[OpenID] Feedback from OpenID demo
Peter Williams
pwilliams at rapattoni.com
Fri May 22 21:30:15 UTC 2009
Let's note that the evidence and conclusions being drawn are at odds with other communities - communities with a lot of user experience.
The Shib2 academic community (and who would want to argue with them, since they have far more USG/UKG money to spend on websso than all of us folks together are spending on openid) asserts that SLO is the last thing anyone wants/needs. And they have been doing websso now for literally years, for national-scale university logons. They have hundreds of thousands of active users, and hundreds of active RPs. Though, at the same time, there are very few published research papers - the usual standard for credible research.
Just pointing out two groups making opposite conclusions.
Personally, I like SLO (done right). If it's being done to further strip control from users (and make their sessions be controlled by TTP IDPs or TTP RPs), then it gets my ire. Such TTPs will just become a policy enforcement point, and therefore undermine UCI autonomy. While that's fine in a B2B world, it's not ok for the web.
________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Luke Shepard [lshepard at facebook.com]
Sent: Friday, May 22, 2009 12:16 PM
To: Bill Shupp; OpenID List
Subject: Re: [OpenID] Feedback from OpenID demo
That's really good feedback, thanks for sending, Bill.
I just published a blog post exploring these issues. Bill already summarized the ideas, but for a fleshed out description, check it out:
http://www.sociallipstick.com/2009/05/logout-the-other-half-of-the-identity-equation/
On 5/22/09 9:47 AM, "Bill Shupp" <hostmaster at shupp.org> wrote:
I did a quick internal OpenID demo here at Digg yesterday, and thought
I'd share the feedback here.
There were about 20 people there, of which maybe 3 had used OpenID.
Some people were not technical, though most were. Featured in the
demo were Plaxo and Facebook for RPs, and Google and MyOpenID as OPs.
The feedback was not terribly positive, and the criticisms focused on
two areas:
1) Lack of Single Sign Out in the protocol
2) "Automatic Login", as implemented currently at Facebook
Obviously, #2 really highlighted #1. People thought that login should
be an explicit action, not automatic. When discussing #1, I mentioned
an idea that Luke Shepard shared this week at IIW, of adding
"logout_setup" and "logout_immediate" to the protocol. The idea being
that if you click logout on the RP, it could send a "logout_setup" to
the OP, which would trigger a popup asking if you also want to logout
of the OP as well. This idea got a pretty favorable response, and
seemed to satisfy some of those concerned with the Single Sign Out
issue. "logout_immediate" could behave similar to
"checkid_immediate", where the logout is performed without user
interaction, and might be favored by higher value RPs like mint.com or
the like. Obviously, there's room for RP abuse here, though.
Cheers,
Bill Shupp
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
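Bill's description of "logout_setup" and "logout_immediate", and his closing caveat about RP abuse, are sketched below from the OP's side as an added example. This is not code from the thread, from the OpenID specifications, or from any OP implementation: the two mode values come from the message, while the `openid.logout_token` parameter, the `OpenIDProvider` class and the sample realms are assumptions made for the sketch. The defensive points it shows are that an RP the session was never asserted to cannot end it, that `logout_setup` always leaves the decision to the user, and that `logout_immediate`, having no popup, must prove it comes from the RP that actually received the assertion before the OP session is dropped.

```python
"""Sketch of OP-side handling for the proposed logout_setup / logout_immediate modes.

Assumed (not part of OpenID or the thread): the OP attaches a per-login token to each
positive assertion and expects it back on logout_immediate requests.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class OPSession:
    """One browser's login at the OP, plus the RPs it has been asserted to."""
    user: str
    # realm (RP) -> logout token the OP attached to the positive assertion it sent
    rp_logins: dict = field(default_factory=dict)


class OpenIDProvider:
    def __init__(self, ask_user):
        # ask_user(user, realm) -> bool stands in for the confirmation popup
        self.ask_user = ask_user
        self.sessions = {}  # browser cookie -> OPSession
        self.audit = []     # one entry per logout decision, for the OP's own logs

    def login(self, cookie, user):
        self.sessions[cookie] = OPSession(user)

    def assert_identity(self, cookie, realm):
        """checkid_* succeeded for this realm: remember it and hand it a token."""
        token = secrets.token_hex(16)  # assumed extension: returned on logout_immediate
        self.sessions[cookie].rp_logins[realm] = token
        return token

    def handle_logout(self, cookie, params):
        mode = params.get("openid.mode")
        realm = params.get("openid.realm")
        session = self.sessions.get(cookie)
        if session is None:
            return "no_session"
        expected = session.rp_logins.get(realm)
        if expected is None:
            # This RP was never asserted to in this session; it gets no say in ending it.
            self.audit.append(f"reject {mode} from unknown realm {realm}")
            return "rejected_unknown_realm"
        if mode == "logout_setup":
            # The RP's own login ends; whether the OP session ends is the user's call.
            del session.rp_logins[realm]
            if self.ask_user(session.user, realm):
                del self.sessions[cookie]
                self.audit.append(f"OP logout confirmed by user via {realm}")
                return "op_logged_out"
            self.audit.append(f"user kept OP session after logout at {realm}")
            return "rp_logged_out_only"
        if mode == "logout_immediate":
            # No popup, so the request must prove it comes from the RP holding the token;
            # constant-time compare, and nothing changes on failure.
            presented = params.get("openid.logout_token", "")
            if not hmac.compare_digest(presented.encode(), expected.encode()):
                self.audit.append(f"reject logout_immediate from {realm}: token mismatch")
                return "rejected_bad_token"
            del self.sessions[cookie]
            self.audit.append(f"immediate OP logout via {realm}")
            return "op_logged_out"
        self.audit.append(f"reject unknown mode {mode!r} from {realm}")
        return "rejected_unknown_mode"


def demo():
    """Walk the sketch through a constructed session; returns the OP audit log."""
    op = OpenIDProvider(ask_user=lambda user, realm: realm == "https://bank.example/")
    op.login("cookie-1", "alice")
    op.assert_identity("cookie-1", "https://news.example/")
    bank_token = op.assert_identity("cookie-1", "https://bank.example/")
    # An RP never seen in this session, then a forged token: both rejected, session intact.
    op.handle_logout("cookie-1", {"openid.mode": "logout_immediate",
                                  "openid.realm": "https://evil.example/"})
    op.handle_logout("cookie-1", {"openid.mode": "logout_immediate",
                                  "openid.realm": "https://news.example/",
                                  "openid.logout_token": "guess"})
    # logout_setup from the news site: the user declines, so only that RP login ends.
    op.handle_logout("cookie-1", {"openid.mode": "logout_setup",
                                  "openid.realm": "https://news.example/"})
    # The higher-value RP presents its real token and ends the OP session with no prompt.
    op.handle_logout("cookie-1", {"openid.mode": "logout_immediate",
                                  "openid.realm": "https://bank.example/",
                                  "openid.logout_token": bank_token})
    return op.audit


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The audit list is the detection side of the picture: a burst of token mismatches or unknown-realm requests against one session is what an OP operator would look for if an RP started abusing the immediate mode.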