GCN (Government Computer News) covers OpenID

I had the same thoughts, but not quite as strongly as you.  I think it
shows once again that the difference between OpenID and InfoCards is
not understood.  We might want to reach out to the author (or leave a
comment) about the small number of inaccuracies, but I don't think
that it deserves a post by itself.

--David

On Fri, Sep 25, 2009 at 10:23 AM, Chris Messina <chris.messina@...> wrote:
>
> The article is here:
>
> http://gcn.com/articles/2009/09/28/openid-authentication-for-federal-web-sites.aspx
>
> Unfortunately, it suffers from a number of inaccuracies or misleading
> statements, which may warrant a simple blog post welcoming this
> review, but highlighting some clarifications:
>
> "OpenID is fundamentally a way you can use your browser to
> authenticate to a Web site by using a third-party identity provider,"
> said Drummond Reed, one of the founding board members of the OpenID
> Foundation, which oversees OpenID.
>
>>> Drummond was indeed a founding member of the OIDF, but this quote makes it sound like he's speaking on behalf of the OIDF board, which I don't think was his intention...
>
>
> "For users, the chief appeal of OpenID is that it could provide a
> single name and password combination for a wide variety of sites."
>
>>> This kind of language concerns me — and I've recently heard feedback that the government will be able to "get your Facebook password" if you use OpenID on a government site... while the convenience of this statement is not to be ignored, it should be clarified that one's password is NEVER shared with an OpenID consumer/relying party (or the government!).
>
>
> "The list of consumer Web sites that accept OpenID as credentials is
> growing, even if they lean toward the geeky side: Slashdot, Facebook,
> Google, Technorati, LiveJournal and Yahoo. "
>
>>> Google, Yahoo and Technorati do not accept OpenID credentials, AFAIK. They provide them, but do not accept them.
>
>
> "The OpenID Foundation says more than 27,000 sites use the protocol,
> although actual use on the part of the Web populace remains an open
> question: One Internet service, called WetPaint, dropped support for
> OpenID, noting that of its 1 million registered users, only 200 logged
> on with OpenID accounts. Other sites, such as Facebook and Google,
> hide their OpenID log-on pages."
>
>>> As of July, according to Janrain, it looks like we're closer to 50K relying parties:
>
> http://blog.janrain.com/2009/07/relying-party-stats-as-of-july-1-2009.html
>
> And, while it's true that Wetpaint removed OpenID from their site, I
> can personally attest to how AWFUL their implementation was:
>
> http://www.flickr.com/photos/factoryjoe/2478951850/
>
> Also, Google doesn't so much as hide their OpenID logon pages as they
> don't support it (unless we're talking about Google Apps for your
> Domain?
>
>
> "A Web site that uses OpenID credentials assumes only that any OpenID
> provider is supplying verification that a person wishing to register
> under a certain account knows the password of that account, the OpenID
> Foundation’s Reed said. "
>
>>> Once again, it would appear that Drummond is speaking on behalf of the OpenID Foundation.
>
> Otherwise, it's a pretty good article.
>
> Chris

Genetlemen,

Hello! This is the author of the story, Joab. Thanks for the CC'ing me--I will indeed make these clarifications and corrcections to th online version of the article.

I deliberately kept the Information Card out of this article if only to simplify the explanation of OpenID as much as possible. I think with many of our readers, we are starting at ground zero at explaining this concept. So, for better or worse, I was simplifying. I do plan on writing a separate blog entry explaining the Information Card in detail, however...

joab

Chris Messina wrote:

The article is here:

http://gcn.com/articles/2009/09/28/openid-authentication-for-federal-web-sites.aspx

Unfortunately, it suffers from a number of inaccuracies or misleading
statements, which may warrant a simple blog post welcoming this
review, but highlighting some clarifications:

"OpenID is fundamentally a way you can use your browser to
authenticate to a Web site by using a third-party identity provider,"
said Drummond Reed, one of the founding board members of the OpenID
Foundation, which oversees OpenID.

 

Drummond was indeed a founding member of the OIDF, but this quote makes it sound like he's speaking on behalf of the OIDF board, which I don't think was his intention...
     

"For users, the chief appeal of OpenID is that it could provide a
single name and password combination for a wide variety of sites."

 

This kind of language concerns me — and I've recently heard feedback that the government will be able to "get your Facebook password" if you use OpenID on a government site... while the convenience of this statement is not to be ignored, it should be clarified that one's password is NEVER shared with an OpenID consumer/relying party (or the government!).
     

"The list of consumer Web sites that accept OpenID as credentials is
growing, even if they lean toward the geeky side: Slashdot, Facebook,
Google, Technorati, LiveJournal and Yahoo. "

 

Google, Yahoo and Technorati do not accept OpenID credentials, AFAIK. They provide them, but do not accept them.
     

"The OpenID Foundation says more than 27,000 sites use the protocol,
although actual use on the part of the Web populace remains an open
question: One Internet service, called WetPaint, dropped support for
OpenID, noting that of its 1 million registered users, only 200 logged
on with OpenID accounts. Other sites, such as Facebook and Google,
hide their OpenID log-on pages."

 

As of July, according to Janrain, it looks like we're closer to 50K relying parties:
     

http://blog.janrain.com/2009/07/relying-party-stats-as-of-july-1-2009.html

And, while it's true that Wetpaint removed OpenID from their site, I
can personally attest to how AWFUL their implementation was:

http://www.flickr.com/photos/factoryjoe/2478951850/

Also, Google doesn't so much as hide their OpenID logon pages as they
don't support it (unless we're talking about Google Apps for your
Domain?


"A Web site that uses OpenID credentials assumes only that any OpenID
provider is supplying verification that a person wishing to register
under a certain account knows the password of that account, the OpenID
Foundation’s Reed said. "

 

Once again, it would appear that Drummond is speaking on behalf of the OpenID Foundation.
     

Otherwise, it's a pretty good article.

Chris