[OpenID] Feedback from OpenID demo
Bill Shupp
hostmaster at shupp.org
Fri May 22 09:47:54 PDT 2009
I did a quick internal OpenID demo here at Digg yesterday, and thought
I'd share the feedback here.

There were about 20 people there, of which maybe 3 had used OpenID.
Some people were not technical, though most were. Featured in the
demo were Plaxo and Facebook for RPs, and Google and MyOpenID as OPs.

The feedback was not terribly positive, and the criticisms focused on
two areas:

1) Lack of Single Sign Out in the protocol
2) "Automatic Login", as implemented currently at Facebook

Obviously, #2 really highlighted #1. People thought that login should
be an explicit action, not automatic. When discussing #1, I mentioned
an idea that Luke Shepard shared this week at IIW, of adding
"logout_setup" and "logout_immediate" to the protocol. The idea being
that if you click logout on the RP, it could send a "logout_setup" to
the OP, which would trigger a popup asking if you also want to log out
of the OP as well. This idea got a pretty favorable response, and
seemed to satisfy some of those concerned with the Single Sign Out
issue. "logout_immediate" could behave similarly to
"checkid_immediate", where the logout is performed without user
interaction, and might be favored by higher value RPs like mint.com or
the like. Obviously, there's room for RP abuse here, though.

Cheers,
Bill Shupp