Talk:OpenID/Archive 1

Diagram?
Can anyone who understands the process create a simple diagram showing the entities and the flow of data between them? —Preceding unsigned comment added by DannyStevens (talk • contribs) 10:13, 25 May 2009 (UTC)

Register?
How do I actually get an OpenID? —The preceding unsigned comment was added by Pavithran (talk • contribs).


 * You would get an OpenID by having an account on a service which provides them, or by registering a url you control with an identity provider and inserting the correct links into the page at the claimed url. See the second bullet in the URLs section of the article for more information. Caffeinepuppy 06:36, 29 October 2006 (UTC)


 * If you have an AOL account, you have an OpenID following support by AOL; you can also use Microsoft CardSpace, or just check here http://openid.net/wiki/index.php/OpenIDServers or the link Caffeinepuppy provided. Atomic1fire 23:47, 15 February 2007 (UTC)

If you have an AOL/AIM account, you already have an open ID. By the way, this question should not have to be asked. It should be in the article. Randomfrenchie 02:09, 20 February 2007 (UTC)

OpenID implemented on Wikipedia?
I read on the claimID blog that Wikipedia will be supporting/implementing OpenID sometime soon? Does anyone have more details on this?

-- d@vid seaward 06:05, 27 July 2006 (UTC)


 * I remember there had been some discussion of the idea on the Yadis mailing list a while back. I hadn't been following the mailing list lately, but a quick web search pulled up this message by daveman692. It doesn't seem to have happened as soon as predicted, but I wouldn't rule out seeing something soon. Dancter 06:57, 27 July 2006 (UTC)


 * What happened to "sometime soon"?--NeF 14:43, 3 August 2007 (UTC)


 * Another year later ... 203.129.33.32 (talk) 04:27, 30 October 2008 (UTC)

Wikitravel?
Wikitravel uses openid logins? I don't see that anywhere on their site. I'm taking it out if no one can verify this. Nabber00 20:22, 21 October 2006 (UTC)


 * You can find it at http://wikitravel.org/en/Special:OpenIDLogin. 17:31, 29 October 2006 (UTC)

i-name != OpenID
I've removed all (except the first, which is grammatically different) references to i-names and i-brokers in the article. As far as I can see by searching online, an i-name is treated very differently by OpenID: they're not supported yet, if ever. Until i-names are actually synonymous with OpenIDs, they shouldn't be treated as such in the article. If I'm completely smoking crack and someone can point out evidence that I missed, please do say so and feel free to revert those changes. (For the record, I know XRIs are supported, but i-name is a much larger framework than simply providing an XRI.) — Saxifrage ✎ 19:08, 24 October 2006 (UTC)

Corrections
I can understand the confusion, but as co-chair of the OASIS XRI Technical Committee and someone heavily involved with the development of OpenID, here are the facts:


 * OpenID Authentication 2.0 fully supports XRIs -- see the OpenID specs page and in particular Draft 10 at.
 * i-names and i-numbers are terms used to refer to the two standard forms of XRIs (human-friendly reassignable names and machine-friendly persistent numbers).
 * XRI support was added to OpenID Authentication 2.0 for a very good reason -- the ability for an i-name to have a verifiable synonymous i-number that will never be reassigned gives OpenID users (and the relying parties that consume OpenID identification assertions) the ability to make sure their OpenID identity is never taken over by anyone to whom their identifier is reassigned, as unfortunately can easily happen with DNS-based URLs because DNS names are reassignable.
 * The JanRain OpenID 1.1.1 libraries all currently include support for XRI i-names and i-numbers even before they are officially supported in 2.0.

So i-names is not in fact "a larger framework" than OpenID, it is simply an identifier format that is supported by OpenID. The two solve different problems: i-names & i-numbers are new identifiers designed specifically for the requirements of the emerging digital identity layer of the Internet, and OpenID is an authentication service that can work with both URLs and XRI i-names and i-numbers.

Please feel free to contact me via my =drummond i-name contact page if you would like further references -- I can put you directly in touch with the OpenID Authentication 2.0 editors (David Recordon, Verisign; Josh Hoyt, JanRain; Brad Fitzpatrick, Six Apart; or Dick Hardt, Sxip) to confirm all of this.

Rather than just revert, I will take a pass through and restore the i-name/XRI references selectively to make sure they are being used correctly. DrummondReed 20:08, 27 October 2006 (UTC)


 * Thanks for the clarification. The article doesn't seem to be contradictory anymore with the better treatment of the relationship between OpenID and i-names, etc. — Saxifrage ✎ 01:22, 28 October 2006 (UTC)

Trademark
Rather than getting ourselves into trouble by editing the page directly, I would like to ask somebody to add to the text that R-Objects Inc. dba NetMesh has pledged to transfer the OpenID trademark registration to the OpenID Foundation once that is properly set up and becomes the official owner of other IP such as the openid.net domain name etc. Netmesh 00:49, 9 February 2007 (UTC)

Terminology: "Consumer"
The term consumer needs to be defined along with the other terms.
 * Doesn't "consumer" mean the site that actually wants to identify the end-user? Right now that's listed as being "relying party" but I haven't heard that phrase and all the documentation I've seen refers to "consumer" as being the site that wants to identify the user. --Ciaran H 15:33, 20 February 2007 (UTC)

Good Article
This is one of the better articles I have read on Wikipedia. It should be nominated for some kind of award or something. Randomfrenchie 02:13, 20 February 2007 (UTC)

Notable OpenID Providers?
There should be some kind of list in that section of the article, or at least more detail pertaining to better-known companies, instead of one small sentence with a few companies. Atomic1fire 22:36, 21 February 2007 (UTC)

How it works up higher
Would it be a good idea to place the part of "How OpenID works" higher on the page? Now you have to read through stuff like "Notable providers and relying parties", "Development" and "Intellectual property", which is not really interesting if you don't even know what it actually is. Maybe the "Terminology" is interesting too, but it could also be somewhere at the bottom as a reference. I'm willing to do this but feel I should first talk about it; maybe some are not amused at all :) Løde 12:28, 21 February 2007 (UTC)

Criticism?
This article needs a "Criticism" section. There's plenty of that about OpenID. Here's an example: OpenID: Phishing Heaven -Olegos 22:27, 1 March 2007 (UTC)
 * Such a section would be healthy, as long as it remains NPOV. pbryan 22:39, 1 March 2007 (UTC)

Yet another in-depth critical article: The problem(s) with OpenID at The Identity Corner (why Credentica does not support OpenID) --Jakub Narebski (talk) 21:09, 27 May 2008 (UTC)


 * A summary of this article should be included in the wiki page. Turkeyphant 18:10, 7 November 2008 (UTC)


 * There is currently a box in the article encouraging discussion of whether to distribute the present criticisms across the article. I've noticed that there is a general WKP antipathy to criticism sections in articles, usually on the basis that it falls foul of NPOV.
 * I don't agree with this attitude.
 * There are various legitimate reasons why one might want to view the cons of a subject - without necessarily wanting to read the entire article. Other aspects are usually in a designated section, possible criticisms can also usefully be. Centrepull (talk) 09:58, 13 July 2008 (UTC)


 * I would encourage a Criticism section as well. OpenID raises many structural issues that are being discussed, especially now that so many corporations are joining the protocol. --Samer.hc (talk) 11:42, 31 October 2008 (UTC)


 * First: the criticisms are not yet even weaved into the article. Second, of course there should be a Criticisms section. The domain name [www.idcorner.org] no longer works. Can someone please find another link? -Pgan002 (talk) 07:27, 19 February 2009 (UTC)

Simple English version
I haven't got a clue how this works. Any chance of a Simple English version that doesn't go into technical detail but explains the gist of how it works? —The preceding unsigned comment was added by Wikipedian231 (talk • contribs) 17:37, 9 March 2007 (UTC).

Give good examples—use secure protocols
In my opinion, the HTTP links used in the examples (explanation of how OpenID works) should be converted to HTTPS. This will result in better examples. So the text should be https://example.com/openid-return.php instead of http://example.com/openid-return.php.

Wikipedia is always trying to give the best technical point of view, as it seems to me. Using HTTP is inferior to HTTPS, especially when talking about sensitive information like personal data. I think this page should be edited accordingly.

What do others think?

–87.181.126.156 21:47, 13 March 2007 (UTC)


 * Data passed between providers and consumers are cryptographically secured, even not using SSL/TLS. Jcea 17:21, 14 March 2007 (UTC)


 * TLS/SSL is a good method to prevent DNS poisoning attacks. Because the OpenID identifier is simply a web page, if the Provider can be fooled into retrieving the page from another source and it contains a rogue server and delegation of credentials, that identity can be successfully impersonated. pbryan 06:49, 15 March 2007 (UTC)
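
The discovery step this thread is arguing about, as an added example that is not part of the original talk-page comments: OpenID 1.x HTML discovery reads `openid.server` and `openid.delegate` link tags from the `<head>` of the claimed identifier page, so whoever controls the bytes of that page controls where authentication is sent. The function name `check_discovery`, the sample page and all hostnames below are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

WANTED = ("openid.server", "openid.delegate")

class _HeadLinks(HTMLParser):
    """Collect OpenID 1.x <link> tags, honouring only those inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            # rel may hold several space-separated values
            for rel in (a.get("rel") or "").lower().split():
                if rel in WANTED and a.get("href"):
                    self.links.setdefault(rel, a["href"].strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def check_discovery(claimed_url, html):
    """Return (server, delegate, findings) for a fetched identifier page."""
    parser = _HeadLinks()
    parser.feed(html)
    server = parser.links.get("openid.server")
    delegate = parser.links.get("openid.delegate")
    findings = []
    # Over plain HTTP the link values are unauthenticated: a poisoned DNS
    # answer can serve a page that names a different server and delegate.
    if urlparse(claimed_url).scheme != "https":
        findings.append("claimed identifier fetched without TLS")
    if server is None:
        findings.append("no openid.server link in <head>")
    elif urlparse(server).scheme != "https":
        findings.append("openid.server endpoint is not https")
    if delegate and urlparse(delegate).scheme != "https":
        findings.append("openid.delegate identifier is not https")
    return server, delegate, findings

# Constructed sample page; the <link> in <body> must be ignored.
SAMPLE_PAGE = """<html><head>
<link rel="openid.server" href="https://idp.example.net/auth">
<link rel="openid.delegate" href="https://idp.example.net/user/alice">
</head><body>
<link rel="openid.server" href="https://rogue.example.org/auth">
</body></html>"""

if __name__ == "__main__":
    print(check_discovery("http://alice.example.com/", SAMPLE_PAGE))
```

The signed assertion exchanged later covers the messages between provider and relying party, not this initial page fetch, which is why the transport used for discovery matters separately.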

Mention of Wikipedia
I've removed the mention of Wikipedia as planning to support OpenID. While true, it doesn't really say anything of note -- we haven't made any rollout and don't even have a timetable for it. It would be much more useful to mention other sites actually using it rather than vaporware. --brion 21:22, 28 March 2007 (UTC)

Yadis not in OpenID 1.1?
The article says OpenID uses Yadis starting with 1.1 but doesn't mention Yadis/XRDS at all (but  does). /Fifo 21:56, 10 April 2007 (UTC)

Needed corrections concerning Yahoo! and idproxy.net
I don't want to make these edits myself because they are about me, but the article should be updated to reflect that Yahoo! have not yet made any public announcements concerning OpenID. idproxy.net (my site) was developed entirely separately from Yahoo! - I no longer work there, and idproxy.net was developed and released after my departure. It uses Yahoo!'s authentication API (BBAuth). It's really a hack to demonstrate that there's no point in having an authentication API that doesn't support OpenID since it just means someone else will set up a bridge in the middle between the two protocols.

—Preceding unsigned comment added by 62.56.86.249 (talk • contribs) 11:33, 27 April 2007 (UTC)

Single signon
What happens if I have already logged in to my OpenID account and jump to a site which is OpenID enabled? Do I have to log in again, or will it recognize me and my status and not require login again? Please add a description of this scenario to the main article. —The preceding unsigned comment was added by Andrisi (talk • contribs) 09:53, 10 May 2007 (UTC).
 * Yes, you will have to login there as well. - Sikon 15:59, 10 May 2007 (UTC)
 * Then how is then OpenID SSO? Båtstrand78.91.73.153 (talk) 14:05, 13 December 2008 (UTC)

Not sure whether Andrisi contributed this change, but anyway, two points: —Fleminra 20:17, 12 May 2007 (UTC)
 * 1) Users wouldn't necessarily want every new web site they browse to to automatically know who the user is.
 * 2) After you've signed on to your OpenID provider during a browsing session, you shouldn't have to type that password again during that session (depending on the provider's implementation; you might need to choose a "stay signed in" option).  You will have to type your OpenID URL at each new web site you browse to (this is a feature, because of #1).

Thanks for the clarification. I think it would be useful (optionally) to have any site recognize you as XY, and be able to verify that, without your help (or work). Because without this, it's still not single sign-on, just something close. If you make it optional, and "based on the provider's implementation" - it will never be easy and uniform enough. I think it's a legitimate criticism. You could add an explanation of these scenarios to the main page. —Andrisi

Microsoft
Doesn't Microsoft support OpenID as part of cardspace, which is already available on both XP and Vista? This seems to conflict with the statement "Microsoft is working on implementing OpenID 2.0 in Windows Vista". Morphh  (talk) 20:05, 28 September 2007 (UTC)


 * Well, the final OpenID 2.0 specification does not yet exist, so no one can yet claim to have implemented it. The statement in the article could still be true if cardspace included an OpenID 1.x implementation and they were working on a 2.0 upgrade.  Perhaps it'd be worth looking for a more recent source to find out what the current status is? --James 08:09, 5 October 2007 (UTC)

Alternatives?
It would be helpful to know what alternatives or competing approaches there are to OpenID. Hauptmech 21:13, 14 October 2007 (UTC)

Wish to add this external Link. How can I?
Following is the link and link text I wish to add: --Debashishc (talk) 06:56, 10 December 2007 (UTC)
 * OpenID: One key to many locks - A primer in Hindi blogzine Nirantar on OpenID.

Windows cardspace and .NET framework 3.0
The following text in the introductory paragraph should not be in this article. The specifics of Windows CardSpace and .NET Framework downloading must be in their own pages, and not in the OpenID page!!!

"which is part of .NET Framework version 3.0 (the .NET Framework version 3.0 comes with Windows Vista by default and can be downloaded for Windows XP)." —Preceding unsigned comment added by 217.10.60.85 (talk) 10:44, 21 January 2008 (UTC)

Big cleanup needed
In the news today: Google, Microsoft, IBM, Verisign and Yahoo have all now joined the OpenID Foundation.

That means a lot of people are going to be looking at this article. Normal people. It needs a rewrite. Spandrawn (talk) 00:53, 8 February 2008 (UTC)

Provider/consumer lists
I just created a List of OpenID providers which certainly needs some work.

Perhaps even more useful would be a list of relying parties, now that there are so many big names acting as providers. Major kudos to anyone who can put together a categorized list of notables in that department (the openID directory is nice, but not peer-edited...)

Jbastress (talk) 20:02, 13 February 2008 (UTC)

What really bothers me is that plenty of companies provide OpenID; however, you can only log into their sites using THEIR OpenID implementation. This kind of defeats the purpose of OpenID altogether. So I'd love to have a list of big sites that actually accept ALL types of OpenID. Recent news says MySpace is going to 'provide' OpenID accounts; however, they will not accept anything but their own for logins.

So a list of actual websites that FULLY support OpenID would be very useful to me.. that's why I came to the wikipedia page in the first place.

Llynix 24 July 2008 —Preceding undated comment was added at 21:44, 24 July 2008 (UTC)

How the hell does it work?
I'm fairly technically proficient, but I don't understand the concept behind OpenID at all. You type in a url and you're logged in? Couldn't anyone do that? It sounds like there are more security features but I really can't divine any logical meaning from anything I've read about OpenID (anywhere, not just here). It almost sounds like a scam buried in technical jargon to trick people, although I have the impression that's not actually the case. Someone please explain in simple terms how this works? 69.105.96.208 (talk) 04:24, 12 April 2008 (UTC)


 * You type in a URL to your identity server, and then it logs you in. Yes, the intro is a little misleading because you will typically have to type a username and password into your identity server. The intro should be changed so that it doesn't sound like a scam. Roger (talk) 21:47, 17 April 2008 (UTC)

homepage address verification scheme
The article never mentions the original starting point of OpenID. It was not constructed as generic login protocol for ordinary users. It was just meant to assert ownership of URLs (homepage/blogs).

Usage as a login and authentication scheme was later attributed to Yadis/OpenID by outside parties. And it's left open whether that is the desire of the core development/decision group nowadays. See the original and current Yadis mailing list. http://lists.danga.com/pipermail/yadis/2005-May/subject.html —Preceding unsigned comment added by 89.246.199.241 (talk) 19:40, 9 May 2008 (UTC)

OpenID Ownership
I've been trying to update the criticism section with what I feel is a fair and accurate criticism. The criticism is 'Finally, unless deployed through an end-user's own domain, OpenIDs are effectively owned by the identity provider and, thereby, subject to identity providers' terms of service with end-users, which fundamentally undermines the degree to which an end-user can rely on an OpenID as fixed and permanent.' The problem is this and other versions of this edit keep getting deleted.

This is a true statement, and one that deserves mention. Unless deployed on an end-user's own domain, an OpenID is subject to the business decisions and operation of the identity provider. Case in point? Look to the Terms of Service for a Yahoo! OpenID -- it clearly conveys that an OpenID may be discontinued by decision of Yahoo!, change of policy, or termination of Yahoo! account, all of which are typically completely outside the end-user's control or ability to challenge. Simply put, an end-user in virtually all cases does not 'own' their OpenID. This is a point worth mentioning and something informative that people should be made aware of. —Preceding unsigned comment added by MFellenz (talk • contribs) 19:32, 26 July 2008 (UTC)