Friday, December 01, 2006

A poor description of OpenID has added OpenID support.

Their single-line description of what OpenID provides is going to scare (or a least confuse) some.Most user already sign-in to different sites with the same password. Is 'safely' sufficient distinction?

The 'Get an OpenID' link goes to MyOpenID, the URL parametrized by an affiliate ID. Playing around with different values for this gives an interesting sense of who is using OpenID. Such an open and accessible listing of SSO partners creates for me a uneasy feeling though.


Anonymous said...

We will probably disable random browsing of the affiliate list at some point, but why does that list leave you with an uneasy feeling? Our OpenID site directory is a much more open and accessible list, but I haven't heard anyone express unease at that, nor at the similar lists on OpenID-related wikis or bookmark collections.

Paul Madsen said...

Kevin, a listing of all sites supporting OpenID is far different than an IDP's specific listing of "sites I assert identity to'. The first tells an attacker nothing about the connections by which they might jump between providers (should they compromise an identity at an IDP) - the second is like a FOAF file for provider relationships.

Anonymous said...

But an OpenID provider asserts identity to all OpenID-enabled relying parties. Sure, we'll probably be handling a greater-than-average portion of the accounts at our affiliate sites, but you can still log in using an OpenID from another provider on them. Likewise, you can use an OpenID from MyOpenID to make assertions to sites that aren't our affiliates.

It's not really significantly more likely that a MyOpenID account holder will use it with two of our affiliates than it is that they will use it with any two sites on any list of Most Popular OpenID sites.