[OpenID] Yahoo OpenID UX Study

Drummond Reed drummond.reed at cordance.net
Fri Oct 10 19:17:57 UTC 2008


Peter, +1 to supporting only https: identifiers.

Question: does your "traditional" OpenID login text input control accept
XRIs (i-names)? Some OpenID folks are not aware that all i-names are
automatically https: identifiers without the user having to know or type
anything different. In other words, I can log in as =drummond at any OpenID
RP that accepts i-names and the RP can automatically use https for
discovery.

It's one of the key security advantages of XRIs -- the other is automatic
pairing with a canonical persistent XRI i-number to prevent OpenID recycling
and support lifetime synonym management.

=Drummond 

> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Peter Watkins
> Sent: Friday, October 10, 2008 6:20 AM
> To: Allen Tom
> Cc: openid-general General
> Subject: Re: [OpenID] Yahoo OpenID UX Study
> 
> 
> Thank you, both for sharing this information, and for
> continuing to improve your OpenID offering. We're
> weeks away from launching our first app that will support
> OpenID logins, and Yahoo! is the only specific OpenID
> provider that we intended to highlight & make easy for
> our users -- largely because you're the only "big player"
> that now has https OP URLs (https://me.yahoo.com).
> (Frankly, I'd love to add AOL, but as long as they don't have
> https OP addresses, they're out.) Anyhow, I am very glad
> that you're streamlining the process for Yahoo users --
> this helps both you & RPs like us, too.
> 
> As for UI, our plan is to have the login page offer three options:
>  * use your Example.gov account [our system]
>  * use your Yahoo! account
>  * use another secure (https) OpenID account
> 
> Only if the user clicks on the Example.gov option will
> our "local" login username/password form appear.
> 
> Since we know the Yahoo OP https URL, we intend NOT to display
> any OpenID input control if the user clicks the Yahoo! link.
> I've always suspected what you discovered -- that login forms
> like idselector.com's (which still doesn't understand the more
> secure me.yahoo.com URL???) that show the user an OpenID URL
> and force them to click Sign in again are confusing. The most
> that IDSelector should do for "educational" purposes is
> display a message like "Asking the OpenID service at
> https://me.yahoo.com/ to log you in with a Yahoo! account..."
> 
> If the user clicks the generic OpenID link, we'll display a
> "traditional" OpenID login text input control. We'll use client-
> side Javascript to help users fill this out.
> 
> (Yes, we'll allow arbitrary OpenID URLs, with one requirement
> -- the OpenID claimed ID must be an https URL. So folks using
> premium OPs with secure identifiers will be welcomed.)
> 
> -Peter
> 
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
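
The https-only identifier rule discussed in this thread, sketched as an added example that is not code from either message or from any RP named in it. The function names, the result shape, and the choice to default a bare host name to https:// are assumptions; the XRI and URL classification follows OpenID Authentication 2.0, section 7.2.

```javascript
// Added example: hypothetical helper names, not from the thread.
const XRI_GLOBAL_CONTEXT = new Set(["=", "@", "+", "$", "!"]);

// Classify and normalize what the user typed (OpenID 2.0, section 7.2),
// then apply the "claimed ID must be an https URL" rule to URL identifiers.
function checkIdentifier(input) {
  let id = String(input).trim();
  if (id === "") return { ok: false, reason: "empty identifier" };

  // Section 7.2: an explicit xri:// prefix is stripped before classifying.
  if (id.toLowerCase().startsWith("xri://")) id = id.slice(6);

  // An XRI starts with a global context symbol or "(". The user types nothing
  // extra; the RP is expected to run XRI resolution over https (assumption:
  // the RP's resolver is configured that way).
  if (XRI_GLOBAL_CONTEXT.has(id[0]) || id[0] === "(") {
    return { ok: true, kind: "xri", identifier: id };
  }

  // Otherwise it is a URL. The spec defaults a scheme-less input to http://;
  // an https-only RP can default it to https:// instead (assumption).
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(id)) id = "https://" + id;

  let url;
  try {
    url = new URL(id);
  } catch (e) {
    return { ok: false, reason: "not a valid URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "claimed ID must be an https URL" };
  }
  url.hash = ""; // the fragment is not sent during discovery
  return { ok: true, kind: "url", identifier: url.href };
}

// During discovery the RP follows redirects, and the final URL becomes the
// claimed identifier, so the same rule has to hold for that final URL too.
function checkDiscoveredUrl(finalUrl) {
  const result = checkIdentifier(finalUrl);
  return result.ok && result.kind === "url";
}
```

Checking only the typed value is not enough: an https identifier that redirects to an http URL ends up with an http claimed ID, which is why the second check runs on the post-redirect URL.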



