<HTML>
<HEAD>
<TITLE>Re: [OpenID] Facebook Connect in 8 minutes, feat Luke Shephard</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>> my main point is that Facebook Connect violates best practices in obvious ways that OpenID and other<BR>
> technologies like SAML do not.<BR>
<BR>
> And the Foundation and we mere OpenID users should make the case that<BR>
> embedding unvetted Javascript is bad practice -- that Facebook Connect<BR>
> is a poor alternative to OpenID not simply because it's proprietary and<BR>
> does not scale, but because its current design is fundamentally flawed.<BR>
<BR>
Facebook has offered a means of logging in to a site doing a full page redirect since August 2006. In the past two years, it has gotten basically zero adoption because it’s a terrible user experience. For sites that are uncomfortable embedding third-party Javascript, that is still out there today.<BR>
<BR>
The risk of embedding known, trusted, third-party Javascript is just not that big for most of the big sites today. Many of the same sites implementing Connect already embed Javascript – whether it be ads from Google, YUI libraries, MooTools, jQuery, Prototype, ... whatever. As long as it’s from a trusted source, it’s generally fine. Far greater than the security risks are those from stability, and we’ve worked hard to get our system to be very reliable.<BR>
<BR>
In short, the cost of implementing Connect or OpenID without the help of a Javascript library is greater than the expected cost of a security breach by embedding a third-party Javascript library. Hence, most businesses will choose the library.<BR>
</SPAN></FONT>
</BODY>
</HTML>