On Thu, Apr 10, 2008 at 12:40 AM, James Henstridge <<a href="mailto:james@jamesh.id.au">james@jamesh.id.au</a>> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">On 10/04/2008, Vinay Gupta <<a href="mailto:hexayurt@gmail.com">hexayurt@gmail.com</a>> wrote:<br>
> I think that kind of misses the point. The *namespace* that google manages<br>
> is now open for business as an OpenID provider. It's an unanticipated<br>
> side-effect of the APIs.<br>
><br>
> I think it's kind of a big deal, actually, in terms of how OpenID is right<br>
> from an engineering perspective and how it can spread in unexpected ways. If<br>
> only login were so easy.<br>
<br>
</div>This service seems pretty much equivalent to Simon Willison's<br>
<a href="http://idproxy.net" target="_blank">idproxy.net</a> service for Yahoo accounts.<br>
<br>
The big difference between this sort of service and actial OpenID<br>
Provider support from Google/Yahoo is a matter of trust.<br>
<br>
With an OP run by Google, the user needs to trust Google. With this<br>
OP, the user needs to trust whoever is running the OP not to<br>
impersonate them. Given the lack of contact information, I'd be<br>
hesitant to use identities managed by that service and would not<br>
recommend others rely on it.</blockquote><div><br></div></div>James,<br><br><a href="http://openid-provider.appspot.com">openid-provider.appspot.com</a> was written by a Google engineer, Ryan Barrett, who also did most the work (including all the initial work) on Blogger's OpenID support:<br>
<br>References:<br><br><a href="http://appgallery.appspot.com/about_app?app_id=agphcHBnYWxsZXJ5chMLEgxBcHBsaWNhdGlvbnMYrwIM">http://appgallery.appspot.com/about_app?app_id=agphcHBnYWxsZXJ5chMLEgxBcHBsaWNhdGlvbnMYrwIM</a><br>
<a href="http://snarfed.org/space/2008-04-07_google_app_engine_launched">http://snarfed.org/space/2008-04-07_google_app_engine_launched</a><br><a href="http://snarfed.org/space/2007-12-02_openid_comments_in_blogger">http://snarfed.org/space/2007-12-02_openid_comments_in_blogger</a><br>
<br>Further, App Engine apps don't process user credentials directly. They go through an OpenID-like auth process with Google, who actually processes the email/password and tells the App Engine app that somebody logged in, at what email. You can verify this yourself by looking at the form targets and HTTP traffic. See:<br>
<br><a href="http://code.google.com/appengine/docs/users/">http://code.google.com/appengine/docs/users/</a><br><br>So I'd say you can pretty much trust an <a href="http://openid-provider.a.com">openid-provider.a.com</a> assertion that the person has a Google account. But like others have said, it's not an official Google product.<br>
<br>Brad<br><br>