[OpenID] OpenID in India - What stops you from using OpenID?

Snorri snorri at snorri.eu
Wed Jun 25 08:31:01 UTC 2008 

Interesting comments Eddy,

 

I copy also here the answer of Vijay Anand, the founder of www.pronto.in 

It’s a platform with important Indian start-ups:

 

Who can answer?

 

Thanks

 

-Snorri

 

Rajan represents a firm that works in the secure identity space. When asked how it measures with OpenID, he mentioned a few remarks. I wanted to run it through you to get your feedback. What do you think?

Vijay

For Point 4 Open ID – Open id is a good concept, but very much different to XeQure. We have taken into consideration the shortcomings of Open ID in development of XeQure. Please visit  <http://idcorner.org/2007/08/22/the-problems-with-openid/> http://idcorner.org/2007/08/22/the-problems-with-openid/  to get an idea where Open ID stops being user friendly and secure. Few salient points are as below:

 

1)     Prone to phishing – Open ID workflow and architecture is such that it is easy to phish into as any person can create a website and become an Open ID provider. Causing a great threat to user security and hence confidence in application. If you use one OpenID account to go to two hundred sites, the thief who steals your OpenID credentials gains access to any of the 200 sites.

2)     Privacy issue – With open ID the identity provider can track all your login and usage history. This in itself is a grave concern for internet users. XeQure architecture is different and it does not control the way user moves on a third party website.

3)     No Patent –Open ID is a free framework (without any patent ), which can be implemented by anyone (even hackers and phishers), this makes it very vulnerable for hackers and users tend to have limited trust in such applications. No wonder the user base is still very low for it. 

4)     Usability issues – Open Id is too cumbersome to use. It has three entities the user, Identity provider e.g. Claim ID, and Consumer e.g. LiveJournal.com, pbwiki.com, etc. They all have to synchronize to make this functional. Too many parties involved for user ease. It has many steps on each login and it is not a true single click sign on unlike XeQure. This Open ID framework needs to be implemented for each website which requires time and cost to be incurred to do so.

5)     Multiple user account login – What if user has multiple accounts to say Google. He/she will still have to remember all the URIs to login to different accounts. Open ID falls short of a true SSO(Single sign on) to all user accounts.

6)     6)   Limited operation in major players – Open ID is not being provided as a login method on major websites like Gmail, Orkut, Myspace, etc. Although majors like Google, Microsoft, etc. expressed their   willingness to provide support for Open ID more than 6 months back, but have done nothing to make it functional as of yet. It seems that OpenID will take a very long time to be used as a standard on the  World Wide Web.

 

 

De : general-bounces at openid.net [mailto:general-bounces at openid.net] De la part de Eddy Nigg (StartCom Ltd.)
Envoyé : mercredi 25 juin 2008 07:55
À : Jeetendra Mirchandani
Cc : general at openid.net
Objet : Re: [OpenID] OpenID in India - What stops you from using OpenID?

 

Jeetendra Mirchandani: 

This is a question for all those website owners in India, who have been around for a while, and those who have started new ventures recently. Let me list down possible reasons I can think of, as if I were to own a website targeted towards Indians


All of the above might be correct (from the point of view of the web site owners of course). Here my $0.02....




1.	Indian users dont know what OpenID is


Very likely! Isn't this the reason for your foundation and mission thereof?




1.	Your traffic is reluctant to use a URL as a username, they are just more comfortable with the old traditional way of having a user name and password
2.	You, the website owner, wants to build a user base. And users signing in via an OpenID aren't really users that you own (Or atleast thats what you think?)


>From the user perspective that's certainly not really valid. For OpenID users, when offered OpenID login on a site they are more willing to register then without. It's only the authentication which is "outsourced" not the user base itself. That's a point which needs education perhaps.




1.	You don't trust that OpenID provider is secure enough. You are responsible for any user data, and don't want the third-party provider to be involved in how secure your user data is


Allow only providers you trust. It's easy as that.




1.	OpenID implementation is very complicated


This is a valid point and most popular blogs, forums require some extra work to have OpenID login. Certainly for implementing your own login facility. Until the big web applications don't ship OpenID built-in (like WordPress, Phpbb forum, wikimedia) this is a hurdle.




With the same argument, point 4 is also not totally valid! A user understands who to trust, and build up that trust over time. With big players like  <http://openid.yahoo.com/> Yahoo providing OpenID, I think this barrier is gone.


I don't view Yahoo as a secure provider, sorry.




And if you say OpenID implementation is complicated, you need to look around. The  <http://openid.net/developers/> developers section on openid.net could be a good starting point.


That's a lame argument. For many implementation is impossible or very burdensome. See above...the most popular web applications need to ship OpenID built-in!




Regards 


 


Signer: 

Eddy Nigg, StartCom Ltd. <http://www.startcom.org> 


Jabber: 

startcom at startcom.org


Blog: 

Join the Revolution! <http://blog.startcom.org> 


Phone: 

+1.213.341.0390


 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20080625/bb3e25ef/attachment-0001.htm>

More information about the general mailing list