Getting Django to work with OpenID is trivial; there are modules for it.
I used django_openid-consumer and I got it working in an afternoon, and I wasn't even using the integration.
So I think, yay, don't have to deal with passwords, lost passwords, changing passwords, encrypting passwords, etc. And then I get people complaining that they don't want to use OpenID because it lets the provider know that you're logging in, and so they asked for a username/password mechanism.
What's a developer to do in this situation? People can set up their own provider, but no. The set of people who don't trust OpenID providers and don't want to set up their own is apparently larger than I thought.
Posted Jan 11, 2013 16:49 UTC (Fri) by pboddie (subscriber, #50784)
To be fair, OpenID is a well-trodden path (unlike various other technologies that shall remain nameless), and there appear to be plenty of OpenID solutions, although many of them seem to rely on the same set of fundamental libraries, so that doesn't mean that the technology is necessarily well-understood even if the amount of common experience is considerable.
Sadly, like everything else, the original simple idea has raced away leaving a lot of people to abandon the idea of running their own provider, and it also doesn't help that people who supposedly accept OpenID sometimes reject identities from providers other than the big names because, paraphrasing one explanation I heard at one point, "you can't trust providers you've never heard of before". Obviously, OpenID is just about the identity and not whether that identity can be trusted with anything - something a Google-minted identity isn't going to help you decide anyway. And let us not consider the expanding interoperability matrix and all its accompanying problems.
I think we're going to see a lot more discussion around trust and decentralisation - for example, whether it is prudent to delegate any control over one's identity either by using a big-name service or by running one's own Internet-resident service on someone else's server - as people begin to question the centralised nature of their Internet interactions.