Posted Feb 21, 2011 14:14 UTC (Mon) by job (guest, #670)
Parent article: The end of OpenID?
A login system based on shuffling values with HTTP, where your identity is a URL? Only a web guy high on XML and JavaScript would have designed such a thing.
No one wants to unnecessarily rely on third parties. Who do you contact when it doesn't work? What do you have to do to prove it's their fault? Also most users probably don't want to share their identities between sites. I know I don't. Handling multiple identities on the web is a solved problem, and it's solved in the clients with keyrings and the like. Lost passwords are also a solved problem, where everyone emails one-time credentials.
As for the valid use cases of an SSO system for the web, which is owning your identity and storing credentials off-server, there is already a solution as old as SSL: client certificates. It is true that browsers could make this easier but this would happen in a jiffy if people actually used it. It is also true that it requires HTTPS but today I would regard this as a feature, not a bug.
I suspect the complete blind spot to SSL and anything that can be solved in client space is due to major NIH issues with web people rather than anything technical.