[OpenID] About Facebook, MySpace and OpenID
Breno de Medeiros
breno at google.com
Fri Apr 3 18:31:41 UTC 2009
On Fri, Apr 3, 2009 at 11:12 AM, John Bradley <john.bradley at wingaa.com> wrote:
> Believe me almost nothing is stranger than me defending MySpace.
> However I think they have done a reasonable job with their OP.
> They are compliant with OpenID 2.0; true, some older RP libs may have a
> problem if they are not compliant.
> If an OpenID 2.0 RP can't do an authentication at the MySpace OP it is
> The exception to that would be MS health Vault or other sites that by
> policy don't allow non SSL connections or require PAPE multi factor etc.
> Those are policy decisions by the RP, and are not the OPs responsibility.
> OpenID 2.0 authentications can be performed without associations.
> Associations are a performance optimization, not a security feature.
> If I were MySpace I would have made an SSL OP URI available rather than the
> http one.
> That would have broken a larger but different set of RPs that don't support
> The choice from an OP point of view is, use SSL and exclude all non SSL RPs
> or have a non SSL URI and prevent RPs that don't support DH from
> associating, but they can still authenticate in dumb/stateless mode.
> You can have two endpoints and the RP gets to select the SSL version if it
> supports SSL.
> That seems like a good idea, but the RPs who have a discovery lib that
> can recognize URI priority in the XRDS and fail over properly are not the
> ones who have the problem. This is the technically correct solution but
> probably breaks more RPs than it helps.
> To have SSL be useful it needs to protect the meta-data discovery step. If
> I can replace your XRDS or HTML tags at the RP, I own you! Securing the
> rest of the transaction with SSL is as useful as locking your windows and
> leaving the front door open.
> So if I am MySpace or any other large provider the cost of making all of my
> user profile pages SSL could run into the millions of dollars. I would
> probably think twice about it myself if I were them.
> The choice MySpace made is reasonable.
> No, this is not hopeless. The XRI-TC, which now includes representation from
> Google, Yahoo and others, is working on a trust model for signing XRD/S
> documents. This will be part of the upcoming XRD 1.0 spec and may find its
> way into an OpenID >= 2.1 near you at some point in the future.
> Yes, MySpace could include SReg or, better yet, AX. Given that to my
> knowledge we have one OP that hands out a validated email address in AX
> (that is still beta, and bends the AX spec), I wouldn't say MySpace is
> holding things up.
> We have a way to ask for an email address as an optional claim in AX; an RP
> needs a whitelist of OPs it trusts to have verified it, or round-trips the
> email if the OP is not on the validated-email whitelist, and they care.
> What OPs need to do:
> Vidoop: Nothing works now
> MyOpenID: Get with the program and support the standard claim URI,
> otherwise it would work now.
> Google: Stop ignoring AX requests that are not marked required. The world
> doesn't revolve around you.
Well, should the world revolve around the users? They keep telling anyone
who would listen that they don't like checkboxes. Checkboxes are also
terrible for accessibility.
> MySpace: Support AX please
> AOL: Support OpenID 2.0 + AX
> Yahoo: Support AX
> OPs have had the specs and tools to do this for a long time now. It is
> not like we need to invent something new.
> Let's get what we have working well, please.
> John Bradley
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
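The association-versus-stateless point John makes above (associations are an optimization; a "dumb" RP can still verify an assertion by asking the OP) is shown here as an added example, not code from the thread or from any OP mentioned in it. It implements OpenID 2.0 key-value-form signing and the two RP-side verification paths; the assertion fields and MAC key are constructed placeholders, DH or SSL key establishment is out of scope, and, as John notes, neither path helps if the discovery step itself was tampered with.

```python
import base64
import hashlib
import hmac

# Constructed positive assertion, as the RP receives it on return_to.
# Placeholder values; not real OP data. Fields listed in openid.signed are
# covered by the signature (OpenID 2.0 section 6).
ASSERTION = {
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/server",
    "openid.claimed_id": "https://op.example/id/alice",
    "openid.identity": "https://op.example/id/alice",
    "openid.return_to": "https://rp.example/finish",
    "openid.response_nonce": "2009-04-03T18:31:41Zabc123",
    "openid.assoc_handle": "assoc-1234",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}
# Constructed MAC key standing in for one agreed via DH or fetched over SSL.
MAC_KEY = hashlib.sha256(b"demo key, not a secret").digest()

def kv_form(msg):
    """Key-value form of the signed fields, 'openid.' prefix removed, in openid.signed order."""
    return "".join(f"{k}:{msg['openid.' + k]}\n" for k in msg["openid.signed"].split(","))

def sign(mac_key, msg):
    """base64(HMAC-SHA256(mac_key, kv_form)) for assoc type HMAC-SHA256."""
    return base64.b64encode(hmac.new(mac_key, kv_form(msg).encode(), hashlib.sha256).digest()).decode()

def issue_assertion(mac_key, msg):
    """OP side: attach openid.sig to the assertion."""
    return {**msg, "openid.sig": sign(mac_key, msg)}

def verify_with_association(mac_key, msg):
    """Smart-mode RP: it holds the MAC key from an earlier association."""
    return hmac.compare_digest(sign(mac_key, msg), msg["openid.sig"])

def check_authentication(op_keys, msg):
    """Stateless (dumb) mode: the RP has no key, so it posts the assertion back
    to the OP as a direct check_authentication request and trusts the answer.
    op_keys stands in for the OP's key store, indexed by assoc_handle."""
    key = op_keys.get(msg.get("openid.assoc_handle"))
    ok = key is not None and hmac.compare_digest(sign(key, msg), msg["openid.sig"])
    return {"is_valid": "true" if ok else "false"}
```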