Again: What's the good in OpenID for me?

Joseph A Holsten joseph at josephholsten.com
Fri Jan 9 18:41:35 UTC 2009


To those watching: A friendly reminder, don't feed the trolls.

Márcio Vinícius Pinheiro wrote:
> What kind of license does Yahoo have to be a provider? What are their
> obligations?
All the people who developed OpenID have basically provided patent  
non-asserts, so there is no license or obligations to use. It's open.

The OpenID foundation has no power or desire to make Yahoo! do their  
bidding. But we would all love to convince them to be a relying party  
(allow people to authenticate on their site with OpenID). Can you  
think of any particularly convincing business value they would gain  
from being a relying party? I know a few yahoo fellows are here.

> I still didn't understand the use of an URL (like my blog address)  
> as an ID. Wasn't it about username/password?
This is a common issue with OpenID. Some people even want email  
addresses as OpenIDs. The simplest explanation is that OpenID was  
originally aimed at bloggers, who typically are quite fond of their  
blog url. But these days, most OpenID implementations are trying to  
hide that in their UIs.

If that interests you, you should investigate the XRI TC at OASIS.  
They're working on the underlying standards that let a site find your  
OpenID provider and talk to them.

> Maintainers of OpenID should carefully read this:
> http://idcorner.org/2007/08/22/the-problems-with-openid/
This covers the points:
- phishing
- security is no better than DNS
- recycling
- correlation & collusion
- usability
- too many OPs, not enough RPs
- impersonation by the OP
- dependence on OP availability
- submarine patent claims

Most regulars on the list are well aware of these issues. If you (or  
anyone else) are not already acquainted with these concerns, and the
potential solutions to them, please reply and someone will be happy  
to help you out. Some of the most critical claims from that post are  
by people very involved in the OpenID community. For example, Ben  
Laurie, who mentioned some of the security/trust concerns, is working  
to fix trust with XRD. Some of the privacy concerns were brought up  
by someone who was on the OpenID Board at the time, Tom Allen. ; )

Finally, we understand you've got issues with the way OpenID works  
today. We'd love to know about any new problem you find in OpenID,  
especially if you can propose a solution. But do try to be polite.

http://josephholsten.com