[OpenID] Live Icons for visual recognition of IDP logos

Jonathan Coffman jonathan.coffman at gmail.com
Thu Apr 2 02:35:23 UTC 2009

It's definitely a situation to avoid unless you want to end up like those
crazy "share" buttons (think ShareThis, AddtoAny, etc). They've found
themselves trying to please too many different people by constantly adding
social networks and bookmarking sites to their buttons that they've had to
resort to things like scrolling windows, and (I think this is actually
rather smart) remembering what providers individual users use most often.

I think it's hard to imagine an OpenID logo based log-in box that wasn't
composed of either OPs who have business arrangements with the RP (gasp!)
or, and perhaps more realistically, the OPs with the largest mutual user
bases with the RP.


On 4/1/09 9:15 PM, "Andrew Arnott" <andrewarnott at gmail.com> wrote:

> Honestly, Peter, the belly-up OP is what scares me the most about OpenID.  And
> I really like OpenID.  As large and well-written as myopenid.com seems to be,
> I'd never recommend my less-tech-savvy family use it over yahoo.com or
> google.com as an OP because I'm not convinced myopenid.com will be around for
> 25 years.  That's why I use my
> "vanity" url.  It's not for vanity at all... it's for my own identity
> protection.  But the vanity url has to be at my own domain name so that no
> belly-up company can take down my identity. That obviously isn't a solution
> that will work for my friends and family.
> One other problem with listing lots of popular OPs at an RP, and that is that
> a user will learn to rely on his OP being shown, and even if the OP doesn't go
> belly-up, if it disappears from an RP's list of logos, many users will not
> know how to login any more and assume they're locked out.  Bad scenario.
> Personally, I'm uncomfortable with the idea that I'm logging in with OpenID in
> order to avoid a username/password and account recovery process at an RP, and
> yet that RP offers an email recovery for that account.  That feels insecure to
> me.  I want to separate my all-unlocking email address from all my other web
> accounts. If someone compromises my email address, I'd really rather they not
> gain access to all my web accounts at the same time.  So I don't want RPs to
> offer an account recovery option if I use OpenID to log in.  Let account
> recovery be an OP issue.
> Now if the OP goes belly-up, or locks the user out of their account for any
> random reason, what recourse does the user have?  Well, in the real world we
> have government that can help us prove our identity to various parties if we
> lose our driver's license or something.  Perhaps we need a trusted entity like
> that for the Internet. (I can already hear many of you screaming).
> An alternative to relying on an OP or running your own vanity URL is hosting
> your own identity on your own box.  Too complicated for the average joe?  Not
> so much if you use InfoCard.  InfoCard elegantly puts complete identity
> control in the user's hands, and without any risk of ever having it revoked by
> someone else.  There are a couple of problems with InfoCard as it stands today
> though that I see: infocards are not easily transportable to other computers
> (yet), and if they are lost without a backup, they're gone forever and so is
> your access to Internet sites.  
> Since I don't have the perfect solution for either side, DotNetOpenAuth's
> openid login popup will probably feature a couple of major OPs, an OpenID
> logo, and an InfoCard logo, allowing the user to pick what they're most
> comfortable with.
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - Voltaire
> On Wed, Apr 1, 2009 at 5:50 PM, Peter Williams <pwilliams at rapattoni.com>
> wrote:
>> Think about the message it's sending.
>> Who would want to put their family photos on a site they may not be able to
>> access tomorrow (when some OP goes belly-up)?
>> Surely an RP needs to assure its users that there exists the means to replace
>> the OP? The dotcom bust taught us that lots of service companies do in fact
>> go belly-up, in the usual boom/bust cycle.
>> Would be strange if the UCI mission of openid facilitates data and identity
>> portability, but then the failure engineering of the overall service still
>> means you can STILL easily lose access.
>> Presumably, the RP might retain the user's email address(es) from the sreg
>> handoff, so it can send access-recovery URLs granting the users access
>> WITHOUT using any of registered OP(s) for the account.
>> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
>> Behalf Of Andrew Arnott
>> Sent: Wednesday, April 01, 2009 5:39 PM
>> To: Allen Tom
>> Cc: general
>> Subject: Re: [OpenID] Live Icons for visual recognition of IDP logos
>> [Peter Williams]
>> whether they trust them to just not go belly-up and thereby locking out their
>> users from their accounts at that RP, some trust should be implied by an RP
>> listing OP logos.  