LiveJournal Founder Launches OpenID System

geekdreams writes "Brad Fitzpatrick, the founder of LiveJournal, has launched OpenID, an 'actually distributed identity system' for websites that accept user comments. The system utilizes decentralized servers to authenticate users, and aims to replace centralized ID systems such as Microsoft's Passport and SixApart's TypeKey. The first implementation of OpenID can be seen on LiveJournal comments pages." Previously mentioned on Slashdot, now out of development.

Re:Not really that good, IMHO.

[outZider]

Just as an aside, the XML-RPC vulnerability was based on items in the PHP community, and not in the module used within Perl. Danga and the LiveJournal team have been working with XML-RPC for quite some time, and they tend to be nazis about the security of their implementation.

Re:Not really that good, IMHO.

[Xepo]

First of all, look at the reason this was created. There are hundreds of livejournal clones out there, and a lot of them run the livejournal software (deadjournal, blurty, etc.). I'm not going to create a new journal on each one of those sites just so I can view the friends-only posts of my friends on those sites, and especially not just so I can comment. This provides a way to link all of those sites together, and it does it openly, in a way that sites that don't use LJ's software can use.

Secondly, addressing your remember passwords comment, it's a complete waste of resources for the system for these users, who just may want to leave a comment, to force them to sign up for an account. Why not just let them provide a reference URL which represents them, and let that server verify that the provided URL is the user's?

Many of your points were simply "This is complex", or "This requires relying on more systems", and conclude that it's bad. Firstly, I think 'rely' is the wrong word for this. You're using these other systems, yes, but if these other systems go down, it doesn't stop you from doing anything. It's similar, though not a perfect analogy, to saying that having more IRC servers in a given network is bad because you're relying on more servers.

Also, imagine the advantages this gives when designing around this system. Forums which are really only for one topic, such as an official forum for a specific piece of software, don't even need to store any user or password information (and therefore don't have any sensitive data). The forum can simply store the OpenID URL for the admins and allow anyone who can verify with that URL do all of the admin work.

It's the first step to providing a true roaming profile, and single sign-on for the web, and it's done in an open manner. I think it's a step in the right direction.

Re:The point?

[jfengel]

Captcha solves a different problem. Captcha proves that you're a human (more or less). OpenID proves that you are you. That doesn't prove that you're a human; it just proves that you know a password. But since you're the only one who knows that password, you're uniquely you and you don't have to create a separate account on each system you visit.

So it's a convenience for users, not to prevent spammers. This does have spam implications: you can blacklist/whitelist ID servers and you don't have to give your email to every site you visit, but it's not really about preventing spam. It's about simplifying the mass of passwords and accounts you have.