I haven't tracked closely, but DNSSEC is still not widely deployed, right?

I mean, I think that's not true? dnssec-analyzer.verisignlabs…

Somewhere around 60% of the users I support use gmail, so any approach is going to need to be supported by Google. Their OAuth implementation is pretty seamless these days for sign-in.

My goal is to enable secure, simple federated identity. Authentication is a core bit of functionality in that regard. Obviously supporting non-corporate identities is critical, but forcing everyone to be 'indie' is a mistake, I think.

nobody said "force". my goal is to *enable* indie identities, something that is pretty much completely glossed over by the current OIDC ecosystem.

I don't agree that it's completely glossed over - there is a registration protocol, it's just not widely implemented. The intent could be better stated, for sure, but I think IA's emphasis is too far the other way. My ideal is something in-between IndieAuth and OIDC, I think! 😊