Nothing legitimizes a standard like usage. What makes Microsoft Window’s a standard is those billions of transistors all over the planet are chewing way on it’s code. What makes Google search a standard is that all those of searches are taking place.
In that sense of legitimate OpenID continues to struggle. While usage remains the final arbiter there are other ways to achieve a bit-o-legitimacy. Getting the blessing of the king is always good. You can get a law passed; that worked for making curb cuts standard but it didn’t work for lowering the speed limit to 55mph. You can get a large standards body to promulgate your standard. That one is surprisingly ineffective. You can solicit players with large market share to give you the nod.
Each of those three (civil authorities, professionals authorities, market leaders) is legitimate because some legitimate process gave them their king like nature. Their blessings are market signals. Other players in the market use them to manage the risks of adoption. Interpretation of these signals is up for negotiation. Consider a few of the big standards bodies – for example ANSI, EMCA IEEE, IETF, OASIS, W3, WS – each one has very different governance model. That model affects the meaning of their blessing.
In the standards battle over internet indentity the Project Liberty folks ended up tainted by the way their governance, and hence their legitimacy, was weighted toward the account holders rather than the users. I was involved in Liberty, and the governance was weighted toward account holders; the design emphasis wasn’t but that’s not my point today.
Microsoft and AOL’s recent signals of support for OpenID signal one thing. That OpenID is good for them. That does not mean good for you. OpenID is very good for very large existing account holders, because those players are the most likely to hand out the vile globally unique identifiers around which the OpenID design based.
I tend to think that OpenID is going to capture a very large market share. These signals of support reinforce that. Not so much because they actually signal a change in that most important source of legitimacy, i.e. usage, but because they illustrate that at least one side (i.e. account holding institution) are starting to see that the design is good for them. The other side (i.e. account holders) remain on the sidelines.
The question of what makes this standard’s bandwagon legitimate should remain open for negotiation. The OpenID bandwagon looks to me like it’s in great shape. That users haven’t climbed on board remains a challenge, but not an intractable one. I continue to see this bandwagon as pretty illegitimate from a governance point of view. Claiming to speak for users is damn sight easier to say than do.