
List:       openid-general
Subject:    Re: [OpenID] "Nightmare" article on OpenID
From:       "Salvatore D'Agostino" <sal () idmachines ! com>
Date:       2010-11-19 14:08:36
Message-ID: 01b801cb87f3$42699710$c73cc530$ () com


Very good suggestion; the local identifier/mutual registration point is one
that needs effort. I would be glad to talk about some approaches here from
the physical access control

Sal D’Agostino

@IDmachines

http://idmachines.blogspot.com 

From: openid-general-bounces@lists.openid.net
[mailto:openid-general-bounces@lists.openid.net] On Behalf Of Steven
Livingstone Pérez
Sent: Friday, November 19, 2010 3:31 AM
To: general@openid.net
Subject: Re: [OpenID] "Nightmare" article on OpenID

I think most of that article was about issues in not properly developing a
web application to use their technologies rather than issues with the
technologies (though I'd acknowledge things could be improved... though they
haven't stopped me).

Perhaps it would be useful to have starter/primer architecture patterns and
coding practices for working with OpenID in the real world. Everything from
how to spot OP downtime to local identifiers.

Steven
http://livz.org

  _____  

Date: Fri, 19 Nov 2010 00:22:54 -0800
From: sknvn-openid@yahoo.com
To: general@openid.net
Subject: Re: [OpenID] "Nightmare" article on OpenID


Another very important point he raised is about the uptime. He was very
happy with RPX until it went down a few times.
Essentially any time an OP has downtime, the RP is going to be down. Since
there is no contract between RP and OP, there is no SLA. The other issue is
that different OPs will have very different uptime. So there is almost no
way for an RP to deal with hundreds of OPs when one or another may be down
at any given time. A user may select an OP that is very unreliable and not
be able to log in to the RP site.
Banks often have maintenance in the night and they may be down (as that is
normal for them) every few days.

I don't see any easy solution to this, as you are outsourcing your
authentication. The other issue related to this, and one that rarely gets much
attention, is account recovery. If somehow a user is unable to
recover his account at the OP, there has to be a way for any RP to allow them to
recover their account at the RP site. This is a must if a user has paid for a
service.


Thanks

Naveen

  _____  

From: Johannes Ernst <jernst+openid.net@netmesh.us>
To: List OpenID <general@openid.net>
Sent: Thu, November 18, 2010 9:19:57 PM
Subject: Re: [OpenID] "Nightmare" article on OpenID



On Nov 18, 2010, at 16:11, Allen Tom wrote:

The author raises many important issues for consumer oriented websites that
are trying to accept 3rd party logins, and I think we as a community should
listen and take the author's feedback very seriously.

I strongly agree with Allen.

Even if the author was all wrong (he isn't -- I've run into some of the same
issues) it clearly indicates that there is a lot of work to be done, at the
very minimum documenting everything so well that few people can get it
wrong. Nothing is a faster way into irrelevance than claiming the customer
is wrong.

Especially:

1) Directed Identity / PPID (Pairwise Pseudonymous Identifier) /
non-correlatable RP-specific identifier - is great in theory, but does not
provide enough value to most RPs to justify implementing OpenID.

Some people may remember me arguing "what about customer service" so many
years back. If I can't tell my identifier to the customer service guy on the
phone, how is it ever going to work? Amusingly, this article refers exactly
to that use case.

PPID identifiers have no history, no data, and no reputation - why would any
RP want this? Also, as the author pointed out, changing the PPID based on
the realm/return_to means that RPs will "lose all their users" if they ever
switch their domain/realm. There are many valid reasons why RPs would want
to have multiple realms/domains, or to change them around.
2) username@provider identifiers are necessary for users to contact the RP
via customer support and other out of band mechanisms. For all practical
purposes, the email address is really required.
If the user remembers their e-mail address but not anything else (like URL),
that's a tautology.
3) We often talk about OpenID's value to end users, but we don't talk enough
about giving value to RPs. The main hurdle to OpenID adoption is that RPs
don't see enough value in OpenID, especially relative to other proprietary
alternatives. 
For a really harsh critique of OpenID, I highly recommend reading Yishan
Wong's (ex Facebook/Paypal) tirade against OpenID on Quora:
http://www.quora.com/What-s-wrong-with-OpenID
Allen

On Wed, Nov 17, 2010 at 4:01 PM, Bill Shupp <hostmaster@shupp.org> wrote:

http://blog.wekeroad.com/thoughts/open-id-is-a-party-that-happened

_______________________________________________
general mailing list
general@lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general
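As an added illustration of Allen's first point and Johannes's reply (this is example code I wrote, not code from the OpenID project or from anyone in the thread): an OP that derives the pairwise identifier with an HMAC over the RP's realm gives every RP an identifier that cannot be correlated with another RP's, but that same derivation makes the identifier change the moment the RP changes realm, so accounts keyed on it stop matching. Binding the derivation to a stable sector identifier that an RP registers once for all of its realms keeps the unlinkability across RPs while surviving a realm move. The `register_sector` step, the OP key and the realm names are constructed assumptions for the example.

```python
"""Pairwise pseudonymous identifiers (PPIDs) and the realm-change problem.

Added illustration; not code from the OpenID project or from the thread.
"""
import hashlib
import hmac

# Constructed OP-side secret for the example. A real OP keeps this in a secret
# store; rotating it changes every PPID ever issued, so rotation is a migration.
OP_PAIRWISE_KEY = b"constructed-demo-key-not-for-real-use"


def derive_ppid(local_user_id: str, scope: str) -> str:
    """HMAC over (scope, user): stable within a scope, unlinkable across scopes
    for anyone without the OP's key. Truncated to 32 hex chars for readability."""
    msg = scope.encode() + b"\x00" + local_user_id.encode()
    return hmac.new(OP_PAIRWISE_KEY, msg, hashlib.sha256).hexdigest()[:32]


class OpenIDProvider:
    """Toy OP. Scope is the RP's realm unless the RP registered a sector that
    groups several realms; the sector-registration step is an assumption."""

    def __init__(self) -> None:
        self.sector_of_realm: dict[str, str] = {}

    def register_sector(self, realm: str, sector: str) -> None:
        self.sector_of_realm[realm] = sector

    def identifier_for(self, local_user_id: str, realm: str) -> str:
        scope = self.sector_of_realm.get(realm, realm)
        return derive_ppid(local_user_id, scope)


def unlinkable_across_rps(op: OpenIDProvider, user: str, realm_a: str, realm_b: str) -> bool:
    """Privacy property: two unrelated RPs must not receive the same identifier."""
    return op.identifier_for(user, realm_a) != op.identifier_for(user, realm_b)


def survives_realm_change(op: OpenIDProvider, user: str, old_realm: str, new_realm: str) -> bool:
    """Stability property: an RP account table keyed by the PPID issued under the
    old realm must still find the user after the RP moves to the new realm."""
    accounts = {op.identifier_for(user, old_realm): {"display": user, "paid": True}}
    return op.identifier_for(user, new_realm) in accounts


if __name__ == "__main__":
    op = OpenIDProvider()
    old, new = "https://www.example.com", "https://example.com"
    print("unlinkable across RPs:", unlinkable_across_rps(op, "alice", old, "https://forum.example"))
    print("realm-keyed PPID survives realm move:", survives_realm_change(op, "alice", old, new))
    op.register_sector(old, "example-sector")
    op.register_sector(new, "example-sector")
    print("sector-keyed PPID survives realm move:", survives_realm_change(op, "alice", old, new))
```

The realm-keyed run reproduces the "lose all their users" outcome the article describes; the sector-keyed run shows that the fix is an explicit registration relationship between RP and OP, which is exactly the "mutual registration point" Sal flags as needing effort, and that the RP should in any case keep a recovery path of its own (a verified email address) rather than rely on the asserted identifier alone.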

