I’ve had some interesting conversations with people lately regarding OpenID. What is OpenID? It’s one login/password for every site that supports it. As you may have noticed we’ve implemented it here in the comments, and soon you will need an OpenID in order to leave a comment. Microsoft tried to do this with Passport years ago, and many websites including eBay tried it out. For whatever reason (trust issues with Microsoft? timing?) it didn’t work out. Typekey is a similar system and they’ve done a pretty good job, but there still isn’t widespread adoption. Part of the problem with Passport and Typekey is that they are centralized systems. OpenID, for better or for worse, is a decentralized authentication system.
Most of us have agreed that it would take some really big websites implementing OpenID for it to gain real traction. Today Kevin Rose announced that Digg is moving to OpenID to authenticate users. As usual, we are ahead of the curve and have already done so. Try to keep up, Kevin. Even bigger than Digg would be WordPress implementing OpenID as part of the core package. That would surely launch it into the mainstream. Then again, there would be almost no need for their Akismet spam prevention system. (Shoemoney side-note: the false positives are really annoying me lately.)
Unfortunately, it’s not all roses. Here are 11 reasons OpenID rocks and sucks.
Here are 5 reasons why I think OpenID Rocks:
1) One ring to rule them all – why wouldn’t you want one sign-in across all blogs?
2) Bye-bye comment spam.
3) Verify who is actually making comments. Plenty of fake Matt Cuttses and Jason Calacanises leave comments, and when the real ones do, verifying them means checking IPs or other time-consuming work.
4) MyOpenID’s (inaptly-named) affiliate system is a nice tool for developers and large site owners.
5) De-centralized authentication leaves no single player holding all the cards.
Here are 6 reasons why OpenID sucks:
1) It is (as yet) too complicated for the average website owner to implement.
2) The security implications of this type of cross-site authentication haven’t been fully explored.
3) OpenID doesn’t necessarily provide trust. There’s nothing stopping a fake Mark Cuban from creating a fake OpenID, or worse, a fake identity provider. This is the chink in the armor of the decentralized system.
4) Too confusing to users. “OK I want an OpenID. Wait..what is myopenid? Is that different from GetOpenID? Do I need to get an OpenID on all of them?”
5) Hackish implementations. For example, the WordPress plugin actually creates a local WordPress user behind the scenes. In my opinion, this is an unacceptable hack.
6) Lack of implicit strong authentication. An OpenID login is really only as strong as the identity provider’s authentication. OpenID probably should never, and will never, be used for financial logons for this reason. The flip-side is that if an IDP provides strong auth, then the OpenID is as secure as that link in the chain.
Want an OpenID? Get one here
I noticed that you had started using OpenID and had just been listening to a podcast about it so I thought it would be a good thing to look at. You are right about it being complicated to implement! I went to the official OpenID website and came away more confused than ever. I still don’t know how to get an OpenID ID.
As for getting rid of comment spam; what’s to stop a spammer creating lots of OpenID accounts (?) and using them? I don’t see OpenID as stopping spam or even going some ways towards building trust. Everything that is out there will be abused (look at MyBlogLog) and OpenID will probably go the same way. Still, if it helps legitimate users to comment on blogs then at least that’s something.
Where did you get the openID plugin? Was it easy to install?
I believe he got it from here:
http://verselogic.net/projects/wordpress/wordpress-openid-plugin/
Great plugin and very easy to install.
I believe he used the plugin here:
http://verselogic.net/projects/wordpress/wordpress-openid-plugin/
Its a great plugin and really easy to install/use.
Great article and excellent points … we’re no where near where we need to be and this thing is going to take time but we’re (hopefully) getting closer all the time.
Mike,
If an IDP came out that required some identity authentication (say, a CC verification) you could implicitly trust that IDP. Any comments from *.trustedidp.com would be a heck of a lot closer to spam-free. You’re right that OID doesn’t provide that, but it provides a mechanism which COULD be more trusted.
I installed the below-mentioned verselogic OpenID plugin. It wasn’t as easy as it should be IMHO but it wasn’t hard.
Mike Empuria here (see first post). I’ve created an OpenID account and I’m signing in to see what happens (sorry Shoe but I have to test somewhere). I can already see one SEO downside that will make SEOs not want to use this!
lol its all good
Mike, I see what you’re suggesting. I /think/ that would be fixed with a better implementation.
“Hackish implementations.” … I don’t know enough about OpenID, so forgive the ignorance of this query, but wouldn’t a local user account be required in most cases? OpenID appears to me to simply be a way of making the user login/registration procedures quicker. Wouldn’t local user accounts still exist but with an OpenID assigned to them as an alternative to the normal login option? You would still need to validate the user’s email address etc… in case the user’s implementing a fake identity server.
I’m surprised that you didn’t include phishing in your list of negatives. As far as I know, no one’s been able to come up with a satisfactory solution yet without some custom client side software.
Typekey doubles as an openid
profile.typekey.com/username
I’m getting sick of this FUD over OpenID. It has THE SAME “TRUST” AS EMAIL BASED AUTHENTICATION. The only differences are:
1. You can change your provider at any time but keep your same openID (a plus)
2. They can’t send you anything (another plus).
YOU manage your authentication. They don’t need to send you password resets etc. They don’t have an email address to sell to a third party, or to spam you with their product “newsletters”. OpenID is BETTER than email based account management.
The only true con is that you REQUIRE a website (1 page) to use one.
1) It is (as yet) too complicated for average website owner to implement.
Uh.. you paste a line of html into your index page.
2) The security implications of this type of cross-site authentication haven’t been fully explored.
It’s as secure as email as a login mechanism. If your webserver is compromised you lose. If your email server is compromised you lose. How is this any different?
3) OpenID doesn’t necessarily provide trust. Theres nothing stopping a fake Mark Cuban from creating a fake OpenID, or worse, a fake identity provider. This is the chink in the armor of the decentralized system.
Yes there is. You don’t link to the fake Mark Cuban’s provider in your page. It’s as simple as that. What’s to stop someone from making a fake email address claiming to be you?
4) Too confusing to users. “OK I want an OpenID. Wait..what is myopenid? Is that different from GetOpenID? Do I need to get an OpenID on all of them?”
This is called RTFM. Put “openid” into any search engine and there’s your answer. If someone knows enough about OpenID to want one, they will be able to find out how to get one.
5) Hackish implementations. For example, the wordpress plugin actually creates a local wordpress users behind the scenes. In my opinion, this is an unacceptable hack.
This has nothing to do with OpenID as a standard. Just the quality of the particular plugin you’re looking at.
6) Lack of implicit strong authentication. An OpenID login is really only as strong as the identity providers authentication. OpenID probably should never, and will never, be used for financial logons for this reason. The flip-side is that if an IDP provides strong auth, then the OpenID is as secure as that link in the chain.
Your “security” on financial sites is only as secure as the email address you associate with it. Your online banking security is only as secure as your email account.
Just as with email, you can be your own provider. There is no requirement to EVER trust a third party.
The ONLY WAY to compromise an OpenID account is to either compromise the webserver hosting the link to the provider, or to compromise the provider. If your email server gets compromised its the SAME RESULT.
[…] Want an OpenID? Get one here Comments […]
test
OpenID doesn’t necessarily provide trust.
It isn’t designed to: its goal was to be an identification system. Once you ID someone you can choose whether to trust them or not (or choose to trust some providers more than others).
Too complicated.
Been using openID for ages now and really would wish for open adoption. What if it were supported in phpBB? One log in for all my forums…
[…] is decentralized, any website can employ OpenID software as a way for users to sign in.”read more | digg story Bookmarking Links: These icons link to social bookmarking sites where readers can […]
[…] 11 Reasons why OpenID rocks/sucks […]
I hadn’t found this that hard to implement. Though it took a second to work out that there are both OpenID servers out there you can use, or you can create your own.
I just signed up for openid on my open id.. we’ll see how I like it.
Nice writeup though.
Can you think of a better option than creating local user accounts for people leaving comments? That’s how just about every other interactive commenting platform works, apart from anonymous stuff. The fit seemed obvious to me, but hey, I’m open to hearing alternate proposals.
[…] 11 Reasons Why OpenID Rocks/Sucks – […]
you are a moron. security is as good as the idp implements and the user is willing to futz with, no more and no less. your other points may or may not apply.
implementation would be a lot easier if the docs didnt suck. in particular, /w openid 2.0 no one has any fucking clue what XRI is nor why we need yet another naming scheme. i get that pasta meeting the wall feeling.
3) OpenID doesn’t necessarily provide trust. Theres nothing stopping a fake Mark Cuban from creating a fake OpenID, or worse, a fake identity provider. This is the chink in the armor of the decentralized system.
Yes there is. You don’t link to the fake Mark Cuban’s provider in your page. It’s as simple as that. What’s to stop someone from making a fake email address claiming to be you?
By default you would think that you accept *any* openid provider, surely spammers will be starting up their own providers which will require site to start white listing or black listing openid providers.
yeah i think i will try it out now
OpenID is a great start. I think people are expecting a new identity system to solve all issues immediately. Let’s just get started with OpenID and let the future decide how it evolves. I don’t mind reimplementing newer versions as the spec improves.
testing
so, if i want to be mr smart and nice on digg under the username Ty420, but a noob flamer on shoemoney, ppl will know me? like were all friends?
and i thought nsa spying was too much
forget this, let me keep invididual personalities and names for each site i go to. u spy !
They need a better capthca. The one they have now sucks.
I tried to sign up here with my openid and it kicked me back for some reason. Anyways, the captcha on the openid site needs improvement. It sucks.
just testing out the OpenID login
No, you’re right. The thing is I should have elaborated more. My point was actually that if an implementation isn’t complete, the results per-site will suck. BTW, shoot me an email, there’s an issue with your plugin that should probably be fixed.
Wow, all that work, and not a single valid point. Sad.
The question isn’t whether or not it is designed to. The question is SHOULD it?
Anybody who logs with the open id ‘http://www.techmag.biz/thejeshgn’ is me. And they can know about me on the same page.
This is another use of open id. Use openId delegation method and use your profile page or about page as your open id.
I don’t get your comment about local accounts… every CMS out there has some notion of users, usually an entry in a ‘users’ table. How this account is instantiated and used doesn’t matter except for the log-in. From that point on, you use a regular session cookie and keep all session data on the local server.
OpenID just helps you identify the user and do the log-in. Local accounts, whether a complicated object, or just a row in a database, are a necessary mechanism for doing any sort of user interaction on the site. For example, if you want to do OpenID attribute exchange, you’ll want to cache the attribute values locally for speedy access. OpenID includes a clear flow for the propagation and refreshing of such cached values.
In Drupal (drupal.org) for example, the authentication is cleanly pluggable and local accounts are tied to the OpenID using a standard API mechanism. Perhaps you mean to say that the WordPress plug-in leverages some code to mimic a real account creation by a user in a less than kosher way, but that’s no reason to dismiss local accounts.
I hope more sites adopt OpenID. What about phishing sites? Is it possible for a website to fake trying to authenticate to ones OpenID server (when it’s actually just capturing ones password)?
Easy to get openid, but may take a while to be adopted since only the geeks seem aware of it. Many aol users won’t know what openid is or how to use what they have been given
Hope OpenID 2.0 comes out fast with global logout and attribute queries, just like SAML and WS-FED.
If I have an existing LJ account and a myopenid account, would it be possible to forgo authentication on LJ using my LJ credentials and instead use my myopenid OpenID account?
Interesting you should say that since AOL is adopting OpenID
Thats half the point. The site NEVER gets and CANT get your password. You enter your OpenID, the site checks with your IDP, you approve it via the IDP if you’ve never done it, and the IDP passes back “OK”. It doesn’t pass any more information than that.
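The flow the comment above describes (the site never sees the password; the provider sends the browser back with a signed “OK”) still leaves the relying party with checks it must make on that redirect before it trusts the claimed identity. The following is an added example, not code from the post, any commenter, or the WordPress plugin: it plays both sides locally so it runs offline. The provider endpoint, return_to URL, association handle and MAC key are constructed placeholders (a real RP gets the MAC key from the association step, which is not shown). The signing method is the OpenID 2.0 one: an HMAC over the Key-Value form of the fields named in openid.signed, base64-encoded into openid.sig.

```python
import base64
import calendar
import hashlib
import hmac
import time

# Constructed values for the example. In a real RP the MAC key comes from the
# association established with the provider, and the parameters come from the
# query string of the provider's redirect back to return_to.
MAC_KEY = b"example-shared-mac-key-from-association"      # constructed, not a real key
OP_ENDPOINT = "https://idp.example.net/openid/server"      # hypothetical provider
RETURN_TO = "https://blog.example.org/wp-login.php?openid=1"  # hypothetical RP URL
NOW = calendar.timegm((2007, 2, 8, 12, 0, 0, 0, 0, 0))     # fixed clock for a repeatable run

# Fields a relying party must insist are covered by the signature; an assertion
# whose claimed_id or return_to is unsigned can be rewritten in transit.
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity")


def key_value_form(params, signed_fields):
    """Key-Value form of the signed fields, in openid.signed order: 'key:value\\n'."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed_fields).encode()


def compute_sig(mac_key, params, signed_fields):
    """Base64 HMAC-SHA256 over the Key-Value form (HMAC-SHA256 association type)."""
    mac = hmac.new(mac_key, key_value_form(params, signed_fields), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def build_sample_assertion(claimed_id, now=NOW):
    """Play the provider: produce the id_res parameters it would put on the redirect."""
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RETURN_TO,
        # response_nonce: UTC timestamp followed by unique characters
        "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)) + "abc123",
        "openid.assoc_handle": "assoc-0001",
        "openid.signed": ",".join(signed),
    }
    params["openid.sig"] = compute_sig(MAC_KEY, params, signed)
    return params


def verify_assertion(params, mac_key, expected_return_to, seen_nonces, now=NOW, max_skew=300):
    """Return (ok, detail) for an OpenID 2.0 positive assertion (mode=id_res)."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed = params.get("openid.signed", "").split(",")
    missing = [f for f in REQUIRED_SIGNED if f not in signed]
    if missing:
        return False, "unsigned required fields: " + ",".join(missing)
    try:
        expected = compute_sig(mac_key, params, signed)
    except KeyError as e:
        return False, f"signed field missing from message: {e}"
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        return False, "signature mismatch"
    if params["openid.return_to"] != expected_return_to:
        return False, "return_to does not match this RP"
    nonce = params["openid.response_nonce"]
    try:
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return False, "malformed response_nonce"
    if abs(now - issued) > max_skew:
        return False, "stale assertion"
    if nonce in seen_nonces:          # the same signed redirect must not log in twice
        return False, "replayed assertion"
    seen_nonces.add(nonce)
    return True, params["openid.claimed_id"]


if __name__ == "__main__":
    seen = set()
    good = build_sample_assertion("http://alice.example.com/")
    print(verify_assertion(good, MAC_KEY, RETURN_TO, seen))
    forged = {**good, "openid.claimed_id": "http://mark-cuban.example.com/"}
    print(verify_assertion(forged, MAC_KEY, RETURN_TO, seen))   # signature no longer matches
    print(verify_assertion(good, MAC_KEY, RETURN_TO, seen))     # same nonce again: replay
```

The order of the checks is deliberate: the signature is verified before anything else is read from the message, the nonce is only recorded once the signature holds, and a changed claimed_id fails without the RP ever contacting the provider. What this cannot do is tell a user that the login page they were sent to really belongs to their provider; that phishing concern, raised further up the thread, has to be handled on the provider and browser side.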
[…] ShoeMoney gave us five (5) reasons why OpenID rocks and six (6) reasons why it sucks. […]
Hi All,
There’s an open discussion on OPEN ID via SkypeCast going on tomorrow @ 4pm PST. It includes some people from AOL, Microsoft, and a few other people involved in OPEN ID. It’ll be an open forum so anyone can ask questions. If you’re interested in showing up, check out http://www.idcast.org (site is being put up today).
Hopefully I’ll see some of you there!
I don’t see how OpenID prevents comment spam : just create 10000 accounts, start spamming, done.
I think OpenID will catch on now people like LiveJournal are using it.
You should add:
6: Convenience, it’s very quick and easy to post comments on forums, blogs, web2 sites now. No email back-and-forth is needed, no permanent registration.
7: You don’t have to give your email address out to authenticate,
8: Guaranteed username. Nobody else can preregister my domain or pretend to.
test
[…] Reasons Why OpenID Rocks/Sucks Filed under: Uncategorized — recar @ 1:13 pm 11 Reasons Why OpenID Rocks/Sucks OpenID is something I have been hearing more and more about. This article points out some really […]
[…] 11 Reasons Why OpenID Rocks/Sucks – ShoeMoney […]
hello ım ahmet,from,türkish,ım,staying,in,nusaybin,and,ım,live,in,nusaybin.ım,want,to,speak,english,very well thanks yourfor,english nice to meet you see your later by
im 50/50 about openID at the moment although i spent most of the night playing around with it. I look forward to more implementation of openID on the global interweb
Have a little “for dummies” video about OpenID on my blog.
OpenID rox. “test” comments sux.
I can’t wait for OpenID to become popular
[…] 11 Reasons Why OpenID Rocks/Sucks The best summary I’ve seen so far. Short and sweet. It’s not exactly a walk in the park to implement/integrate that’s for sure. (tags: openid) […]
This is the same issue that many organizations implementing enterprise single sign on have to deal with. Applications almost always have a concept of a local account that maintains entitlements, history, etc. OpenID simply provides a global namespace and authentication method, and does nothing for authorization or other account management issues.
What would be great is if mainstream sites like Yahoo!, HotMail and AOL supported it.
Seems like OpenID is a good idea (posted this to test my id).
[…] 11 Reasons Why OpenID Rocks/Sucks – ShoeMoney™ We’re investigating implementing OpenID in Synthasite. Some interesting views from Jeremy. […]
Hello Jeremy,
it’s good to see that you are one of the early adopters who has implemented OpenID on his site and if this comment shows up, it works great :).
I would like to spread the word about this emerging technology and have submitted your site to “The OpenID Directory“. I hope this is fine for you.
Thanks and congratulations!
Thomas Huhn
Sorry for the noise, just another newbie OpenID test. Meant to do something about this before and now, thanks to you, I have. Cheers!
I’m sure there was a valid point in there somewhere.
The big issue is lack of trust, as such OpenID is useless for stopping comment spam. Since anyone can set up as an OpenID provider. As witnessed by the “test” messages in response to this post.
Indeed email authentication is probably better, as we already have established ways of blocking email from many spammers.
Authentication is the first step in any such system. If you can’t tell whether two comments are made by the same person, you can’t learn to trust someone who makes good comments. But yes, we need a simpler (to use) system with some form of trust.
Of course some of the ease of use is an implementation issue largely, how long before there is a firefox plugin or feature that just fills in the OpenID field for you, just like the password tool does.
Building trust on the other hand will always require more work, and will go wrong sometimes. Trust requires sophistication, and as con men know, sophistication is often lacking.
[…] Register an OpenID source […]
[…] 11 Reasons Why OpenID Rocks/Sucks – 11 reasons why OpenID is great/useless […]
I think using your own domain name as openID is better. You can either redirect the auth requests to a service provider or you could as well host it.
Just signed up for an ID. Not use if I’d open it up on my forum but for a blog it seems like a good idea.
Instead of creating local users, you *could* just use OpenID to verify comment authors. This makes a lot more sense for most blogs with a single author, where the only time visitors need to ever “log in” (via OpenID or otherwise) is to leave a comment.
In order for authorization to be supported, the folks in the OpenID community would need to have the desire of moving past the basics of identity. Likewise, the features of an identity selector (e.g. Cardspace) will need to change. IMHO it seems no one really cares to talk deeper about authorization as it may require too much work on their parts…
[…] 11 Reasons Why OpenID Rocks/Sucks […]
[…] Shoe Money: 11 Reasons Why OpenID Rocks/Sucks […]
The purpose of OpenID is for authentication only, not authorization. Trust has nothing to do with the former, only the latter.
But you’re right that many people find implementation too complicated. It doesn’t work on this site, for instance.
Sorry about being late to the party. I think there’s a common misconception about what OpenID is and is not. OpenID is an authentication system not an authorization system.
What’s to stop a spammer from creating their own OpenID server and creating a massive amount of OpenIDs? Nothing. They are perfectly valid OpenIDs.
What’s to prevent them from using those OpenID to post comments on your site? Well, that depends on you. You decide what forms of authorization information from what trusted providers you’re going to require. Simple example; http://botbouncer.com/ a single strong captcha associated with an OpenID. If botbouncer says that the OpenID has successfully negotiated the captcha and you choose to trust botbouncer you can authorize the user as a ‘real’ person.
Not requiring some sort of authorization is equivalent to requiring an email address in your signup form and never actually verifying the email address.
–R
Thanks for pointing out that Affiliate programs help clarify what OpenID is and helps sites to refer users to established OIP’s. I am the affiliate coordinator over at Vidoop and just wanted to mention that we have an affiliate program as well. It is a simple sign up process and is basically the same as myopenid.com’s affiliate sign up. Another point to make is that offering users a few recommendations to a few “good” OIP’s is good practice and let’s them know you are helping them select a reputable OIP. The sign up is at affiliates.vidoop.com
In regards to that last reason that OpenID sucks right now:
The team I work with is developing a beta implementation of strong, multi-factor authentication for OpenID, TrustBearer OpenID.
We’ve been concentrating on simple user experience at this point, and we are interested to learn what sort of features user will look for in this type of implementation.
With our OpenID, you basically just set-up a strong authentication device and then link the device to your OpenID URL.
Open ID has confusing documentation, but is not that hard to implement on your site. If I can do it a monkey can.. + coffee *sideways glance*. As for the comment about users on wordpress having a local login behind the scenes… would you rather all wordpress’s sensitive information associated with the user be associated with the openID, such as a user’s wordpress internal user id?? What if every site required this? This would fall flat on its face and no one would use open id for fear of revealing internal program structure.
Not sure I agree with sucks reason #1.
phpMyID ( http://siege.org/projects/phpMyID/ ) is pretty easy to set up.
This blog shows how to set it up for a couple of users.
http://www.bigsoft.co.uk/blog/index.php/2008/11/16/set-up-and-install-phpmyid
good info
Open ID is simple, just login one time to all open id network.
I love the fact that you can now use you own domain name as your OpenID. I show how to do this with WordPress at paulmyatt.com
OpenID delegations solves the problem of managing your own OpenID provider.
It’s unfortunate that it’s not better known. It’s much easier than setting up even the simplest OpenID provider since it can be done with just static HTML.
http://blog.woobling.org/2009/05/your-openid-sucks.html
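Delegation, as the comments above describe it, is nothing more than a couple of static link tags on a page you control pointing at a hosted provider; the relying party finds them by fetching the page (HTML-based discovery). The block below is an added example, not code from the post or any commenter, and it also covers the point raised earlier in the thread about allow-listing providers, since anyone can run one. The rel values are the real OpenID 1.1 (openid.server, openid.delegate) and 2.0 (openid2.provider, openid2.local_id) discovery tags; the sample page, hostnames and trusted-provider set are constructed, and the page is passed in rather than fetched so it runs offline. It also normalises the typed identifier the way OpenID 2.0 requires, so that two spellings of one URL cannot become two local accounts.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the kind of static page a commenter hosts at their own URL
# to delegate to a hosted provider. The hostnames are placeholders.
DELEGATION_PAGE = """<html><head>
<title>About me</title>
<link rel="openid.server" href="https://idp.example.net/openid/server">
<link rel="openid.delegate" href="https://alice.idp.example.net/">
<link rel="openid2.provider" href="https://idp.example.net/openid/server">
<link rel="openid2.local_id" href="https://alice.idp.example.net/">
</head><body>Hi, I'm Alice.</body></html>"""

# Providers this blog chooses to trust (constructed allow-list). The protocol does
# not make this decision; the site does.
TRUSTED_PROVIDERS = {"idp.example.net", "www.myopenid.com"}


def normalize_identifier(raw):
    """OpenID 2.0 section 7.2 style normalisation: add http:// if there is no
    scheme, lower-case the host, default the path to '/', drop any fragment."""
    raw = raw.strip()
    if not raw.lower().startswith(("http://", "https://")):
        raw = "http://" + raw
    p = urlsplit(raw)
    return urlunsplit((p.scheme, p.netloc.lower(), p.path or "/", p.query, ""))


class _LinkCollector(HTMLParser):
    """Collect <link rel=... href=...> tags; the first occurrence of a rel wins."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        if a.get("rel") and a.get("href"):
            for rel in a["rel"].split():      # rel may carry several space-separated values
                self.links.setdefault(rel, a["href"])


def discover(html):
    """HTML-based discovery: prefer the 2.0 tags, fall back to 1.1, else None."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    links = parser.links
    if "openid2.provider" in links:
        return {"version": 2, "endpoint": links["openid2.provider"],
                "local_id": links.get("openid2.local_id")}
    if "openid.server" in links:
        return {"version": 1, "endpoint": links["openid.server"],
                "local_id": links.get("openid.delegate")}
    return None


def provider_allowed(endpoint, trusted=TRUSTED_PROVIDERS):
    """Accept only https endpoints whose host is on the allow-list."""
    p = urlsplit(endpoint)
    return p.scheme == "https" and (p.hostname or "").lower() in trusted


def resolve(identifier, page_html):
    """Normalise the identifier, run discovery over its page, apply the allow-list.
    page_html is supplied by the caller here instead of being fetched."""
    claimed_id = normalize_identifier(identifier)
    found = discover(page_html)
    if found is None:
        return {"claimed_id": claimed_id, "endpoint": None, "local_id": None, "allowed": False}
    return {"claimed_id": claimed_id, "endpoint": found["endpoint"],
            "local_id": found["local_id"] or claimed_id,
            "allowed": provider_allowed(found["endpoint"])}


if __name__ == "__main__":
    print(resolve("alice.example.com", DELEGATION_PAGE))
    rogue = DELEGATION_PAGE.replace("idp.example.net/openid/server", "spam.example/op")
    print(resolve("bob.example.com", rogue))   # valid OpenID, but the provider is not trusted
```

Two things to keep in mind when wiring this into a real site. The key for the local account should be the normalised claimed_id, not the delegate (local_id), because the delegate belongs to the provider and can be reassigned. And discovery means the server fetches a URL a visitor typed in, so the fetch should be limited to http(s), given a short timeout and a response size cap, and kept away from internal addresses.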
[…] 11 Reasons Why OpenID Rocks-Sucks […]
In fact fascinating thought for me .
Will you post some a lot more ? coz i desire to follow ur twitter or facebook
I don’t know enough about OpenID, so forgive the ignorance of this query, but wouldn’t a local user account be required in most cases? OpenID appears to me to simply be a way of making the user login/registration procedures quicker.
Thanks for that post, this really helped me a great deal.
[…] Update: Reasons it rocks and sucks. […]
We’re a gaggle of volunteers and starting a new scheme in our community. Your site offered us with helpful info to work on. You’ve done an impressive process and
our whole neighborhood can be grateful to you.
This article is genuinely a fastidious one it helps
new internet people, who are wishing for blogging.