[OpenID] Facebook Connect in 8 minutes, feat Luke Shepard

Luke Shepard lshepard at facebook.com
Fri Dec 12 17:59:55 UTC 2008


> my main point is that Facebook Connect violates best practices in obvious ways that OpenID and other
> technologies like SAML do not.

> And the Foundation and we mere OpenID users should make the case that
> embedding unvetted Javascript is bad practice -- that Facebook Connect
> is a poor alternative to OpenID not simply because it's proprietary and
> does not scale, but because its current design is fundamentally flawed.

Facebook has offered a means of logging in to a site doing a full page redirect since August 2006. In the past two years, it has gotten basically zero adoption because it's a terrible user experience. For sites that are uncomfortable embedding third-party Javascript, that is still out there today.

The risk of embedding known, trusted, third-party Javascript is just not that big for most of the big sites today. Many of the same sites implementing Connect already embed Javascript - whether it be ads from Google, YUI libraries, MooTools, JQuery, Prototype, ... whatever. As long as it's from a trusted source, it's generally fine. Far more than the security risks are those from stability, and we've worked hard to get our system to be very reliable.

In short, the cost of implementing Connect or OpenID without the help of a Javascript library is greater than the expected cost of a security breach by embedding a third-party Javascript library. Hence, most businesses will choose the library.

