Slashdot Mirror


LiveJournal Founder Launches OpenID System

geekdreams writes "Brad Fitzpatrick, the founder of LiveJournal, has launched OpenID, an 'actually distributed identity system' for websites that accept user comments. The system utilizes decentralized servers to authenticate users, and aims to replace centralized ID systems such as Microsoft's Passport and SixApart's TypeKey. The first implementation of OpenID can be seen on LiveJournal comments pages." Previously mentioned on Slashdot, now out of development.

1 of 172 comments

  1. Not really that good, IMHO. by mfh · · Score: 0, Flamebait
    I'm a CMS designer, and I think this service is likely a bad idea. I won't be adding it to my service, or at least not in its present state.

    Here are a few of my reasons:
    1. XML-RPC had a recent exploit that could be revisited in a very nasty way. Even though this appears to use POST, it's still looking pretty complicated from my perspective. I think the same results could be achieved in a much easier way.
    2. I think the motivation for this service is skewed. The only motivation I can detect for Open Id is to save people FIVE SECONDS by logging into a new forum, website... etc. People already have their own methods to achieve this kind of simplicity in their lives.
    3. Tools like Firefox's "remember password" make these kinds of shared identity systems obsolete, don't they? Who cares how many passwords you have to remember? You don't have to remember ANY of them anymore, really.
    4. Caution should be applied when linking with systems using any kind of third party medium. KISS.
    5. A system should rely on as few other systems as possible. Minimalism will make a web experience a happy one.
    6. This could be ripe for phishing.
    7. Lag. If systems must cooperate, they should do so passively. Most XML-RPC calls, for example, will put the lag on the end-user. This should become a passive cron job or something like it, if it must be used. Make the user "temporarily unverified" until he/she/it can be verified at a later date by an automated process. Let the lag be placed on the system, not the user.
    8. This system provides a false sense of security. You will never know exactly who you are dealing with over the internet. Behavioural tests should be part of this system and they are lacking. Also, nobody is going to use a secure pipe at both ends to handle this kind of data, are they? Uh...
    9. CMS designers can achieve semi-stable identity recognition without this service by simply reading an XML page instead of adding a layer of communication between servers.
    10. ???
    --
    The dangers of knowledge trigger emotional distress in human beings.