[OpenID] OpenID in India - What stops you from using OpenID?

Martin Paljak martin at paljak.pri.ee
Thu Jun 26 14:57:22 UTC 2008


2008/6/26 SitG Admin <sysadmin at shadowsinthegarden.com>:
>>If you use one OpenID account to go to two hundred sites, the thief
>>who steals your OpenID credentials gains access to any of the 200
>>sites.
>
> It's worse than this, actually. Unless the OP specifically *prevents*
> it, you can go to *any* OpenID-supporting site, even one other than
> one of the 200 you were previously accessing! And if they've gained
> access to your credentials with the OP, they may have also gained
> access to whatever authorization mechanism you were using to say
> "Yes, it's okay to add another site to the list."

There are pros and cons, of course. Choosing an OP is like choosing
your bank - it's about trust. And risks. You have several credit cards
with different limits to protect you from 'bad RP'-s (rogue
restaurants stealing your credit cards in mysterious places).

It is much easier to trust ONE place (OP) with your private data and
authentication credentials than 200 websites you visit not to leak their
badly protected databases, which would leak your usernames and weak,
repeating passwords, which many people use all over the internet.



>>3) No Patent - Open ID is a free framework (without any patent),
>>which can be implemented by anyone (even hackers and phishers), this
>>makes it very vulnerable for hackers and users tend to have limited
>>trust in such applications. No wonder the user base is still very
>>low for it.

It's only a matter of time before any closed or 'patented' technology
is broken by some curious good or malicious bad guy. I don't
understand how a patented or not-free technology could catch up faster
than an open and free one? Make a test. Have a party with free beer and
10€/pint beer and see which has a bigger user base.


>>5) Multiple user account login - What if user has multiple
>>accounts to say Google. He/she will still have to remember all the
>>URIs to login to different accounts. Open ID falls short of a true
>>SSO (Single sign on) to all user accounts.
>
> That's a problem with Google, not with OpenID -

In case Google here is the OP with which the user has multiple accounts
(URIs), this scenario is mitigated with OpenID 2.0 and the directed
identity feature.

-- 
Martin Paljak
martin at paljak.pri.ee
http://martin.paljak.pri.ee
GSM:+3725156495

