TechCrunch wrote an article asking if the Big Boys were exploiting OpenID. The crux of the argument was that they are providing OpenIDs, but are not accepting them. In other words, they are an OpenID Provider, but not a Relying Party. John McCrea echoes what Michael said, and Jason Kolb and David Recordon also wrote posts — and I agree that it is great that the Big Boys have joined in — but I think it is unfair of Michael and John to expect them to be Relying Parties.
Google's Blogger does take OpenIDs for comments, which, as I have stated in the past, is a good use of OpenID. But OpenID still has a ways to go before you can trust it for secure sign on. I would not want to use it for accessing my Yahoo or Gmail accounts.
Having said that, there are two things to hold the Big Boys' feet to the fire:
- Support Attribute Exchange: Single sign on is nice, but browsers will remember your password for you. (Sxipper does it really well of course!) Filling in forms and keeping your information up to date on servers would be really useful. This goes against the grain of the Big Boys as it makes it easier for users to register on sites other than their own — but it is a real benefit to the user and lowers the registration friction — and it would show that they really want to help the user as opposed to just deepening the silo.
- Advance the OpenID Technology: There are valid reasons for not being an RP for sensitive sites, but we need to advance the technology to overcome them. The Big Boys can direct some of their bright talent to working with the community in general to overcome these issues.


6 comments
March 26, 2008 at 9:59 am
Sébastien Brault
Hi Dick,
It’s very surprising reading from you "But OpenID still has a ways to go before you can trust it for secure sign on."
What exactly do you mean? Do you mean the protocol is not mature enough, or the implementations of OpenID providers are not strong enough, or ???
Thanks.
Sébastien.
March 26, 2008 at 10:31 am
Dick
The protocol is easily phished. Use of a single identifier presents a bunch of risk.
March 27, 2008 at 6:25 am
Sébastien Brault
Ok, but that’s not an OpenID specific issue, all the authentication protocols (BBAuth, Windows Live ID, AOL OpenAuth) have exactly the same problem.
On the other hand, these other protocols are offered by Big Boys. They offer their protocols to third-party web sites to authenticate their users, but they don’t accept third-party protocols. Hum, not so fair.
March 27, 2008 at 8:13 am
Dick
Not sure which problem you are referring to, Sébastien.
March 27, 2008 at 8:55 am
Sébastien Brault
You said "the protocol is easily phished".
I understood you said that because the third-party website redirects you to the identity provider, it’s easy for it to redirect you to a fake IDP to steal your login/password. Phishing becomes easier with OpenID. Did I misunderstand?
I said this problem (easy phishing) is the same with other protocols from Big Companies (BBAuth, Windows Live ID, etc.). They are encouraging third-party web sites to use their protocols but they don’t use it for themselves (they don’t use OpenID at least).
March 27, 2008 at 11:01 am
Dick
The problem is more pronounced in OpenID — but agree it is a common weakness. I was not suggesting the "proprietary" solutions were the right solutions — but they do have many smart engineers that have learned from their own work that could contribute to advancing the tech so that it is more secure.