Comments on: The Single Sign-On War Will Ruin OpenID

By: Joseph Engo

Joseph Engo — Thu, 30 Oct 2008 21:48:35 +0000

I am a big supporter of OpenID, I use it in all of my projects. However, what Google is doing is NOT supporting OpenID. They are taking an open specification and destroying it with their own vision. Sorry, it doesn’t work that way. Either you want to support OpenID or you don’t.

If Google or MSN want to create their own system, go for it. But claiming its OpenID is bullshit.

Yahoo is pulling the same crap. Requesting developers put a “sign in with Yahoo” logo is retarded and defeats the point.

By: AlexW

AlexW — Thu, 30 Oct 2008 20:55:42 +0000

It is up the author to filter their own work, they shouldn’t be filtering their feedback.

Because it’s everyone’s god given right to spam and troll! You’ll get my submit button when you you pry it from my cold dead fingers.

By: Will Norris

Will Norris — Thu, 30 Oct 2008 19:18:31 +0000

I would highly recommend everyone watch the latest episode of TheSocialWeb.tv, in which Eric Sachs of Google talks about their OpenID. Google is not opposed to being a consumer of externally authenticated users (in fact, they already DO with Google Apps)… there are just much more difficult problems when the service provider doesn’t have a way to directly authenticate the user.

http://www.thesocialweb.tv/blog/2008/10/episode-16-open.html

By: Stop Tracking me

Stop Tracking me — Thu, 30 Oct 2008 17:17:35 +0000

Who cares, you shouldn’t require any authentication for a user to post. I shouldn’t have to provide you with any details in order for me to communicate and point out why your post is:
* dumb
* wrong
* not worth posting
* a silly idea

etc. It is up the author to filter their own work, they shouldn’t be filtering their feedback.

By: Deron Meranda

Deron Meranda — Thu, 30 Oct 2008 16:52:42 +0000

Just to present the other side. There are some reasonable arguments for why the big players should be cautious in being RPs too.

It may defeat some of their anti-spammer mechanisms surrounding the prevention of bulk or automated account creation. This can probably be solved with OpenID, but it does require some non-trivial attention.

Most people only have one account at one of the big players; sure technical people may have multiple accounts at Yahoo!, Google, etc…, but I think that is pretty rare. So for the people who only use one email account, they just won’t see the problem of still having to remember multiple passwords.

If one of their email accounts gets hacked; they may have some legal liability, or at least bad PR to content with. It’s bad enough when Yahoo! gets a lot of bad press when Palin’s account was cracked; imagine what would happen if a third-party OP was also in the mix. Yahoo! would still get all the bad attention, but the breach wouldn’t even be their fault or under their control.

Also, the big guys are, hopefully, much more security savy than smaller sites. They have the capacity to correctly and securely manage logins, encrypt passwords, deal with password recovery, protecting against bot accounts, and so on. Also they can tend to be a little more protective over user’s privacy (or at least have more money and layers); sure it’s not perfect, but Google is going to resist pretty hard when some company says it needs the name of the user for an account; without some sort of legal warrant. I’m not sure all the smaller OPs out there are as “secure” or trustworthy, so the big players should be concerned that this could jeopardize it’s user’s privacy when it outsources authentication to another party.

This is not to say that we shouldn’t pressure them to become RPs as well, but we should appreciate that there are some special circumstances for them that need some careful thought. I think some of that is just a matter of time, allowing OpenID to mature more.

Also, unless you are one of the few big players (Google, Yahoo!), then you should be an RP. The arguments for being an OP only is not nearly as defensible.

Deron Meranda

By: Anonymous

Anonymous — Thu, 30 Oct 2008 15:12:17 +0000

Otherwise if they are going to have their own then all pre-existing yahoo, or msn accounts should use the MSN or Yahoo provider but new logins should be accepted from anywhere.

By: futbalo.com

futbalo.com — Thu, 30 Oct 2008 10:26:34 +0000

They don’t want to implement fully the concept of OpenID cause they are big fishes who still want to be the center in a decentralized net. However it doesn’t mean the concept of OpenID is screwed, let’s see how things evolve when that technology becomes mainstream.

By: Stormrider

Stormrider — Thu, 30 Oct 2008 10:21:51 +0000

The trouble is, if one of them says they will accept sign ins from other places, they won’t get any signups themselves because people could just use other providers instead of theirs.

They all need to agree to accept others at once. It isn’t going to happen on its own.

By: Twylite

Twylite — Thu, 30 Oct 2008 08:46:24 +0000

This is great news! OpenID will be fragmented and eventually die, leaving the market open for a secure standard that also has privacy guarding features.

By: Wardrop

Wardrop — Thu, 30 Oct 2008 04:39:49 +0000

It’s just like the browser wars, everyone thinks that their own standards (for whatever reason) are better than the official W3C recommendations. Why is everything in life so frustrating, browsers, OpenID… what next, is someone going to bring out a cereal where you have to pour the cereal over the milk?