
Barry Warsaw writes:
On Sep 06, 2013, at 12:36 AM, Oleg Broytman wrote:
You cannot login using OpenID to most interesting popular sites. GMail? No. Twitter? No. Facebook? FriendFeed? identi.ca? No, no, no.
I'd be surprised if you ever saw the big social networking sites support OpenID or Persona. They want to own that space themselves, so probably have no business incentive to support 3rd party systems.
Quite the reverse, unfortunately. That's why *those* sites *all* appear on most sites that support OpenID. They're not going to delegate to each other until they are forced to.
We're open source, and I think it benefits our mission to support open, decentralized, and free systems like OpenID and Persona.
Thus speaks an employee of yet another Provider-That-Won't-Accept-My-Third-Party-Credentials. Sorry, Barry, but you see the problem:

Unfortunately, we can't do it alone. What needs to happen is there needs to be a large network of sites that support login via O-D-F systems like OpenID and Persona.

Too many of the sites I use (news sources, GMail, etc) don't support them and my browser manages my logins to most of them, so why bother learning OpenID, and then setting it up site by site? I'm not against it, but it's quixotic (and therefore valuable).

One reason that OpenID and Persona fail to achieve penetration is that they overstate their mission. A protocol that any email provider can support is a protocol that provides authentication without identification (imagine what havoc Dogbert could wreak with his own Persona provider), and therefore cannot be used in authorization (except trivially). Think ident (port tcp/113). And most general-audience sites that want to provide high-quality "Web 2.0" service are going to start by asking for your demographics. It's probably at least as effective as CAPTCHA for classifying mammals and 'bots, too!

The reason that the "big" providers can take advantage of these protocols as providers without reciprocating as clients is that identities on these sites are very valuable to at least 95% of people who use them (that may or may not correspond to as much as 50% of the accounts). Losing your Facebook site for abuse of TOS is very costly: you can't even contact your "circle" easily. Nor do you want multiple logins on one of these sites, because that will double the amount of spam they send you. Bottom line: A login via Facebook-provided OpenID means that the login is unlikely to perform random mischief. Of course, those issues are easy to deal with if you have even a bit of Internet savvy.
So sites still have to worry about a deliberate attack from a Facebook user, but a serious intruder has many ways to get in the front door, so you need to lock up your Waterford crystal and Noritake china anyway whether you support global ID logins or not.