Thanks Joseph.<div><br></div><div>I might also offer a post recently on similar criticisms of OpenID:</div><div><br></div><div><a href="http://tr.im/fj_openid_criticisms">http://tr.im/fj_openid_criticisms</a></div><div><br>
</div><div>In order to understand OpenID, I think you need to look beyond where we are today, because as a solution for what people do on the web today, it's somewhat limited and inconsistent.</div><div><br></div><div>
I'd also point out that we're early in the history of OpenID -- and just as email at one point was inconsistent and confusing, I think eventually OpenID will be made to be much more usable and accessible. But we're starting with the web as it is today and trying very hard to move quickly to get a lot of players on board to make this easy for folks. As a result, we're dealing with lots of thorny issues like politics, security, usability and special interests -- and all of those things take time to smooth out.</div>
<div><br></div><div>It will get better and is getting better, but we still have a long way to go.</div><div><br></div><div>Chris<br><br><div class="gmail_quote">On Fri, Jan 9, 2009 at 10:41 AM, Joseph A Holsten <span dir="ltr"><<a href="mailto:joseph@josephholsten.com">joseph@josephholsten.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">To those watching: A friendly reminder, don't feed the trolls.<div class="Ih2E3d"><br>
<br>
Márcio Vinícius Pinheiro wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
What kind of license Yahoo has to be a provider? what's their obligations?<br>
</blockquote></div>
All the people who developed OpenID have basically provided patent non-asserts, so there is no license or obligations to use. It's open.<br>
<br>
The OpenID foundation has no power or desire to make Yahoo! do their bidding. But we would all love to convince them to be a relying party (allow people to authenticate on their site with OpenID). Can you think of any particularly convincing business value they would gain from being a relying party? I know a few yahoo fellows are here.<div class="Ih2E3d">
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I still didn't understand the use of an URL (like my blog address) as an ID. Wasn't it about username/password?<br>
</blockquote></div>
This is a common issue with OpenID. Some people even want email addresses as OpenIDs. The simplest explanation is that OpenID was originally aimed at bloggers, who typically are quite fond of their blog url. But these days, most OpenID implementations are trying to hide that in their UIs.<br>
<br>
If that interests you, you should investigate the XRI TC at OASIS. They're working on the underlying standards that let a site find your OpenID provider and talk to them.<div class="Ih2E3d"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Maintainers of OpenID should carefully read this: http://<a href="http://idcorner.org/2007/08/22/the-problems-with-openid/" target="_blank">idcorner.org/2007/08/22/the-problems-with-openid/</a><br>
</blockquote></div>
This covers the points:<br>
- phishing<br>
- security is no better than DNS<br>
- recycling<br>
- correlation & collusion<br>
- usability<br>
- too many OPs, not enough RPs<br>
- impersonation by the OP<br>
- dependence on OP availability<br>
- submarine patent claims<br>
<br>
Most regulars on the list are well aware of these issues. If you (or anyone else) are not already aquainted of these concerns, and the potential solutions to them, please reply and someone will be happy to help you out. Some of the most critical claims from that post are by people very involved in the OpenID community. For example, Ben Laurie, who mentioned some of the security/trust concerns, is working to fix trust with XRD. Some of the privacy concerns were brought up by someone who was on the OpenID Board at the time, Tom Allen. ; )<br>
<br>
Finally, we understand you've got issues with the way OpenID works today. We'd love to know about any new problem you find in OpenID, especially if you can propose a solution. But do try to be polite.<br>
<br>
<a href="http://josephholsten.com" target="_blank">http://josephholsten.com</a><br>_______________________________________________<br>
user-experience mailing list<br>
<a href="mailto:user-experience@openid.net">user-experience@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/user-experience" target="_blank">http://openid.net/mailman/listinfo/user-experience</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Chris Messina<br>Citizen-Participant &<br> Open Web Advocate-at-Large<br><br><a href="http://factoryjoe.com">factoryjoe.com</a> # <a href="http://diso-project.org">diso-project.org</a><br>
<a href="http://citizenagency.com">citizenagency.com</a> # <a href="http://vidoop.com">vidoop.com</a><br>This email is: [ ] bloggable [X] ask first [ ] private<br>
</div>