[OpenID] Musing on FaceBook, OpenID and the next mountain to climb
Dick Hardt
dick.hardt at gmail.com
Wed Sep 17 19:30:39 UTC 2008
Hey Eran, good to see you jump into the conversation ...
On 16-Sep-08, at 11:41 PM, Eran Hammer-Lahav wrote:
> Dick Hardt wrote:
>> Last time I looked, OAuth and OpenID were different as well. So much
>> for reuse of work in the Open Web. Standardizing this and having it
>> in libraries would help developers.
>
> When OAuth came up with its security model and assertion
> verification process (using tokens) it examined the OpenID solution
> and concluded that it was too complex for most developers to
> implement, as well as concerns about its use of DH crypto. The
> reality is, many people are even having problems with OAuth's
> signature workflow (which I'll take some blame for as the spec can
> use improvements and clarifications).
>
> David and I had many conversations regarding the possibility of
> merging the underlying methods of both protocols. I even wrote about
> it back in January to almost no community interest (http://www.hueniverse.com/hueniverse/2008/01/the-war-of-the.html
> ). The bottom line is, if you add a feature or two to each one, they
> can completely replace the other.
A common way of normalizing and signing name/value pairs would have
allowed that code to be reused.
I proposed this to the group as well.
My point: it is hypocritical to point the finger at Facebook saying
they were not reusing open web standards, when the various open web
standards don't even reuse or standardize on common procedures.
>
>> The functionality they wanted to expose is currently not
>> in the OpenID specifications -- and I think the user experience is
>> superior with Facebook Connect than OpenID.
>
> Like what?
If the user has a Facebook account, 99.9% chance they know it. If they
have an OpenID account, 99.9% chance they don't.
With Facebook Connect, the user clicks on a button to use it. There is a
wide, inconsistent variation on what the user needs to do to use OpenID.
With Facebook Connect, I get all my friends, all my privacy settings
along. There are no best practices for doing this with OpenID.
With Facebook Connect, the RP can look at my profile, and if they
think I am a "good" netizen, let me participate without moderation.
OpenID has no best practices for doing this.
>
>> I don't think that the Facebook team wanted to reinvent anything --
>> so if the tech was already available to do what they wanted, they
>> would have used them.
>
> (No one expects me to be polite about this one)
>
> HORSESHIT!
Ok, but what do you REALLY think? ;-)
>
> First, they never made the effort to truly engage the community and
> understand either specifications. Second, for the most part, they
> reused existing Facebook pieces to create Facebook Connect. Those
> pieces could have been converted or added support for OpenID and
> OAuth a long time ago. And third, this is exactly what they wanted
> to do - these are some of the brightest minds in the industry and
> they know what they are doing.
I can see and agree with your point around OAuth, but this is an
OpenID list. I am clearly a big promoter of OpenID, but I don't have a
good argument on why they should have used OpenID for what they are
doing with Facebook Connect.
Could they become an OP like Yahoo! is? Sure. But SSO is not the major
value proposition of Facebook Connect -- it is getting all the other
aspects and user experience I mention above.
I anticipate that if Digg supports both OpenID and Facebook Connect --
I will use Facebook Connect to log in as I will get a richer, simpler
experience and I am running Sxipper, so I can just click a button to
use my OpenID.
-- Dick
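The "common way of normalizing and signing name/value pairs" that Dick argues both protocols could have shared, as an added example that is not code from this thread, from OpenID or from OAuth: one canonicalization routine plus an HMAC, used unchanged to sign and verify an OpenID-style and an OAuth-style parameter set. The key, messages, hash choice and signature field names are constructed assumptions for illustration, not either specification's actual format.

```python
import hashlib
import hmac
from urllib.parse import quote


def canonicalize(params: dict) -> str:
    """Unambiguous byte string for a set of name/value pairs.

    Names and values are percent-encoded (only RFC 3986 unreserved
    characters stay bare), pairs are sorted, then joined with '=' and '&'.
    Because '&' and '=' inside a name or value are always escaped, two
    different parameter sets can never canonicalize to the same string.
    """
    enc = lambda s: quote(str(s), safe="-._~")
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def sign(params: dict, key: bytes, sig_field: str) -> dict:
    """Return a copy of params carrying an HMAC-SHA256 over the canonical
    form under sig_field. Any existing signature field is excluded from
    the signed material so the signature never covers itself."""
    material = {k: v for k, v in params.items() if k != sig_field}
    mac = hmac.new(key, canonicalize(material).encode("ascii"), hashlib.sha256)
    return {**material, sig_field: mac.hexdigest()}


def verify(params: dict, key: bytes, sig_field: str) -> bool:
    """Recompute the signature and compare it in constant time."""
    presented = params.get(sig_field)
    if presented is None:
        return False
    expected = sign(params, key, sig_field)[sig_field]
    return hmac.compare_digest(expected, presented)


# Constructed sample messages; the key is a placeholder, not a real secret.
KEY = b"placeholder-shared-secret"
OPENID_STYLE = {"openid.mode": "id_res",
                "openid.identity": "https://example.net/alice",
                "openid.return_to": "https://rp.example/cb?x=1&y=2"}
OAUTH_STYLE = {"oauth_consumer_key": "rp-client", "oauth_nonce": "n0nc3",
               "oauth_timestamp": "1221680000", "method": "GET"}

if __name__ == "__main__":
    for msg, field in ((OPENID_STYLE, "openid.sig"), (OAUTH_STYLE, "oauth_signature")):
        signed = sign(msg, KEY, field)
        altered = {**signed, next(iter(msg)): "changed-in-transit"}
        print(field, verify(signed, KEY, field), verify(altered, KEY, field))
```

The same two functions serve both message shapes; the only per-protocol input is the name of the signature field.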