Again: What's the good in OpenID for me?

Chris Messina chris.messina at
Sat Jan 10 03:21:57 UTC 2009

Thanks Joseph.
I might also offer a post recently on similar criticisms of OpenID:

In order to understand OpenID, I think you need to look beyond where we are
today, because as a solution for what people do on the web today, it's
somewhat limited and inconsistent.

I'd also point out that we're early in the history of OpenID -- and just as
email at one point was inconsistent and confusing, I think eventually OpenID
will be made to be much more usable and accessible. But we're starting with
the web as it is today and trying very hard to move quickly to get a lot of
players on board to make this easy for folks. As a result, we're dealing
with lots of thorny issues like politics, security, usability and special
interests -- and all of those things take time to smooth out.

It will get better and is getting better, but we still have a long way to


On Fri, Jan 9, 2009 at 10:41 AM, Joseph A Holsten
<joseph at> wrote:

> To those watching: A friendly reminder, don't feed the trolls.
> Márcio Vinícius Pinheiro wrote:
>> What kind of license does Yahoo have to be a provider? What are their obligations?
> All the people who developed OpenID have basically provided patent
> non-asserts, so there is no license or obligations to use. It's open.
> The OpenID foundation has no power or desire to make Yahoo! do their
> bidding. But we would all love to convince them to be a relying party (allow
> people to authenticate on their site with OpenID). Can you think of any
> particularly convincing business value they would gain from being a relying
> party? I know a few yahoo fellows are here.
>> I still didn't understand the use of a URL (like my blog address) as an
>> ID. Wasn't it about username/password?
> This is a common issue with OpenID. Some people even want email addresses
> as OpenIDs. The simplest explanation is that OpenID was originally aimed at
> bloggers, who typically are quite fond of their blog url. But these days,
> most OpenID implementations are trying to hide that in their UIs.
> If that interests you, you should investigate the XRI TC at OASIS. They're
> working on the underlying standards that let a site find your OpenID
> provider and talk to them.
>> Maintainers of OpenID should carefully read this: http://
> This covers the points:
> - phishing
> - security is no better than DNS
> - recycling
> - correlation & collusion
> - usability
> - too many OPs, not enough RPs
> - impersonation by the OP
> - dependence on OP availability
> - submarine patent claims
> Most regulars on the list are well aware of these issues. If you (or anyone
> else) are not already acquainted with these concerns, and the potential
> solutions to them, please reply and someone will be happy to help you out.
> Some of the most critical claims from that post are by people very involved
> in the OpenID community. For example, Ben Laurie, who mentioned some of the
> security/trust concerns, is working to fix trust with XRD. Some of the
> privacy concerns were brought up by someone who was on the OpenID Board at
> the time, Tom Allen. ; )
> Finally, we understand you've got issues with the way OpenID works today.
> We'd love to know about any new problem you find in OpenID, especially if
> you can propose a solution. But do try to be polite.

Chris Messina
Citizen-Participant &
 Open Web Advocate-at-Large
This email is:   [ ] bloggable    [X] ask first   [ ] private