seems to be.
But First, A Word from OpenID's New Sponsor
OpenID is important not just because it makes logging in to sites around the web easy, with one username and a secure password, but because it's a way for people or organizations to maintain control over their own identities and data. There are no policy changes you don't approve of when you're in control.
Google's Sachs explained in his email that in order to pull this all off, OpenID relying parties will need to be redirected from the domain provided at user login over to Google's OpenID service. In order for this redirect to happen, all relying parties will need to start looking for a new OpenID extension that Google has developed and implemented in conjunction with one relying party technology, JanRain's RPX.
"There is the potential for some community members (or press) to assume (or at least imply in articles) some evil intent by Google to co-opt OpenID with these extensions," Sachs wrote today. "It would be nice to have a blog post on the formal OpenID blog that was supportive of our approach, so I wanted to see if the board members are comfortable with that."
Whether the nonprofit OpenID Foundation will speak out in support of Google forcing the rest of the industry's hand, with new code extensions that are required to recognize the users of one million Google Apps customer accounts, will now be a spectator sport.
Getting the Job Done
On the other hand, if one were to put a group of well-intentioned people in a room and ask them to solve the sticky problem of asking millions of organizations to adopt OpenID provider infrastructure - that might not ever happen. Enter Google's largess and the "proposal" that federated identity for all these companies and schools can be outsourced to a centralized player, Google, and OpenID might get a big boost in adoption. Companies and schools using Google Apps will now only need to flip a switch in their Google Apps admin controls to turn on OpenID support, and Google will do all the heavy lifting.
Presuming that all the sites that let you log in with OpenID decide to play nice and look for Google's redirect (to Google), the idea of logging in to sites around the web with your favorite, secure account credentials (My Job, Powered By Google) could become far more common.
It might defeat the purpose of putting people in control over their own identities through distributed identity providers, because so many "OpenID" users would be coming back to Google, but the OpenID brand would no doubt benefit in the short term at least. And Google can do no evil, right?
In other words, this move by Google could kill the spirit of OpenID by drowning the letter of OpenID with support. We think we're logging in to websites with our work or school ID, and OpenID lovers think we're logging in with OpenID, but we're actually logging in with a Google-controlled ID. All the heavy lifting would be done, Google would take care of the data storage and probably offer some neat value-added features. All the companies involved would have to do is hand online identity provisioning over to the company that they have already purchased email, calendaring and document sharing from. ("They who can give up essential liberty to obtain a little temporary safety," Ben Franklin once wrote, "deserve neither liberty nor safety.")
At least it's not Facebook!
So goes the wrestling of titans, on the very playing field created by champions of the free and independent little guy.