[OpenID board] GCN (Government Computer News) covers OpenID

Chris Messina chris.messina at gmail.com
Fri Sep 25 17:23:52 UTC 2009


The article is here:

http://gcn.com/articles/2009/09/28/openid-authentication-for-federal-web-sites.aspx

Unfortunately, it suffers from a number of inaccuracies or misleading
statements, which may warrant a simple blog post welcoming this
review, but highlighting some clarifications:

"OpenID is fundamentally a way you can use your browser to
authenticate to a Web site by using a third-party identity provider,"
said Drummond Reed, one of the founding board members of the OpenID
Foundation, which oversees OpenID.

>> Drummond was indeed a founding member of the OIDF, but this quote makes it sound like he's speaking on behalf of the OIDF board, which I don't think was his intention...


"For users, the chief appeal of OpenID is that it could provide a
single name and password combination for a wide variety of sites."

>> This kind of language concerns me — and I've recently heard feedback that the government will be able to "get your Facebook password" if you use OpenID on a government site... while the convenience of this statement is not to be ignored, it should be clarified that one's password is NEVER shared with an OpenID consumer/relying party (or the government!).


"The list of consumer Web sites that accept OpenID as credentials is
growing, even if they lean toward the geeky side: Slashdot, Facebook,
Google, Technorati, LiveJournal and Yahoo. "

>> Google, Yahoo and Technorati do not accept OpenID credentials, AFAIK. They provide them, but do not accept them.


"The OpenID Foundation says more than 27,000 sites use the protocol,
although actual use on the part of the Web populace remains an open
question: One Internet service, called WetPaint, dropped support for
OpenID, noting that of its 1 million registered users, only 200 logged
on with OpenID accounts. Other sites, such as Facebook and Google,
hide their OpenID log-on pages."

>> As of July, according to Janrain, it looks like we're closer to 50K relying parties:

http://blog.janrain.com/2009/07/relying-party-stats-as-of-july-1-2009.html

And, while it's true that Wetpaint removed OpenID from their site, I
can personally attest to how AWFUL their implementation was:

http://www.flickr.com/photos/factoryjoe/2478951850/

Also, Google doesn't so much hide their OpenID logon pages as they
don't support it (unless we're talking about Google Apps for your
Domain?).


"A Web site that uses OpenID credentials assumes only that any OpenID
provider is supplying verification that a person wishing to register
under a certain account knows the password of that account, the OpenID
Foundation’s Reed said. "

>> Once again, it would appear that Drummond is speaking on behalf of the OpenID Foundation.

Otherwise, it's a pretty good article.

Chris

