Please upvote to give the standards more exposure.
Are you sure you want OpenID to get more exposure? It already failed once due to hideously poor execution and terrible usability problems. Attaching OAuth doesn't seem to solve any of the big problems. It just masks them behind a protocol that works decently on its own.
The OpenID promise sounds good in a geeky, technical sense, but judging from their past work, I do not trust the OpenID group to build anything remotely viable.
OpenID hasn't failed at all -- I've been noticing more and more sites allowing sign-ins using it, and even a few (primarily for tech audiences) which are OpenID-only.
Of course, there are a few sites which claim OpenID support but implement it poorly (such as news.yc), but that's not a reflection on the protocol.
I do not consider getting a tiny subset of the tech audience using OpenID a case for it being a success. In fact, it did that years ago and has gone nowhere since.
OpenID 2, which was the first version intended to be broadly useful outside of LiveJournal, was published less than two years ago. In that time, OpenID has gained support from every major identity provider and most major consumers. Anybody who uses LiveJournal, Wordpress, StackOverflow, or thousands of other sites can use OpenID instead of a traditional login.
You're making a case that OpenID hasn't succeeded yet. That's not the same as making a case that it has failed.
Of course, success is subjective and relative. I see a little success every time I log in to StackOverflow via OpenID, or get an OpenID guest comment on LiveJournal.
Yes, I would like OpenID to get more exposure. Not just because I spent time implementing it for our site the first time around--they addressed the execution and usability problems with this new work, and I think it will be much more useful for non-technical users.
The OpenID Foundation folks did not just bolt OAuth onto the side and call it a day. One of the key new features is a protocol that allows the ability to stay on-site within a popup or other login, rather than being redirected to a third party, then back to your intended site.
I have not read the code yet to see exactly how it's different, but it seems to strengthen the attribute exchange as well for profile-type information. Most of the OpenID providers I've used are wildly divergent in how (and how many) attributes are exchangeable with the OpenID consuming site.
Do you not see these as fruitful improvements to the protocol?
I know very little about OpenID and, lacking knowledge, I've been avoiding it as a user.
I've tried reading up on it, but the sites/tutorials I looked at were excessively vague and wordy, and I got the impression that I don't want to use OpenID for myself. The HN audience, however, seems quite favourable to the standard, so I'm willing to accept that my initial reaction was a wrong one.
Can you recommend a good reading on the current state of OpenID, with emphasis on security please?
As a user, I typically love encountering sites that are OpenID enabled (stackoverflow, gitorious, ...) since then I can use my livejournal account to login. This way I don't have to manage yet another username/random-password pair.
For many of these sites they might as well not have you login at all and allow you to do whatever they let you do with OpenID, since after logging in they only get a unique identifier (not even an email address, am I correct?).
I see what you're getting at, but I think it's more of an issue of keeping your digital identity intact rather than fragmented over multiple accounts. I can authenticate at a single place, and that server can vouch for me on other sites ("Yeah, he's good to go. He logged in with me. It's him and not some other user."). With some sites you could get away with no login (see 4chan where everyone is anonymous), but for discussion sites that rely on reputation (stackoverflow, reddit, hackernews, etc.) that's not really ideal.
Security-wise, you have the added advantage of not having to manage multiple passwords. You could use a single password for all your sites, but then your password exposure would be too high, since a breach in any of those N websites could potentially capture that one password of yours. With OpenID, those sites wouldn't even be getting my password.
But then a breach in your OpenID account would mean access to every other site right?
However I do agree it would make it a little more secure than using one password at every site. However for smaller sites that I care less about, I generally use a special password anyways, and it seems it's really smaller, less ambitious sites are the ones that will adopt OpenID anyways. I don't think Yahoo, Google, or Facebook will start taking OpenID logins any time soon right?
The idea of OpenID is that you can use any OpenID provider you want, google or yahoo or facebook or run your own, so security generally depends on which server you choose. There are some brain-dead simple options for end-users. For example, just type your Blogger address (e.g. sep332.blogspot.com), you'll be redirected to log in to your Google account. The server just vouches for your identity.
Using an email address for your OpenID is already possible, assuming your provider supports it. I haven't seen any great rush to support email OpenIDs, though, so it could be that most email providers just don't care.
Has anyone seen a site claiming to use OpenID but actually phishing with a redirect to a similar-looking URL (e.g. typo-domains of google/yahoo/etc.) to grab your password?
I always check the URL before entering my credentials, but there's always the risk of similar looking glyphs at a different code point (is Unicode allowed in domain names yet?), or just typo-blindness.
This feels to me like OpenID finally coming of age - the OpenID+OAuth hybrid protocol means you can one-click sign in to a site and simultaneously grant it access to an OAuth protected resource such as your address book. From what I've heard it usability tests extremely well too.
I'm sorry, I still don't see the advantage of OpenID. Can anyone explain why it's any more convenient than username/password? I still haven't bothered to sign up for StackOverflow because the signup seemed far more complicated than it is for just about any other Web 2.0 site.
When I signed up for StackOverflow, I typed in "http://jrock.us/" as my OpenID, and was finished. No password, no email, no "click this link to confirm your email", etc. If SO gets hacked, they have no useful information of mine. If my OpenID provider gets hacked, I remove a few lines of HTML from my index.html page, and can use a different provider. There is only a tiny window where my accounts can be compromised: either until I take down the redirect, or the provider itself is taken down.
(Compare this to the Perlmonks debacle, where my plaintext password is now known to the world, and I had to change the password on every website I've ever used. That is what I consider "complicated".)
I wouldn't know where to begin to set that up -- there's the complicated part. Honestly, this should all be built into the browser -- all this web-service stuff is entirely the wrong approach.
I think it is complicated in that you are put in front of so many buttons and choices, whereas before it was one way: username and password.
This is probably the main user-friendliness issue with OpenID. It's made worse by the fact that your Google/Yahoo OpenID is some long URL and that typing in your Yahoo/Gmail address in an OpenID 1.0 box doesn't redirect you to the login page like an OpenID 2.0 box does.
It's about my ability to have a single ID if I want one.
I feel that my online ID is andrewducker.livejournal.com - it's been the centre of my online social life since 2001, it's where I keep in contact with my distributed friends, where I post things I think about. In a very real way, it's my defining online identity.
And now, thanks to OpenID, I can carry that identity with me to other sites. If I post on Stack Overflow I'm posting as _me_ - not just as whatever user id I happened to get in the gold rush.
That matters to me. If it doesn't matter to you then that's fine. But it's important to me.
In this world, perhaps the less that's directly attributed to you the better off you are.
Your identity is also tied to LiveJournal. I have no such place that I would want my identity tied to. I could run my own OpenID server or some such thing, but that's even more of a pain in the ass.
In this world, perhaps the less that's directly attributed to you the better off you are.
Only if you're ashamed of what you say, or are stuck in a place where your views are constantly held against you. Neither of those are true of me, for which I am duly grateful.
You could use a dedicated OpenID provider, like MyOpenID. If you have a simple website or blog where you can edit meta tags in the HTML, then you can delegate. For example, I use my blog as my OpenID, but I don't want to run a server myself, so I delegate to MyOpenID. They handle the heavy lifting, security (I use a private SSL key), and I still get to control my identifier.
See I could do that, yes. But exactly how many steps, how much technology, and how many organizations are between me and the site I'm logging into. It just doesn't seem worth the effort. What's the payoff?
I have no such place that I would want my identity tied to. I could run my own OpenID server but that's even more of a pain
You don't need to run your own server. Just get an OpenID from myopenid.com. Get several. Then your ... deniable posts won't be "directly attributed" to the one that's in your real name.
You don't need to invent a brand new password for each site you sign up for, but it's more secure than reusing the same password on every site. The new OpenID+OAuth hybrid protocol described in the linked article greatly improves convenience by allowing a site you are signing in to to request access to e.g. your contact list at the same time - so two clicks and you're logged in and have granted access to further information. http://trendly.com/ is a great example of this flow in action.
It sounds like a solution in search of a problem. I don't really need security for my slashdot account or hacker news.
Now, combining with OAuth is interesting, but I don't have a "contact list" anywhere. I don't really have any information that I need (or want) to share between sites. It's definitely a cool option though, so I won't bemoan its existence. However, I am annoyed at sites that require OpenID without the standard alternative.
OpenID 1.0 was not very useful and 2.0 is supposed to allow you to sign in using gmail, yahoo, etc, but the OpenID libraries (for PHP at least) are buggy in this support.
Before OAuth, I think all you get after authenticating is their OpenID identifier, which isn't much info. The user would still have to provide common profile data like name and email.
So OpenID is really just meant to allow you to have one account to login to all your sites, rather than to make it easier to sign up for new sites.
OpenID 1.0 and OpenID 2.0 both support a thing called "simple registration" (this is before the OAuth work) which lets the site you are logging in to ask the OpenID provider for some basic profile information - email address, nickname, postal code etc - which can then be used to pre-fill the signup form on the site. That's the feature that's meant to make it easier to sign up for new sites, and it's been working for several years now.
The last time I tried implementing OpenID I remembered that this was not a consistent feature in that you cannot guarantee this information from the registrant.
You don't have to type your password as often, remember as many passwords (if you would use different ones for different sites), or keep passwords in sync (if you would use the same password at many sites).
All the sites I visit remember my password. My browser remembers my password on top of that. My browser is synced to all my other browsers, etc.
Given the StackOverflow example, it would take exactly 5 seconds to type in my usual username and unsecure password and start using the site. The whole OpenID thing seems like a hell of a lot more work.
I can type those strings in my sleep; what string do I type in to log in to an OpenID site? Oh, you mean I have to find that string somewhere? Probably typing in a lot more than 2 strings to sign up for it? Yeah, I thought so.
You might think I'm being purposely difficult -- and maybe I am. But I'm an intelligent user, I visit Hacker News, etc. Imagine rolling this out to your average web user? Good luck with that.
Why should we let "the average web user" hold everyone else back?
You might think I'm being purposely difficult -- and maybe I am.
I'm not, but I agree that you are. Sometimes times change. You are probably one of the people that adds that "Stop HTML Email" ribbon to your mail signature because the first mainframe you used didn't let you send formatted email. It's not 1960 anymore.
Hold everyone back from what? Technology for technology's sake? Why do all this? For security? So nobody can hack into my Flickr and look at my pictures of my kittens? For convenience? I have to sign up to some completely unrelated service so I can log in to your site?
The average web user isn't going to give a crap, and honestly neither do I. And I generally love technology for technology's sake.
And don't get me started on how horrible HTML email is... ;)
Your Flickr account security probably matters to you a lot more than you think. Plenty of people thought the security on their Facebook accounts "didn't really matter", then 4chan got hold of a bunch and used them to totally destroy people's reputations with their real-life friends: http://thecoffeedesk.com/news/index.php/2009/08/22/4chan-hac...
You have to sign up for some completely unrelated service to receive the "validate your email" link. So OpenID is nothing new in this respect; you have always had to have an unrelated service to sign up for websites.
The point now is that every site you visit doesn't have to have your password and email.
A lot of Web 2.0 sites don't even bother validating your email anymore -- such as hackernews, reddit, etc. They have a username and password that isn't connected to anything. That works for me.
And I don't have to signup for some completely unrelated service to receive an email -- everybody already has email.
I do not use OpenID for privacy reasons. All my accounts use different names and I don't want sites to know that "this person A" and "that person B" are in fact the same. It's no one's business.
If you're worried about sites conspiring behind your back to join your identities together, I take it you use a different e-mail address on every site you sign in to as well?
OpenID needs to hurry up and die so efforts will not continue to be wasted either pushing for OpenID or trying to support it. That way, work can begin in earnest on the next standard protocol that will replace it.
Yahoo, Google and MySpace are supporting the spanking new OpenID OAuth Extension protocol. I have this on my plate at this exact moment, I am not sure how long it will take them to support this, but for now, I found Yahoo's Contacts API to be the easiest, and Facebook's Registration/SSO to be the hardest.
This is what my todo list looks like:
1) Visit all these websites: http://knowem.com/
2) See which ones have authentication API
3) Implement them.
4) ???