LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

The end of OpenID?

The end of OpenID?

Posted Feb 3, 2011 8:10 UTC (Thu) by ekj (guest, #1524)
Parent article: The end of OpenID?

I dunno. Seems odd to complain about the pseudonymous nature of an openid-url when the alternative, asfar as most sites are concerned, is an email-address.

In what way is bar@example.com less of a pseudonym than http://example.com/bar ? Doesn't quite make sense to me.

The email-address though, does typically make it possible to contact me, something knowing my openid-url does NOT. And this is a negative, from the POV of many website-operators, because they would just *love* to send you "important updates" aka marketing-material.

(Log in to post comments)

The end of OpenID?

Posted Feb 3, 2011 8:42 UTC (Thu) by michaeljt (subscriber, #39183) [Link]

> The email-address though, does typically make it possible to contact me, something knowing my openid-url does NOT.

This makes me imagine some middle ground. An OpenID-like system that used an e-mail address - but one of it's own - as a login. Websites that you log into would be able to send things to the e-mail address and the provider would forward them to your real address, but would only accept things signed by known, and known-well-behaved parties. Said parties might also pay a small fee (a couple of cents per e-mail?) to the provider to cover the provider's costs.

The end of OpenID?

Posted Feb 3, 2011 8:52 UTC (Thu) by ekj (guest, #1524) [Link]

Yeah, cos THAT is gonna sell !

Instead of: With OpenID you're unable to communicate directly with your users, you get: With OpenID some external organization gets veto-power over what communications you are allowed to send to your own users, and by the way, you get to pay them a few cent for performing the valuable service of censoring you.

I realise that's not quite how you meant it, but this suggestion really would go over like a lead balloon.

The end of OpenID?

Posted Feb 4, 2011 11:12 UTC (Fri) by michaeljt (subscriber, #39183) [Link]

> Instead of: With OpenID you're unable to communicate directly with your users, you get: With OpenID some external organization gets veto-power over what communications you are allowed to send to your own users, and by the way, you get to pay them a few cent for performing the valuable service of censoring you.

I do think though that while most users aren't worried about privacy in general, many are more concerned about spam. I would have thought that there would be a certain value to the providers to be able to say "give us your address and you can be sure it won't be misused", particularly if the customer doesn't know the provider very well.

The end of OpenID?

Posted Feb 4, 2011 11:16 UTC (Fri) by ekj (guest, #1524) [Link]

I sorta doubt it. Most users aren't worried about giving their email-address to some random site they want to register at, and single-source spam is in practice close to a non-problem anyway, because worst-case, you just filter it.

For those users who do care, there's already free solutions, even *hotmail* which isn't exactly the epitome of technically sophisticated users, today allow creating throw-away aliases for your email-account, for purpose of being able to give a valid email-adress, that can be dropped if it ever starts receiving much spam.

The end of OpenID?

Posted Feb 5, 2011 0:09 UTC (Sat) by giraffedata (subscriber, #1954) [Link]

A complete centralized identity manager would have in the same database with your password your email address and all other personal information typical websites might want about you. With your permission, the web site could get that whenever it wants it, thus saving you the trouble of filling in forms to register with each web site, and then updating them all when the information changes.

A mail forwarding service might be useful, but I don't think it adds much to the server just giving the sender the email address.

I would love it if I could use a web site for the first time (and every time) by just saying who I am (with some short string such as an OpenID URL).

And if that doesn't tell the web site enough about me, it can tell me to come back when I've added the required information to my identity manager and released it.

The end of OpenID?

Posted Feb 3, 2011 9:18 UTC (Thu) by epa (subscriber, #39769) [Link]

More to the point, everybody remembers their email address. Nobody remembers some weird URL you have to type (not unless every site started using OpenID all at once), and few people reliably remember their user id for a particular website. This is why all websites should support logging in with email address and password rather than some made-up 'username' and password. (You can still have usernames if you really want.)

The end of OpenID?

Posted Feb 3, 2011 9:19 UTC (Thu) by spaetz (subscriber, #32870) [Link]

> In what way is bar@example.com less of a pseudonym than http://example.com/bar?

Because I know my email address very well while I always have to look up my openid url (https://me.yahoo.com/spaetz) :-)?

Fortunately and that is too little known, it is very easy to insert a redirect header in any webpage you control and use that URL as openid url. Which makes it very conventient to use as I know the URL of my private homepage by heart...

Logins via openid can ask the openid provider for a email address and get it prefilled *if the user consents*.

The end of OpenID?

Posted Feb 3, 2011 22:09 UTC (Thu) by bangert (subscriber, #28342) [Link]

having driven websites with thousands of signups a day, i can tell you that people do NOT generally know their email -- or the spelling thereof...

...even if you ask the user to input the email twice!

The end of OpenID?

Posted Feb 5, 2011 21:11 UTC (Sat) by madhatter (subscriber, #4665) [Link]

Spaetz makes a very good point there. Being a fan of OpenID myself, and having read both the 37signals and the webmonkey articles, I was struck by the extent to which people seem to be misusing OpenID.

If you're trying to remember an OpenID URL of the format http://OddSubdomain.OpenIDProvider.tld/WeirdAccountName, you're doing it wrong. The right way to use it is to have your OpenID as http://my.vanity.domain/ , perhaps appending /openid or some simple string, and from that domain, which you control, nominating your OpenID provider _du jour_, which can - and probably should - change regularly.

This gets rid of the "I forgot my account details with my provider so I got locked out" problem, which seem to be many of the problems in both the articles mentioned above. I have in fact locked myself out of my provider twice, and each time, I found a new provider and switched in minutes, because the OpenID URL I had registered was on a domain under *my* control, not some third party's.

I'm a big fan of OpenID and I'm sorry it won't catch on with most sites, and I'm fairly sure the reason why it won't is, as has been said here already, the benefits are all to me, not to the site owner. I look forward to being able to use it on LWN soon.

The end of OpenID?

Posted Feb 7, 2011 13:24 UTC (Mon) by spaetz (subscriber, #32870) [Link]

yep, that's how I do it too. There is not even a need to append /openid to the url.

These 2 lines in index.html is all I need to be able to use http://sspaeth.de as my openid url.

<link rel="openid2.provider openid.server" href="http://www.myopenid.com/server"/>
<link rel="openid2.local_id openid.delegate" href="http://obscureopenidprovider.com/obscureopenidaccountname"/>

The end of OpenID?

Posted Feb 8, 2011 12:40 UTC (Tue) by nix (subscriber, #2304) [Link]

And unless you're an OpenID geek there's no way you'll realise that. I've got an OpenID identity that I can never remember because I can never remember the URL. Would I have thought of the trick you propose? Not in a million years.

The end of OpenID?

Posted Feb 8, 2011 12:47 UTC (Tue) by madhatter (subscriber, #4665) [Link]

I rather agree with you, but I still think it's due to the way that OpenID is being mis-sold (as it were). None of us comes into the world fully versed in the protocol, so we all have to learn about it from somewhere or someone. I was lucky that I caught it early on, and read the protocols, and saw how it was supposed to be used - it's not a trick, it's clearly what's intended by the authors.

But there's no reason why those providing OpenID authentication servers couldn't do a better job of telling people how it's supposed to be used. Except, presumably, that they, too, don't want to help their user community free themselves from linkage to their providers.

I despair, really I do.

The end of OpenID?

Posted Feb 8, 2011 14:53 UTC (Tue) by jamesh (guest, #1159) [Link]

If you are using Yahoo as your provider, you should be able to enter "yahoo.com" as your identifier for most sites.

This will trigger an Identifier Select authentication request, where the actual OpenID identifier is only determined when the response is sent to the relying party. This way, all users of an identity provider can use the same starting URL.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds