Comment Thanks Eran! (Score 1) 101

I’ve worked on related standards and I can identify with much of Eran’s frustration. Eran’s a smart, dedicated, passionate person who has worked very hard to make OAuth work for everyone - not just those looking to profit from it. And OAuth is currently the best open standard option for securing REST-based web services today. I hope that when he thinks about OAuth, he thinks primarily about the huge contribution he has made, and not with regret. The standardization process ultimately brings a lot of competing interests to the table - often from vendors. Vendors are increasingly focused on identity as it facilitates the ‘de-perimeterization’ trend in the approaches taken to securing networks. In the identity standards process these different interests are often addressed by creating different ‘profiles’ within the standard – to address specific use cases and concerns like the ones mentioned by him and in some posts here. Once the standard is ratified (and often before) everyone goes off and creates implementations of those profiles – but usually not all of them – to suit their needs. That makes the products more complex to deploy and to do so securely – a lament that Eran expresses. Ultimately the market will decide which profiles were the most important – based on their adoption. I believe that much of Eran’s vision has been and will continue to be realized as adoption increases and OAuth profiles mature.

Comment reduced sign-on (Score 1) 446

In the near term, reduced sign-on is a more realistic expectation. Standards like SAML and OpenID have emerged to enable sites to act as “Identity Providers” or “IDPs” to assert your identity to other websites that have adopted those standards (as evidenced by the login form here on /.). For the reasons a lot of people mention in earlier responses, there are good reasons for us each to have multiple IDPs – not the least of which being privacy. Many enterprises have been trying to ‘crack the nut’ of figuring out a business model for providing an IDP as a service – Passport being an early example. Platforms like Facebook and Google+ seem well positioned to be your IDP for SSO into sites like Pinterest and /. today. However, in many work scenarios – for example where you're sharing docs on Google or using Salesforce – your employer will need to be your IDP in order to enforce security capabilities like identity proofing, access control, and strong authentication. And so providing a single sign-on across all of them is not something that is realistic in the near term – and probably not desirable from a privacy perspective in any case. The best we can do is choose the right IDPs for specific online interactions. As the “IDP market” emerges we as individuals need to push our IDPs – both work and social – to give us the appropriate level of control over how our personal information is shared. We will need to learn to leverage these IDPs to manage and wield what are ultimately different online personae on our behalf. If we don’t seize that control, our personal information will be shared without our consent.
