[OpenID] About Facebook, MySpace and OpenID

Breno de Medeiros breno at google.com
Fri Apr 3 18:46:44 UTC 2009


On Fri, Apr 3, 2009 at 11:31 AM, Breno de Medeiros <breno at google.com> wrote:

>
>
> On Fri, Apr 3, 2009 at 11:12 AM, John Bradley <john.bradley at wingaa.com>wrote:
>
>> Believe me almost nothing is stranger than me defending MySpace.
>>
>> However I think they have done a reasonable job with there OP.
>>
>> They are compliant with openID 2.0,  true some older RP libs may have a
>> problem if they are not compliant.
>>
>> If a openID 2.0 RP can't do a authentication at the MySpace OP it is
>> broken!
>>
>> The exception to that would be MS health Vault or other sites that by
>> policy don't allow non SSL connections or require PAPE multi factor etc.
>> Those are policy decisions by the RP, and are not the OPs responsibility.
>>
>> OpenID 2.0 authentications can be performed without associations,
>> Associations are a performance optimization not a security feature.
>>
>> If I were MySpace I would have made a SSL OP URI available rather than the
>> http one.
>>
>> That would have broken a larger but different set of RPs that don't
>> support SSL.
>>
>> The choice from an OP point of view is, use SSL and exclude all non SSL
>> RPs or have a non SSL URI and prevent RPs that don't support DH from
>> associating, but they can still authenticate in dumb/stateless mode.
>>
>> You can have two endpoints and the RP gets to select the SSL version if it
>> supports SSL.
>> That seems like a good idea,  but the RP's who have a discovery lib that
>> can recognize URI priority in the XRDS and fail over properly are not the
>> ones who have the problem.    This is the technically correct solution but
>> probably breaks more RPs than it helps.
>>
>> To have SSL be useful it needs to protect the meta-data discovery step.
>>  If I can replace your XRDS/or HTML tags at the RP, I own you!   Securing
>> the rest of the transaction with SSL is as useful as locking your windows
>> and leaving the front door open.
>>
>> So if I am MySpace or any other large provider the cost of making all of
>> my user profile pages SSL could run into the millions of dollars.   I would
>> probably think twice about it myself if I were them.
>>
>> The choice MySpace made is reasonable.
>>
>> No this is not hopeless.  The XRI-TC which now includes representation
>> from Google, Yahoo and others is working on a trust model for signing XRD/S
>> documents.   This will be part of the upcoming XRD 1.0 spec and may find its
>> way into an openID >= 2.1 near you at some point in the future.
>>
>> Yes MySpace could include Sreg or better yet AX.   Given that to my
>> knowledge we have one OP that hands out an validated email address in AX
>> (that is still beta, and bends the AX spec),  so I wouldn't say MySpace is
>> holding things up.
>>
>> We have a way to ask for an email address as an optional claim in AX,  a
>> RP needs a white list of OP's it trusts have verified it, or round trip the
>> email if the OP is not on the validated e-mail white list, and they care.
>>
>> What OPs need to do:
>> Vidoop:  Nothing works now
>> MyOpenID:  Get with the program and support the standard claim URI.,
>> otherwise it would work now.
>> Google:  Stop ignoring AX requests that are not marked required.   The
>> word doesn't revolve around you.
>
>
> Well, should the world revolve around the users? They keep telling anyone
> who would listen that they don't like checkboxes.  Checkboxes are also
> terrible for accessibility.
>
> Suggestions appreciated.
>

I would also note that any OP who implements checkboxes where required
fields are checked by default and non-required fields aren't will return the
same answers that the Google OP provides more than 95% of the time. However,
their users will be 95% unhappier.


>
>
>
>>
>> MySpace: Support AX please
>> AOL:  Support openID 2.0 + AX
>> Yahoo:  Support AX
>>
>> OP's have had the specs and tools to do this for a long time now.  It is
>> not like we need to invent something new.
>>
>> Lets get what we have working well,  please.
>>
>> Regards
>> John Bradley
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
>>
>
>
> --
> --Breno
>
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)
>



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090403/0e615cec/attachment-0002.htm>


More information about the general mailing list