I'm sorry, I still don't see the advantage of OpenID. Can anyone explain why it's any more convenient than username/password? I still haven't bothered to sign up for StackOverflow because the signup seemed far more complicated than it is for just about any other Web 2.0 site.
When I signed up for StackOverflow, I typed in "http://jrock.us/" as my OpenID, and was finished. No password, no email, no "click this link to confirm your email", etc. If SO gets hacked, they have no useful information of mine. If my OpenID provider gets hacked, I remove a few lines of HTML from my index.html page, and can use a different provider. There is only a tiny window where my accounts can be compromised: either until I take down the redirect, or until the provider itself is taken down.
(Compare this to the Perlmonks debacle, where my plaintext password is now known to the world, and I had to change the password on every website I've ever used. That is what I consider "complicated".)
I wouldn't know where to begin to set that up -- there's the complicated part. Honestly, this should all be built into the browser -- all this web-service stuff is entirely the wrong approach.
I think it is complicated in that you are put in front of so many buttons and choices, whereas before it was one way: username and password.
This is probably the main user-friendliness issue with OpenID. It's made worse by the fact that your Google/Yahoo OpenID is some long URL and that typing in your Yahoo/Gmail in an OpenID 1.0 box doesn't redirect you to the login page like an OpenID 2.0 box.
It's about my ability to have a single ID if I want one.
I feel that my online ID is andrewducker.livejournal.com - it's been the centre of my online social life since 2001, it's where I keep in contact with my distributed friends, where I post things I think about. In a very real way, it's my defining online identity.
And now, thanks to OpenID, I can carry that identity with me to other sites. If I post on Stack Overflow I'm posting as _me_ - not just as whatever user id I happened to get in the gold rush.
That matters to me. If it doesn't matter to you then that's fine. But it's important to me.
In this world, perhaps the less that's directly attributed to you the better off you are.
Your identity is also tied to LiveJournal. I have no such place that I would want my identity tied to. I could run my own OpenID server or some such thing, but that's even more of a pain in the ass.
In this world, perhaps the less that's directly attributed to you the better off you are.
Only if you're ashamed of what you say, or are stuck in a place where your views are constantly held against you. Neither of those is true of me, for which I am duly grateful.
You could use a dedicated OpenID provider, like MyOpenID. If you have a simple website or blog where you can edit meta tags in the HTML, then you can delegate. For example, I use my blog as my OpenID, but I don't want to run a server myself, so I delegate to MyOpenID. They handle the heavy lifting, security (I use a private SSL key), and I still get to control my identifier.
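The delegation described above comes down to a few `<link>` tags in the `<head>` of your own page, which is also why "removing a few lines of HTML" is enough to drop or switch providers. As an added example (not code from the thread, and not anyone's real setup; every host name is a placeholder), here is a small relying-party-side discovery routine that reads those tags, plus the edit a user makes to point at a new provider:

```python
import re
from html.parser import HTMLParser

# Constructed sample identity page (not a real site): the user's own URL
# delegates to a hosted provider. OpenID 1.x reads openid.server /
# openid.delegate; OpenID 2.0 reads openid2.provider / openid2.local_id.
SAMPLE_IDENTITY_PAGE = """<html><head>
<title>my identity page</title>
<link rel="openid.server" href="https://provider.example/server">
<link rel="openid.delegate" href="https://alice.provider.example/">
<link rel="openid2.provider" href="https://provider.example/server">
<link rel="openid2.local_id" href="https://alice.provider.example/">
</head><body>hello</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect rel -> href for every <link> tag on the page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = dict(attrs)
        rel, href = attr.get("rel"), attr.get("href")
        if rel and href:
            for token in rel.split():  # rel may carry several space-separated values
                self.links.setdefault(token.lower(), href)


def discover_delegation(html_text, claimed_id):
    """Return (provider_endpoint, local_id, protocol_version) for a claimed
    identifier page, or None when the page delegates to nobody.

    OpenID 2.0 tags win over 1.x tags. Without a delegate/local_id tag, the
    claimed identifier is itself the identifier the provider must assert.
    Whoever can edit this page controls which provider speaks for the
    identity, so the page is the root of trust for the relying party."""
    parser = _LinkCollector()
    parser.feed(html_text)
    parser.close()
    links = parser.links
    if "openid2.provider" in links:
        return (links["openid2.provider"], links.get("openid2.local_id", claimed_id), 2)
    if "openid.server" in links:
        return (links["openid.server"], links.get("openid.delegate", claimed_id), 1)
    return None


# Any <link> whose rel starts with "openid." or "openid2." is a delegation line.
_OPENID_LINK = re.compile(r'<link\b[^>]*\brel="openid2?\.[^"]*"[^>]*>\s*', re.IGNORECASE)


def redelegate(html_text, new_endpoint, new_local_id):
    """The 'remove a few lines and use a different provider' step: strip the
    old delegation links and insert ones pointing at the new provider."""
    cleaned = _OPENID_LINK.sub("", html_text)
    new_tags = (
        f'<link rel="openid.server" href="{new_endpoint}">\n'
        f'<link rel="openid.delegate" href="{new_local_id}">\n'
        f'<link rel="openid2.provider" href="{new_endpoint}">\n'
        f'<link rel="openid2.local_id" href="{new_local_id}">\n'
    )
    return cleaned.replace("</head>", new_tags + "</head>", 1)


if __name__ == "__main__":
    print(discover_delegation(SAMPLE_IDENTITY_PAGE, "https://alice.example/"))
    moved = redelegate(SAMPLE_IDENTITY_PAGE, "https://other.example/op",
                       "https://alice.other.example/")
    print(discover_delegation(moved, "https://alice.example/"))
```

A real relying party fetches the claimed identifier over HTTP (ideally HTTPS) before calling something like `discover_delegation`, and then checks that the provider's eventual assertion names the same endpoint and local identifier it discovered; that check is what stops a provider from asserting an identity it was never delegated.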
See, I could do that, yes. But exactly how many steps, how much technology, and how many organizations are between me and the site I'm logging into? It just doesn't seem worth the effort. What's the payoff?
I have no such place that I would want my identity tied to. I could run my own OpenID server but that's even more of a pain
You don't need to run your own server. Just get an OpenID from myopenid.com. Get several. Then your ... deniable posts won't be "directly attributed" to the one that's in your real name.
You don't need to invent a brand new password for each site you sign up for, but it's more secure than reusing the same password on every site. The new OpenID+OAuth hybrid protocol described in the linked article greatly improves convenience by allowing a site you are signing in to to request access to e.g. your contact list at the same time - so two clicks and you're logged in and have granted access to further information. http://trendly.com/ is a great example of this flow in action.
It sounds like a solution in search of a problem. I don't really need security for my slashdot account or hacker news.
Now combining with OAuth is interesting, but I don't have a "contact list" anywhere. I don't really have any information that I need (or want) to share between sites. It's definitely a cool option though, so I won't bemoan its existence. However, I am annoyed at sites that require OpenID without the standard alternative.
OpenID 1.0 was not very useful, and 2.0 is supposed to allow you to sign in using Gmail, Yahoo, etc., but the OpenID libraries (for PHP at least) are buggy in this support.
Before OAuth, I think all you get after authenticating is their OpenID identifier, which isn't much info. The user would still have to provide common profile data like name and email.
So OpenID is really just meant to allow you to have one account to login to all your sites, rather than to make it easier to sign up for new sites.
OpenID 1.0 and OpenID 2.0 both support a thing called "simple registration" (this is before the OAuth work) which lets the site you are logging in to ask the OpenID provider for some basic profile information - email address, nickname, postal code etc - which can then be used to pre-fill the signup form on the site. That's the feature that's meant to make it easier to sign up for new sites, and it's been working for several years now.
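As an added example (not code from the thread or from any OpenID library; endpoints, identifiers and the response values are constructed placeholders), here is the relying-party side of simple registration: the authentication request lists the fields it wants, and the response handler pre-fills the signup form only from fields the provider actually returned and included in the signed field list. It assumes the response signature has already been verified, which is the step that makes the signed list meaningful.

```python
from urllib.parse import urlencode, parse_qsl

OPENID2_NS = "http://specs.openid.net/auth/2.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"


def build_auth_request(endpoint, claimed_id, local_id, return_to, realm,
                       required=(), optional=()):
    """Build the checkid_setup redirect URL, asking the provider for SREG
    fields. 'required' fields the user must release or the provider may
    refuse the request; 'optional' ones the user can withhold."""
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": local_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.ns.sreg": SREG_NS,
    }
    if required:
        params["openid.sreg.required"] = ",".join(required)
    if optional:
        params["openid.sreg.optional"] = ",".join(optional)
    return endpoint + "?" + urlencode(params)


def extract_sreg(response_query):
    """Return only the SREG fields the provider both sent and signed.

    Assumption: the signature over the fields named in openid.signed has
    already been verified (association MAC or check_authentication). This
    function just refuses to trust any profile field outside that signed
    list, and silently yields nothing for fields the user did not release."""
    fields = dict(parse_qsl(response_query))
    if fields.get("openid.ns.sreg") != SREG_NS:
        return {}
    # openid.signed lists field names without the "openid." prefix.
    signed = set(fields.get("openid.signed", "").split(","))
    profile = {}
    for key, value in fields.items():
        if key.startswith("openid.sreg."):
            name = key[len("openid.sreg."):]
            if "sreg." + name in signed:
                profile[name] = value
    return profile


def prefill_signup_form(profile, wanted=("nickname", "email", "postcode")):
    """Pre-fill only what arrived; anything missing is left for the user,
    since nothing guarantees the provider or user supplies every field."""
    return {field: profile.get(field, "") for field in wanted}


# Constructed positive assertion (placeholder values, not a real provider):
# email and nickname are signed, postcode is present but NOT in openid.signed.
SAMPLE_RESPONSE = urlencode({
    "openid.ns": OPENID2_NS,
    "openid.mode": "id_res",
    "openid.claimed_id": "https://alice.example/",
    "openid.identity": "https://alice.example/",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.sreg,sreg.email,sreg.nickname",
    "openid.ns.sreg": SREG_NS,
    "openid.sreg.email": "alice@example.invalid",
    "openid.sreg.nickname": "alice",
    "openid.sreg.postcode": "00000",
})

if __name__ == "__main__":
    print(build_auth_request("https://provider.example/server", "https://alice.example/",
                             "https://alice.example/", "https://rp.example/return",
                             "https://rp.example/", required=("email",),
                             optional=("nickname", "postcode")))
    print(prefill_signup_form(extract_sreg(SAMPLE_RESPONSE)))
```

The unsigned postcode in the sample is dropped on purpose: a field that is not covered by the signature could have been added or altered in transit, so a signup form should never be pre-filled from it.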
The last time I tried implementing OpenID I remembered that this was not a consistent feature in that you cannot guarantee this information from the registrant.
You don't have to type your password as often, remember as many passwords (if you would use different ones for different sites), or keep passwords in sync (if you would use the same password at many sites).
All the sites I visit remember my password. My browser remembers my password on top of that. My browser is synced to all my other browsers, etc.
Given the StackOverflow example, it would take exactly 5 seconds to type in my usual username and insecure password and start using the site. The whole OpenID thing seems like a hell of a lot more work.
I can type those strings in my sleep; what string do I type in to log in to an OpenID site? Oh, you mean I have to find that string somewhere? Probably typing in a lot more than 2 strings to sign up for it? Yeah, I thought so.
You might think I'm being purposely difficult -- and maybe I am. But I'm an intelligent user, I visit Hacker News, etc. Imagine rolling this out to your average web user? Good luck with that.
Why should we let "the average web user" hold everyone else back?
You might think I'm being purposely difficult -- and maybe I am.
I'm not, but I agree that you are. Sometimes times change. You are probably one of the people that adds that "Stop HTML Email" ribbon to your mail signature because the first mainframe you used didn't let you send formatted email. It's not 1960 anymore.
Hold everyone back from what? Technology for technology's sake? Why do all this? For security? So nobody can hack into my Flickr and look at my pictures of my kittens? For convenience? I have to sign up to some completely unrelated service so I can log in to your site?
The average web user isn't going to give a crap, and honestly neither do I. And I generally love technology for technology's sake.
And don't get me started on how horrible HTML email is... ;)
Your Flickr account security probably matters to you a lot more than you think. Plenty of people thought the security on their Facebook accounts "didn't really matter", then 4chan got hold of a bunch and used them to totally destroy people's reputations with their real-life friends: http://thecoffeedesk.com/news/index.php/2009/08/22/4chan-hac...
You have to sign up for some completely unrelated service to receive the "validate your email" link. So OpenID is nothing new in this respect; you have always had to have an unrelated service to sign up for websites.
The point now is that every site you visit doesn't have to have your password and email.
A lot of Web 2.0 sites don't even bother validating your email anymore -- such as Hacker News, Reddit, etc. They have a username and password that isn't connected to anything. That works for me.
And I don't have to sign up for some completely unrelated service to receive an email -- everybody already has email.