AOL Now Supports OpenID
Nurgled writes "On Sunday John Panzer announced that AOL now has experimental OpenID server support. This means that every AOL user now has an OpenID identifier. OpenID is a decentralized cross-site authentication system which has been growing in popularity over the last few months. AOL is the first large provider to offer OpenID services, and though they do not currently accept logins to their services with OpenID identifiers from elsewhere, they are apparently working on it. The next big challenge for OpenID proponents is teaching AOL's userbase how to make use of this new technology."
Or: how is this different from Passport (Score:2, Interesting)
So, it's more modern and has a little shiny "Open" sticker on the side, but the challenges are identical IMHO.
This is a huge blow to privacy on the net... (Score:1, Interesting)
While it sounds like a great idea, in fact... it is not. On the pro side, people don't have to keep lists of their accounts and passwords across many sites, and sites have a standardized mechanism to rely on... like OpenID is established.
Think what it could be like when sites only accept OpenID authentication coming from certain sources, like the provider your IP is originating from. Take it one step further: think what it would be like to authenticate with your OpenID URL to get onto the internet itself.
The idea sucks, and I didn't even get started on how it allows the operator of an OpenID authentication service to track which sites you go to.
Not just AOL users -- AIM users too (Score:4, Interesting)
Re: Why would we want OpenID? (Score:5, Interesting)
Of course, many here on Slashdot could probably set up their own OpenID server that has a unique identifier for each site, but how many do you think {are going to/are able to} do that -- especially among AOL users?
Re: It's phishing time! (Score:3, Interesting)
Not cool (Score:4, Interesting)
Anyway, then, as kids are wont to do, they have followed it up with a series of new specifications, each one more complicated than the last. There are five specifications in draft form right now, each to cover some different aspect of what should be a fairly simple protocol. They reference and make use of HTTP, HTML, XHTML, XML, XRIs, XRDS, S/MIME, XSLT, and some other, similar ID specification called Yadis. Implementing all of this requires gobs of software libraries (each with security holes and bugs) and expertise (and who has time to learn the latest X??? spec?). And we're supposed to believe that it's possible to do this securely? We can barely make secure web servers, much less SSI systems which require almost 100 pages of specifications, plus thousands of pages of supporting specifications!
What's sad is that the authors are not just a couple of kids that discovered XML and had a field day. The authors are associated with companies. The primary author works for VeriSign. Presumably, he should know better than to make such a jumbled mess.
But I think we all know what's really going on here. These idiots put together an incomprehensible specification. It is poorly defined, ambiguous, and relies on lots of supporting technologies. It is impossible to implement securely, completely, and correctly. Security holes and interoperability issues will be the only real standard. And guess whose jobs are secure? Guess who gets lots of contracting jobs? Guess who is needed to write new specifications so that they can get it Right the next time?
It's too late to turn this one around. Hopefully OpenID will die a horrible death and we'll never hear of it again. But please, please, if anyone else reading this feels compelled to write a specification in the future, learn from OpenID's mistakes and keep it simple, stupid. Because OpenID is setting itself up for disaster.