[OpenID] About Facebook, MySpace and OpenID

John Bradley john.bradley at wingaa.com
Fri Apr 3 18:12:33 UTC 2009


Believe me, almost nothing is stranger than me defending MySpace.

However, I think they have done a reasonable job with their OP.

They are compliant with OpenID 2.0; true, some older RP libs may have
a problem if they are not compliant.

If an OpenID 2.0 RP can't do an authentication at the MySpace OP, it
is broken!

The exception to that would be MS HealthVault or other sites that by
policy don't allow non-SSL connections or require PAPE multi-factor,
etc. Those are policy decisions by the RP, and are not the OP's
responsibility.

OpenID 2.0 authentications can be performed without associations;
associations are a performance optimization, not a security feature.

If I were MySpace I would have made an SSL OP URI available rather
than the http one.

That would have broken a larger but different set of RPs that don't  
support SSL.

The choice from an OP point of view is: use SSL and exclude all
non-SSL RPs, or have a non-SSL URI and prevent RPs that don't support
DH from associating, but they can still authenticate in dumb/stateless
mode.

You can have two endpoints and the RP gets to select the SSL version
if it supports SSL.
That seems like a good idea, but the RPs who have a discovery lib
that can recognize URI priority in the XRDS and fail over properly are
not the ones who have the problem. This is the technically correct
solution but probably breaks more RPs than it helps.

To have SSL be useful it needs to protect the meta-data discovery
step. If I can replace your XRDS or HTML tags at the RP, I own you!
Securing the rest of the transaction with SSL is as useful as locking
your windows and leaving the front door open.

So if I am MySpace or any other large provider, the cost of making all
of my user profile pages SSL could run into the millions of dollars.
I would probably think twice about it myself if I were them.

The choice MySpace made is reasonable.

No, this is not hopeless. The XRI TC, which now includes
representation from Google, Yahoo and others, is working on a trust
model for signing XRD/S documents. This will be part of the upcoming
XRD 1.0 spec and may find its way into an OpenID >= 2.1 near you at
some point in the future.

Yes, MySpace could include SReg or, better yet, AX. Given that to my
knowledge we have one OP that hands out a validated email address in
AX (that is still beta, and bends the AX spec), I wouldn't say
MySpace is holding things up.

We have a way to ask for an email address as an optional claim in AX;
an RP needs a white list of OPs it trusts to have verified it, or
round-trip the email if the OP is not on the validated e-mail white
list, and they care.

What OPs need to do:
Vidoop: Nothing works now.
MyOpenID: Get with the program and support the standard claim URI;
otherwise it would work now.
Google: Stop ignoring AX requests that are not marked required. The
world doesn't revolve around you.
MySpace: Support AX please.
AOL: Support OpenID 2.0 + AX.
Yahoo: Support AX.

OPs have had the specs and tools to do this for a long time now. It
is not like we need to invent something new.

Let's get what we have working well, please.

Regards
John Bradley
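Two of the mechanics the post leans on, shown in code as an added example that is not part of the original message and not MySpace's or any OP's implementation: an RP selecting an OP endpoint from an XRDS document by XRI priority (choosing or requiring the https URI when the OP publishes one, which is the policy-versus-compatibility choice described above), and verifying a positive assertion in stateless ("dumb") mode via check_authentication when no association exists. The XRDS documents, hostnames under example.invalid, assertion fields and signature value are all constructed sample data; the XRD namespace, OpenID 2.0 type URIs and check_authentication field names come from the XRDS and OpenID 2.0 specifications.

```python
# Added example (not from the original post): OpenID 2.0 RP-side endpoint
# selection from XRDS by priority, with an optional "https only" RP policy,
# plus the stateless-mode check_authentication exchange.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "xri://$xrd*($v*2.0)"
OPENID2_TYPES = {
    "http://specs.openid.net/auth/2.0/server",  # OP Identifier (directed identity)
    "http://specs.openid.net/auth/2.0/signon",  # Claimed Identifier
}

# Constructed sample: an OP that publishes both an https and an http URI and
# ranks the https one higher (lower priority number wins).
SAMPLE_XRDS_BOTH = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI priority="20">http://op.example.invalid/openid</URI>
      <URI priority="10">https://op.example.invalid/openid</URI>
    </Service>
    <Service priority="5">
      <Type>http://openid.net/signon/1.1</Type>
      <URI>http://op.example.invalid/openid1</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Constructed sample: an OP that only publishes a plain-http endpoint.
SAMPLE_XRDS_HTTP_ONLY = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>http://op.example.invalid/openid</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def _priority(elem):
    """XRI Resolution ordering: a smaller priority number ranks first and an
    element with no priority attribute ranks after every numbered one."""
    value = elem.get("priority")
    return (1, 0) if value is None else (0, int(value))


def endpoint_candidates(xrds_text):
    """Return OpenID 2.0 endpoint URLs from an XRDS document in priority order,
    ignoring services of other types (e.g. OpenID 1.1 only)."""
    root = ET.fromstring(xrds_text)
    xrds = root.findall(f"{{{XRD_NS}}}XRD")
    if not xrds:
        return []
    final_xrd = xrds[-1]  # the last XRD in the document is the one that applies
    services = []
    for service in final_xrd.findall(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in service.findall(f"{{{XRD_NS}}}Type") if t.text}
        if types & OPENID2_TYPES:
            services.append(service)
    services.sort(key=_priority)  # stable sort keeps document order on ties
    candidates = []
    for service in services:
        for uri in sorted(service.findall(f"{{{XRD_NS}}}URI"), key=_priority):
            if uri.text:
                candidates.append(uri.text.strip())
    return candidates


def select_endpoint(xrds_text, require_tls=False, prefer_tls=True):
    """Pick the endpoint this RP will use.  require_tls models an RP policy that
    refuses non-SSL OPs outright; prefer_tls models an RP that fails over to an
    https URI whenever the OP publishes one, regardless of the OP's priorities."""
    candidates = endpoint_candidates(xrds_text)
    https_only = [u for u in candidates if urlsplit(u).scheme == "https"]
    if require_tls:
        return https_only[0] if https_only else None
    if prefer_tls and https_only:
        return https_only[0]
    return candidates[0] if candidates else None


def build_check_authentication(assertion):
    """Stateless mode: with no association the RP has no MAC key to verify
    openid.sig itself, so it sends an exact copy of the positive assertion back
    to the OP with openid.mode replaced by check_authentication.  The request
    must go to the endpoint found by discovery, not to a URL taken from the
    assertion, which is why discovery is the step that needs protecting."""
    request = dict(assertion)
    request["openid.mode"] = "check_authentication"
    return request


def is_valid_check_authentication_response(kv_text):
    """Parse the OP's key-value direct response; only is_valid:true passes."""
    fields = {}
    for line in kv_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value
    return fields.get("ns") == "http://specs.openid.net/auth/2.0" and fields.get("is_valid") == "true"
```

In this model an RP with the HealthVault-style policy (require_tls=True) gets None from the http-only document and must refuse to proceed, while an RP that merely prefers SSL still authenticates against the http endpoint, either with a DH association or, if its library lacks DH, by sending the check_authentication request built above.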