Microsoft Joins the OpenID Foundation

wertigon writes "Windows Live ID just became yet another OpenID-provider. While the cynical me wonders how long it'll be before Microsoft transforms OpenID to something proprietary, they have undoubtedly put even more weight behind the OpenID initiative. So, how long before I can use my OpenID to post on Slashdot?" Patches are always welcome, wertigon ;)

Re:Color Me Confused

[Leynos]

This is still a useful development. I can now allow MSN Messenger using friends to read my friends-only livejournal posts without having to ask them to sign up for LiveJournal or OpenID (which most people outside of geekdom will not have heard of)

Tinfoil Hat

[krgallagher]

"So, how long before I can use my OpenID to post on Slashdot?"

So how long before governments require OpenID to eliminate internet anonymity?

Misleading summary.

[blowdart]

You don't have to join the OpenID foundation to become an OpenID provider. Funnily enough Microsoft did join; but in Feburary [microsoft.com].

But as I ranted [idunno.org] on my blog, becoming a provider is useless these days; allowing authentication using OpenID would be far more impressive.

Re:Color Me Confused

[Zebedeu]

Exactly, and this half-functionality is why this move undermines OpenID and what it stands for.

You see, OpenID still works, but it works *better* if you use Microsoft's version. Soon enough you'll find that everyone's reaching for those MS ids just to remain compatible, and MS will get what they couldn't with their Passport scheme, or LiveId or however it's called these days.

It's the same embrace, extend, extinguish bullshit again, and in my opinion, the community should just reject these MS-provided ids until they learn to play ball.

Re:Color Me Confused

[HungryHobo]

I just don't get the point of this. I go to a website and there's a little note *You can use your openid here!* and I sign in with it. but wait! it was a trick, they grabbed my username and password, now they have my openid login.

Unless I've missed the point somehow and there's some way to know if the site you're on is accredited.

The cynical me

[Jeff Hornby]

While the cynical me wonders how long it'll be before Microsoft transforms OpenID to something proprietary

The cynical me wonders when the Open Source community will abandon the OpenID standard now that Microsoft has committed to it.

Re:Color Me Confused

[cparker15]

"This move" is a fundamental problem with OpenID, not Microsoft specific. Everyone wants to be a provider; no one wants to be a consumer.

Everyone? Speak for yourself. All Web-based applications that I write now accept Yadis (specifically OpenID) as an alternative/complement to traditional username/password authentication where authentication is a requirement.

Re:Color Me Confused

[Blakey Rat]

OpenID's mission is to have one single login for every single website out there. So far, it was doing great. Now, I want to check my hotmail with my (pre-existing) OpenID. No luck. Unless you start at Windows Live and move to the rest of the OpenID sites, you are no closer to achieving OpenID's goal and vision. This is a ridiculous mangling of a great idea.

The idea is bad in the first place. The fact that numerous large .coms are OpenID *providers* but don't accept OpenIDs from other providers is only a symptom of the problem. I started thinking about this when reading suggestions for the new StackOverflow.com programming site.

The problem is that when you use OpenID to log in to a website, you now rely on two sites to be up and running: the OpenID provider, and the site you're logging on to. If your OpenID provider decides OpenID isn't worth their time and cancels the service, you're SOL-- there's no way to log on to the site, and any data you've put on that site is lost forever.

There's no way to "transfer" an OpenID between different providers, nor is there any way to "combine" multiple OpenIDs into a single OpenID (for example, combining LiveJournal's and Yahoo's so you can log on to the site with either.) Without that functionality, my data is being held BOTH by the site I'm entering it into AND by Yahoo/LiveJournal/whatever.

The top suggestion for StackOverflow.com is to allow people to entire multiple OpenIDs for a single account, in case one of their OpenID providers goes down. I pointed out that this is a terrible idea, because knowing human nature, nobody will bother to enter a second OpenID until the first fails, and once the first fails they can't authenticate to enter the second anyway. If StackOverflow.com just had its own login system, it would avoid all these OpenID-related issues.

Don't get me wrong, OpenID is great for sites where you want to authenticate, but you won't be storing any data on the site. For example, reading an article at the New York Times. But for any application where you're storing data, tying it to OpenID is a huge mistake.

Anyway, the saddest thing is that Microsoft's Passport lets you merge IDs, so it's actually better-implemented than OpenID.

(P.S. I know you can buy a Dreamhost account and a domain name and become your own OpenID provider which resolves all these issues. But if you want people to use the system, you need to make it usable by normal, average human beings. OpenID isn't.)

Re:OpenID Concept still has issues.

[internerdj]

Yeah but I can't trust myself either. Who knows how many accounts I have. I don't. Ok so most follow the same general scheme but then you get the outliers who won't accept a normal scheme so you have to have a unique password for their site. There are several accounts I don't even bother to guess I just use the magic questions to log in. Wow you must either know my password or some semi-private information about me to get into say my mortgage accounts or my retirement accounts. I would welcome an entity that would let me have a single login but customer service to reset my password. But I also will have to be convinced it is techologically sound to do that without handing out my info right and left.

Re:Color Me Confused

[MindKata]

OpenID also allows more easily data mining what someone says and does on different web sites, which is a dream come true, for all data miners.

So once most people start to use OpenID, then all governments have to do, is pass a law, to either requiring them to know your OpenID, or for them get your OpenID by any other means, and then that's all they need, to workout everything you have ever said online. OpenID is one step away from removing most anonymity on the Internet. This news fits in with the other Slashdot news today, about the Internet Human Rights PR smoke screen...
http://it.slashdot.org/comments.pl?sid=1011555&cid=25554573 [slashdot.org]

Plus as people in power always seek power, then what they fear most, is the loss of power. So to them, finding out what people are saying is very important. (I.e. Knowledge is power). So one of the first things the some of the ones in power will do, is use widespead usage of OpenID to allow them to finding out every political view people post about them online.

To big businesses and governments, OpenID isn't about convience of easy logins. OpenID to them, is about data mining and so it makes sense Microsoft would want to play along with that goal.

Re:Color Me Confused

[ChrisA90278]

"At no point does the accepting site get your user name and password. You can verify this by looking at your address bar."

I bet I could get thousands of user name/password combos be putting up a web page that simply asked users to enter their user name and password. They call this "phishing". It would work.

Using any kind of login that is shared over multiple places is always not-secure. Best practice is to compartmentalize potential damage. So that if some one figures out my password for (say) this website they can't then get into my bacnk account and email. If common logins do become popular then "phishing" will become very popular.

Re:Color Me Confused

[Blakey Rat]

That's getting to a solution, but it's still far too difficult for the average person to do. And, if I'm understanding correctly, it actually makes your data held by THREE servers now:

1) The server you're trying to log into
2) The server hosting your "delegation" page
3) The server providing the OpenID

Someone correct me if I'm understanding this wrong.

Re:The cynical me

[Skapare]

The community embraces OpenID with the same zeal they would embrace OpenTeleMarketing.

Re:Color Me Confused

[aztracker1]

I have a simple solution for you... banking sites aren't likely to *ever* accept openid as a login method. However, for entering comments on a blog you've never been to before, and may never see again, or various other sites, it's a godsend. Not having to create a login, wait for an email, so you can validate your address, then go into the site again, just to put a comment of "thanks" on a blog entry that helped you to do something you were looking for is a nice thing.

OpenID imho isn't an end-all be-all solution for anything that needs to be super-secure, or imho anything dealing with money. It is a great idea for sites you haven't been to, may not return to, and don't really care about, when you need short-term access.

Re:Color Me Confused

[Raenex]

You can have more than one OpenID. Sites can still allow anonymous posting.

Besides that, there's an even bigger id that most people are tied to and don't even think about -- their IP address. How much data flows through your ISP? Talk about single points of failure. People also tend to have one email address and don't use encryption.

If you are concerned about government-thwarting privacy then you have to take active measures to gain it. OpenID is no more of a problem than any of the other things I have mentioned. On the other hand, if you don't care about people tracking your blog postings -- or maybe you want an identity -- OpenID is great.