[OpenID] "Nightmare" article on OpenID

sknvn-openid at yahoo.com sknvn-openid at yahoo.com
Fri Nov 19 08:22:54 UTC 2010


Another very important point he raised is about the uptime. He was very happy 
with RPX until it went down a few times. 

Essentially any time an OP has a downtime, the RP is going to be down. Since there 
is no contract between the RP and the OP there is no SLA. The other issue is that 
different OPs will have very different uptime. So there is almost no way for an 
RP to deal with hundreds of OPs, and one or the other may be down at any given 
time. A user may select an OP that is very unreliable and not be able to log in 
to the RP site.
Banks often have maintenance in the night and they may be down (as that is 
normal for them) every few days.

I don't see any easy solution to this as you are outsourcing your 
authentication. The other issue related to this, and one that rarely gets much 
attention, is account recovery. If somehow a user is unable to recover 
his account at the OP, there has to be a way for any RP to allow them to recover 
their account at the RP site. This is a must if a user has paid for a service.


Thanks

Naveen





________________________________
From: Johannes Ernst <jernst+openid.net at netmesh.us>
To: List OpenID <general at openid.net>
Sent: Thu, November 18, 2010 9:19:57 PM
Subject: Re: [OpenID] "Nightmare" article on OpenID



On Nov 18, 2010, at 16:11, Allen Tom wrote:

> The author raises many important issues for consumer-oriented websites that are 
> trying to accept 3rd-party logins, and I think we as a community should listen 
> and take the author's feedback very seriously.

I strongly agree with Allen.

Even if the author was all wrong (he isn't -- I've run into some of the same 
issues) it clearly indicates that there is a lot of work to be done, at the very 
minimum documenting everything so well that few people can get it wrong. Nothing 
is a faster way into irrelevance than claiming the customer is wrong.

Especially:

> 1) Directed Identity / PPID (Pairwise Pseudonymous identifier) / 
> non-correlatable RP-specific identifier - is great in theory, but does not 
> provide enough value to most RPs to justify implementing OpenID.

Some people may remember me arguing "what about customer service" so many years 
back. If I can't tell my identifier to the customer service guy on the phone, 
how is it ever going to work? Amusingly, this article refers exactly to that use 
case.

> PPID identifiers have no history, no data, and no reputation - why would any RP 
> want this? Also, as the author pointed out, changing the PPID based on the 
> realm/return_to means that RPs will "lose all their users" if they ever switch 
> their domain/realm. There are many valid reasons why RPs would want to have 
> multiple realms/domains, or to change them around.
>
> 2) username at provider identifiers are necessary for users to contact the RP via 
> customer support and other out-of-band mechanisms. For all practical purposes, 
> the email address is really required.

If the user remembers their e-mail address but not anything else (like URL), 
that's a tautology.

> 3) We often talk about OpenID's value to end users, but we don't talk enough 
> about giving value to RPs. The main hurdle to OpenID adoption is that RPs don't 
> see enough value in OpenID, especially relative to other proprietary 
> alternatives. 
>
> For a really harsh critique of OpenID, I highly recommend reading Yishan Wong's 
> (ex Facebook/Paypal) tirade against OpenID on Quora:
>
> http://www.quora.com/What-s-wrong-with-OpenID
>
> Allen
> On Wed, Nov 17, 2010 at 4:01 PM, Bill Shupp <hostmaster at shupp.org> wrote:
>
>> http://blog.wekeroad.com/thoughts/open-id-is-a-party-that-happened
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
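The realm-bound PPID problem from point 1 and the email fallback from point 2, as an added illustration that is not from any poster on this thread or from an OpenID library: the HMAC derivation is an assumed model of how an OP binds the identifier to the realm, and the RelyingParty class, its email index and every identifier and secret are constructed.

```python
import hashlib
import hmac
# Constructed OP-side secret; a real OP keeps this private.
OP_SECRET = b"constructed-op-secret-for-illustration-only"

def ppid(user_id: str, realm: str) -> str:
    """Pairwise pseudonymous identifier: one opaque id per (user, realm) pair.
    Deriving it with an HMAC over user id and realm is an assumed model; the
    OpenID 2.0 spec leaves the OP's actual derivation method unspecified."""
    mac = hmac.new(OP_SECRET, f"{user_id}\x00{realm}".encode(), hashlib.sha256)
    return "https://op.example/id/" + mac.hexdigest()[:16]

class RelyingParty:
    """Constructed RP that keys its accounts on the PPID received from the OP."""
    def __init__(self, realm):
        self.realm = realm
        self.accounts = {}    # PPID -> account record
        self.by_email = {}    # verified email -> PPID (the out-of-band handle)

    def register(self, user_id, email):
        pid = ppid(user_id, self.realm)
        self.accounts[pid] = {"email": email, "paid": True}
        self.by_email[email] = pid
        return pid

    def login(self, user_id):
        return self.accounts.get(ppid(user_id, self.realm))

    def change_realm(self, new_realm):
        self.realm = new_realm            # the OP now mints different PPIDs

    def recover_by_email(self, user_id, email):
        """Re-link an orphaned account after the user has proved ownership of
        the verified email out of band (that proof is assumed to have happened)."""
        old_pid = self.by_email.get(email)
        if old_pid is None or old_pid not in self.accounts:
            return None
        new_pid = ppid(user_id, self.realm)
        self.accounts[new_pid] = self.accounts.pop(old_pid)
        self.by_email[email] = new_pid
        return self.accounts[new_pid]

def demo():
    rp = RelyingParty("https://shop.example/")
    rp.register("alice", "alice@mail.example")
    before = rp.login("alice") is not None
    rp.change_realm("https://shop-new.example/")
    after = rp.login("alice") is not None          # account is "lost"
    recovered = rp.recover_by_email("alice", "alice@mail.example") is not None
    return before, after, recovered
```

Without the email index the account after the realm change is unreachable by any identifier the OP will ever present again.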