<br><font size=2 face="sans-serif">The difference between those examples
and the facebook OpenID linkage is quite notable and very important.</font>
<br>
<br><font size=2 face="sans-serif">1. You can link multiple OpenID's to
your facebook account (nice). The other relationships you mentioned are
1:1 B2B and not a user-centric choice, therefore it is more normal to expect
them to do automatic signon. </font>
<br>
<br><font size=2 face="sans-serif">2. If I move to another browser (eg
kiosk) or perform a cookie cleanup on my regular browser and don't have
the openid_p cookie, there is absolutely no way for me to login with my
openid, which means I must remember and use my facebook password. This
is IMO the biggest problem with the current approach from a usability perspective.</font>
<br>
<br><font size=2 face="sans-serif">Luke - I do have my own OP, and have
successfully interop tested it with facebook. What you've done is a great
start, however I believe it's vitally important to offer "Login with
my linked OpenID" from the main facebook.com login page, along with
the ability to prompt for that OpenID - just like is done when linking
an OpenID in the first place. Without that the ability to let my unique
facebook password fade away is impossible.</font>
<br>
<br><font size=2 face="sans-serif">Another comment on the implementation
- It seems that regardless of whether or not I enter an OP-identifier or
a user-unique claimed identifier, the facebook RP always does an OP-identifier
style login with identifier_select to to the discovered openid server.
I am not sure that's a good thing as it leads to other problems such as
not being able to support delegation properly.</font>
<br>
<br><font size=2 face="sans-serif">Cheers,</font>
<br><font size=2 face="sans-serif">Shane.</font>
<br>
<br>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td width=40%><font size=1 face="sans-serif"><b>Luke Shepard <lshepard@facebook.com></b>
</font>
<br><font size=1 face="sans-serif">Sent by: general-bounces@openid.net</font>
<p><font size=1 face="sans-serif">21/05/2009 09:37 AM</font>
<td width=59%>
<table width=100%>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">To</font></div>
<td><font size=1 face="sans-serif">André Luís <andreluis.pt@gmail.com>,
"general@openid.net" <general@openid.net></font>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">Subject</font></div>
<td><font size=1 face="sans-serif">Re: [OpenID] Facebook support for OpenID.
Where?</font></table>
<br>
<table>
<tr valign=top>
<td>
<td></table>
<br></table>
<br>
<br>
<br><font size=2 face="Calibri">Right, I understand your concerns. The
current behavior is equivalent to how most single signon works that I’ve
seen – not just with OpenID. For other examples, look at how Google/Blogger,
Google/Plaxo, and Facebook/Citysearch behave.<br>
<br>
That said, I agree that it can be surprising for some users, and we can
do more to improve messaging, as well as provide a good experience if you
are NOT currently logged into your provider. Any changes like that require
design work and user testing, and thus take time. Right now, my priority
is to solve the bugs in the current flow, and iterate on features in order
of business priority. I will definitely take your feedback into account
when prioritizing the work. <br>
<br>
In the meantime, if you’re uncomfortable with the behavior, it’s fully
opt-in feature.<br>
<br>
On 5/20/09 4:19 PM, "André Luís" <</font><a href=andreluis.pt@gmail.com><font size=2 color=blue face="Calibri"><u>andreluis.pt@gmail.com</u></font></a><font size=2 face="Calibri">>
wrote:<br>
</font>
<br><font size=2 face="Calibri">Hello Luke,<br>
<br>
comments inline.<br>
<br>
On Wed, May 20, 2009 at 4:46 PM, Luke Shepard <</font><a href=lshepard@facebook.com><font size=2 color=blue face="Calibri"><u>lshepard@facebook.com</u></font></a><font size=2 face="Calibri">>
wrote:<br>
> Thanks for the constructive feedback, Andre.<br>
><br>
> This is the first iteration of our OpenID relying party. I agree that
some of the interface has rough edges, but imho it works. We are working
on testing different approaches to help set expectations and make an even
smoother flow.<br>
><br>
> I would consider most of the implementation to be "work in progress".
At Facebook, we work very iteratively- push something out, see how it's
used, tweak, push, etc. Changes to the main home page are especially important
to test extensively.<br>
><br>
<br>
Good to know. I hope our comments can help.<br>
<br>
> Some earlier posters asked about why we only use GMail for registration
so far. We chose to start with GMail bc Google has made available both
contacts and a verified email, both of which help improve conversion. We
will work on testing other providers, and if we see a positive impact on
growth, then we will launch them as well. It's very much a data-driven
business decision.<br>
<br>
Alright, that was not my concern when I shared my comments but I get<br>
it. I just hope you guys don't restrict this to 3 or 4 major global<br>
players. There are "local" country-level providers that do things
by<br>
the book and are spreading the word. It would be too bad if users were<br>
forced to neglect their openid providers at signup on facebook because<br>
you only accept google and yahoo. ;) Just saying...<br>
<br>
> Ultimately I would love to get OpenID to the point where it makes
business sense to accept signups from all providers on the front page,
but frankly, for our business, we're not quite there yet.<br>
><br>
<br>
Sure.<br>
<br>
> We're keeping track of open issues in the forums and on the developer
wiki. I'm open to any constructive feedback and ideas.<br>
><br>
<br>
Awesome, I'll have a look.<br>
<br>
But from your reply, I don't think I explained myself very clearly.<br>
What I was complaining about was not the signup part. It's when the<br>
user has already linked his/her openids in the account settings screen<br>
and later comes to the homepage of Facebook. After a couple of<br>
seconds, the page just changes and *bam*, I'm logged in. No warnings,<br>
no countdowns to allow cancellation... nothing.<br>
<br>
One of the golden rules of usability states very clearly that any<br>
action should always be initiated by the user. You can show prompts,<br>
but something as *big* as logging in, shouldn't come to the user as a<br>
surprise. :) Imagine I come to facebook, start typing my email and<br>
when I look up... I'm logged in. "what?!"<br>
<br>
<br>
IMHO, I believe you should, at most, prompt the user.. "We detected<br>
you have logged into ____(provider)____. [Come on in, ___(name)___]"<br>
with a checkbox " [ ] Next time, log me in automatically". And
even<br>
then, you should warn the user which account you logged him in with,<br>
with a reverse checkbox "[ ] Next time, ask me first."<br>
<br>
Or maybe show a countdown saying "You'll be logged into your account<br>
___(name)____ in 9 seconds. [Login right away] [Cancel]"<br>
<br>
I just don't like the *empty* feeling of being dragged into facebook<br>
without so much as a word explaining what happened. I had to rely on<br>
Firebug to figure it out. ;)<br>
<br>
Anyways, I'm rambling. Sorry for the long email, but I got carried away.
:)<br>
<br>
--<br>
André Luís<br>
<br>
<br>
><br>
> ----- Original Message -----<br>
> From: </font><a href="general-bounces@openid.net"><font size=2 color=blue face="Calibri"><u>general-bounces@openid.net</u></font></a><font size=2 face="Calibri">
<</font><a href="general-bounces@openid.net"><font size=2 color=blue face="Calibri"><u>general-bounces@openid.net</u></font></a><font size=2 face="Calibri">><br>
> To: </font><a href=general@openid.net><font size=2 color=blue face="Calibri"><u>general@openid.net</u></font></a><font size=2 face="Calibri">
<</font><a href=general@openid.net><font size=2 color=blue face="Calibri"><u>general@openid.net</u></font></a><font size=2 face="Calibri">><br>
> Sent: Wed May 20 08:29:58 2009<br>
> Subject: Re: [OpenID] Facebook support for OpenID. Where?<br>
><br>
> Just want to throw these 2 cents into the discussion..<br>
><br>
> The fact that, if I'm logged into my provider, I'm simply swept off
my<br>
> feet and dragged into my facebook account feels very unnatural. In
an<br>
> exclusively usability perspective, the action should *always* start
by<br>
> user initiative. At least there should be a prompt suggesting "We've<br>
> detected you're logged into ___insert__provider___. <button>Come
on<br>
> in</button>".<br>
><br>
> Have they addressed this? Is this behavior only temporary?<br>
><br>
> Thanks,<br>
> --<br>
> André Luís<br>
><br>
> On Wed, May 20, 2009 at 4:10 PM, Peter Williams <</font><a href=pwilliams@rapattoni.com><font size=2 color=blue face="Calibri"><u>pwilliams@rapattoni.com</u></font></a><font size=2 face="Calibri">>
wrote:<br>
>> "Most notably, you can now register for a Facebook account
with your Gmail account, or can link an existing Facebook account with
Gmail or other OpenID-participating services if they support automatic
log-in."[</font><a href="http://www.silicon.com/retailandleisure/0,3800011842,39432536,00.htm"><font size=2 color=blue face="Calibri"><u>http://www.silicon.com/retailandleisure/0,3800011842,39432536,00.htm</u></font></a><font size=2 face="Calibri">]<br>
>><br>
>><br>
>> Im hearing that the RP performed a profiling act (the selection
of those features of the protocol that suits the RP). That is ... the protocol
can only now be used according to the trust/business/value/legal principles
that drive the adopting party.<br>
>><br>
>><br>
>><br>
>> We might ask, politically: is the implementation consistent with
UCI - where users are in control?<br>
>><br>
>><br>
>><br>
>> now since SSO tends to be all about the politics of cooperation,
one might analyze what is it in the interworking environment that induced
Facebook to make the choice they did, in profiling the standard?<br>
>><br>
>> We COULD assume malice or greed, but that's really last year's
(US) political scene. We might speculate that its something about what
Facebook considers itself to be doing in the world that has driven the
choice.<br>
>><br>
>><br>
>><br>
>> Only if they preserve X, when putting profiling limits on openid
choices, can they adopt the protocol. Now what is X?<br>
>><br>
>><br>
>><br>
>> My guess is the X is openid was adoptable only when its deployed
with "rp-centric" trust models.<br>
>><br>
>><br>
>><br>
>> It seemed critical to Facebook that user was not being spoofed/phished
(for presevation of the FaceBook brand). It seemed critical that a FaceBook
introduction to a (user's choice of) OP also not be facilitating spoofing/phishing
on those OPs (for the protection of FaceBook's indirect reputation = brand).
Hence, impose rp-centric trust models in which any reliance on an OP is
contingent on the user having PREVIOUSLY logged into the OP (and therefore
having already taken decision prior to a Facebook introduction on whether
one has or has not been phished etc).<br>
>><br>
>><br>
>><br>
>> I find this quite UCI, is a perverse sort of way. It would be
also a legally-driven, reputation-driven profiling choice - in the absence
of a trust model. It could even be seen as quite clever. Rather than extending
openid with extensions (e.g the PKI-style extensions of some proposal),
they went the other direction, and imposed profiling limits.<br>
>><br>
>><br>
>> ________________________________________<br>
>> From: </font><a href="general-bounces@openid.net"><font size=2 color=blue face="Calibri"><u>general-bounces@openid.net</u></font></a><font size=2 face="Calibri">
[</font><a href="general-bounces@openid.net"><font size=2 color=blue face="Calibri"><u>general-bounces@openid.net</u></font></a><font size=2 face="Calibri">]
On Behalf Of SitG Admin [</font><a href=sysadmin@shadowsinthegarden.com><font size=2 color=blue face="Calibri"><u>sysadmin@shadowsinthegarden.com</u></font></a><font size=2 face="Calibri">]<br>
>> Sent: Wednesday, May 20, 2009 12:21 AM<br>
>> To: Santosh Rajan<br>
>> Cc: </font><a href=general@openid.net><font size=2 color=blue face="Calibri"><u>general@openid.net</u></font></a><font size=2 face="Calibri"><br>
>> Subject: Re: [OpenID] Facebook support for OpenID. Where?<br>
>><br>
>>>You may not agree with my views, or I may not succeed to<br>
>>>convince you, but I thing it is unfair for you to suggest that
I should not<br>
>>>express my views here.<br>
>><br>
>> That wasn't his suggestion. What grows tiresome about your expression<br>
>> of those views is how you try to establish links between your
beliefs<br>
>> and whatever may be happening at the moment, apparently without<br>
>> regard for showing any actual connection. Over time, this creates
the<br>
>> appearance that you are either so frantic to make us listen, you
care<br>
>> less about being relevant or valid than repeating the same points<br>
>> over and over, or so fanatical about your beliefs that you can't<br>
>> understand the different perspectives people here might have -
much<br>
>> less, adapt your approach to fit into what *they* want, instead
of<br>
>> just what *you* want (and think others, if intelligent, *should*<br>
>> want).<br>
>><br>
>> In your original post on this thread you suggested that because
this<br>
>> is "Facebook", we say good things no matter what they
do. If the<br>
>> implementation Facebook had taken to OpenID followed your advice,<br>
>> would you still be criticizing them? Still be placing (some of)
the<br>
>> blame for their (alleged) Fail on not doing so? If they had, would<br>
>> you be praising them, instead as an example of what everyone else<br>
>> *ought* to do?<br>
>><br>
>>>Also sites that use user names as logins can easily integrate
OpenID.<br>
>><br>
>> Usernames usually have a character limit (say, 16 or so), but
most<br>
>> OpenID's are (much) longer than that; already, this makes OpenID<br>
>> integration *very* difficult. How much room will you allocate
for<br>
>> primary fields in your backend database? If that room has already<br>
>> been allocated, and the structure decided on, how drastically
will<br>
>> the entire datacenter have to be overhauled?<br>
>><br>
>> I spent a while worrying over maximum length of URI's (theoretical<br>
>> maximum limit of URL's, and this is limited by a combination of<br>
>> server at OP, server at RP, and user's browser; probably 4,000+<br>
>> characters!), but eventually decided to store primary keys of
a<br>
>> hash's length at most; now, hashes *can* collide, but if you get
more<br>
>> than one result you just retrieve them all and do more exact<br>
>> comparisons on the fuller string!<br>
>><br>
>>>The problem is for sites that "use" email addresses
as Identities, or<br>
>>>require verified email addresses. Here implementing OpenID
in the current<br>
>>>form is not practical without including email addresses as
identifiers.<br>
>><br>
>> Poorly-hidden secret of database efficiency: you get *lots faster*<br>
>> lookups if you organize by numeric primary keys. Sure, the topology<br>
>> on paper will have username or some other field shown as the main<br>
>> index, but your *actual* topology doesn't have to match that<br>
>> perfectly.<br>
>><br>
>>>And to make OpenID truly "universal", we need to
somehow include email<br>
>>>addresses into the scheme of things.<br>
>><br>
>> To make OpenID *truly* universal, it would have to be compatible
with<br>
>> irc:// and all the rest. That might be a good place to focus your<br>
>> efforts (and, of course, I have to mention XRI).<br>
>><br>
>> -Shade has been advocating for privacy in OpenID for over a year,
but<br>
>> was never told to get off the privacy soapbox<br>
>> _______________________________________________<br>
>> general mailing list<br>
>> </font><a href=general@openid.net><font size=2 color=blue face="Calibri"><u>general@openid.net</u></font></a><font size=2 face="Calibri"><br>
>> </font><a href=http://openid.net/mailman/listinfo/general><font size=2 color=blue face="Calibri"><u>http://openid.net/mailman/listinfo/general</u></font></a><font size=2 face="Calibri"><br>
>> _______________________________________________<br>
>> general mailing list<br>
>> </font><a href=general@openid.net><font size=2 color=blue face="Calibri"><u>general@openid.net</u></font></a><font size=2 face="Calibri"><br>
>> </font><a href=http://openid.net/mailman/listinfo/general><font size=2 color=blue face="Calibri"><u>http://openid.net/mailman/listinfo/general</u></font></a><font size=2 face="Calibri"><br>
>><br>
> _______________________________________________<br>
> general mailing list<br>
> </font><a href=general@openid.net><font size=2 color=blue face="Calibri"><u>general@openid.net</u></font></a><font size=2 face="Calibri"><br>
> </font><a href=http://openid.net/mailman/listinfo/general><font size=2 color=blue face="Calibri"><u>http://openid.net/mailman/listinfo/general</u></font></a><font size=2 face="Calibri"><br>
><br>
</font><tt><font size=2>_______________________________________________<br>
general mailing list<br>
general@openid.net<br>
http://openid.net/mailman/listinfo/general<br>
</font></tt>
<br>