Sunday, April 20, 2008

Confirmed Site Identity?

Update: based on a recent thread on the OpenID list, George's supposition below about the meaning of the warning is correct, Yahoo attemps to verify the RP through Yadis discovery. If the RP doesn't support the feature, the warning is the result.
----------
Wishlistr is one of the sites that Yahoo! hilites as one that you can use your Yahoo! OpenID to log-in to.

But, when I tried to do so, Yahoo! showed me the following warning


What would Wishlistr need to do to 'confirm its identity' to Yahoo such that users wouldn't see this (likely enthusiasm killing) warning?

If the warning just reflects OpenID's default trust model, why is Yahoo! giving the impression that something better (in the sense of not causing scary warnings) might be possible through Wishlistr undergoing 'site identity confirmation'?

Tags: ,

6 comments:

Michael said...

Hey Paul,

I feel your pain cause I have the same problem with my site - did you find out what to do?

Cheers,
Michael

hacker said...

Michael, I think the problem with the warning is not, actually, how you confirm your site with Yahoo, but how it is put. I'm afraid it discourages the use of OpenID as such.

Paul Madsen said...

yes to hacker, I'm not trying to get any one site to work with Yahoo!. Rather that, were I a user, the warning would make me think that Wishlistr had not availed itself of an available 'trusted site verification' process. But, I suspect the warning is just Yahoo!'s (poor) explanation of the OpenID reality, i.e. that, despite Wishlistr appearing in Yahoo!'s OpenID Gallery, Yahoo! doesn't really 'know' Wishlistr (unlike the case were Wishlistr using BBAuth)

see http://developer.yahoo.com/auth/appreg.html
for the difference

paul

Michael said...

Thanks guys - so we'll just have to live with that. That wording is definitely improvable...

practicalid said...

One of the features of OpenID 2.0 is that you can "verify" the relying party by doing XRDS "discovery" of the relying party's return_to endpoint. I know that yahoo implemented this feature. It may be that the site is not exposing it's return_to endpoint via XRDS and so the Yahoo OP can't "verify" the RP.

jduffone said...

Andrew Arnott wrote up a nice piece.

http://blog.nerdbank.net/2008/06/why-yahoo-says-your-openid-site.html