[Python-Dev] Offtopic: OpenID Providers

Stephen J. Turnbull stephen at xemacs.org
Fri Sep 6 03:09:26 CEST 2013

Barry Warsaw writes:
 > On Sep 06, 2013, at 12:36 AM, Oleg Broytman wrote:

 > > You cannot log in using OpenID to most interesting popular sites.
 > > GMail? No. Twitter? No. Facebook? FriendFeed? identi.ca? No, no, no.
 > I'd be surprised if you ever saw the big social networking sites support
 > OpenID or Persona.  They want to own that space themselves, so probably have
 > no business incentive to support 3rd party systems.

Quite the reverse, unfortunately.  That's why *those* sites *all*
appear on most sites that support OpenID.  They're not going to
delegate to each other until they are forced to.

 > We're open source, and I think it benefits our mission to support open,
 > decentralized, and free systems like OpenID and Persona.

Thus speaks an employee of yet another Provider-That-Won't-Accept-My-
Third-Party-Credentials.  Sorry, Barry, but you see the problem:
Unfortunately, we can't do it alone.  What needs to happen is there
needs to be a large network of sites that support login via O-D-F
systems like OpenID and Persona.  Too many of the sites I use (news
sources, GMail, etc) don't support them and my browser manages my
logins to most of them, so why bother learning OpenID, and then
setting it up site by site?

I'm not against it, but it's quixotic (and therefore valuable).

One reason that OpenID and Persona fail to achieve penetration is that
they overstate their mission.  A protocol that any email provider can
support is a protocol that provides authentication without
identification (imagine what havoc Dogbert could wreak with his own
Persona provider), and therefore cannot be used in authorization
(except trivially).  Think ident (port tcp/113).  And most general-
audience sites that want to provide high-quality "Web 2.0" service are
going to start by asking for your demographics.  It's probably at
least as effective as CAPTCHA for classifying mammals and 'bots, too!

The reason that the "big" providers can take advantage of these
protocols as providers without reciprocating as clients is that
identities on these sites are very valuable to at least 95% of people
who use them (that may or may not correspond to as much as 50% of the
accounts).  Losing your Facebook site for abuse of TOS is very costly:
you can't even contact your "circle" easily.  Nor do you want multiple
logins on one of these sites, because that will double the amount of
spam they send you.

Bottom line: A login via Facebook-provided OpenID means that the login
is unlikely to perform random mischief.

Of course, those issues are easy to deal with if you have even a bit
of Internet savvy.  So sites still have to worry about a deliberate
attack from a Facebook user, but a serious intruder has many ways to
get in the front door, so you need to lock up your Waterford crystal
and Noritake china anyway whether you support global ID logins or not.