Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Adopts, Forks OpenID 1.0

Posted by timothy on from the complicationism dept.

An anonymous reader writes "Right on the heels of Microsoft's adoption of the OpenID protocol by announcing their intention to enable OpenID authentication against all Live IDs, Google has announced their intention to join the growing list of OpenID authentication providers. Except it turns out they're using their own version of OpenID that is incompatible with everyone else. It seems that Google will be using their own 'improved' version of OpenID (based upon research and user feedback of the OpenID system) which isn't backwards compatible with OpenID 1.0/2.0, in hopes of improving end-user experience at the cost of protocol compatibility and complexity."

30 of 316 comments (clear)

  1. Google... learning more from Microsoft everyday by JCSoRocks · · Score: 5, Insightful

    Substitute Microsoft's name for Google and it'd be just another day in tech. Interesting to see Google doing this though.

    --
    You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
    1. Re:Google... learning more from Microsoft everyday by Johnno74 · · Score: 5, Insightful

      Yes, except just yesterday Microsoft joined OpenId, _without_ this sort of stunt.

      IMHO, microsoft's behavior in the last few years is to be commended, they are worlds away from where they were 10 years ago.

      Sadly, google seems to be heading the other way.

    2. Re:Google... learning more from Microsoft everyday by Tacvek · · Score: 1, Insightful

      Where is the Google system not standard Open Id 2.0? It has one send an http get request to "https://www.google.com/accounts/o8/id", and google replies with an XRDS file. That sounds like the Yardis protocol to me.

      In fact it sounds like it is standard Directed Identity, except that it uses an abnormally long url to start. The google web site actually seems to be just suggesting that the site ask for the email address and then use a hard-coded yardis URL if a google address was entered.

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
  2. so lets see slashdot bias at work by circletimessquare · · Score: 2, Insightful

    if microsoft did this, the hoardes would be eviscerating the company

    if google does this, watch the defenders come out of the woodwork

    slashdot bias: microsoft bad, google good, apple shrug

    its not the year 2000 folks. google is not some little darling upstart anymore. update your bias accordingly please

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:so lets see slashdot bias at work by Microlith · · Score: 5, Insightful

      Google will be cheered or booed depending on what they do with their changes to OpenID. They could very well turn around and propose it for version two or whatnot of OpenID. After all, if it isn't compatible then what the hell is the point.

      Microsoft is hated because they DEFINED "embrace and extend." They regularly use it as a weapon against their competitors. We have yet to see Google use their version of OpenID, much less use it against anyone.

      Never mind that OpenID screams "single point of failure" to me.

    2. Re:so lets see slashdot bias at work by SecurityGuy · · Score: 2, Insightful

      I think Google's shininess has worn off for most at this point.

      The interesting implication to me is that I may have to concede Microsoft is not inherently evil, at least not more so than any other large corporation. Google, having become one has been progressively more Microsoft-ey.

    3. Re:so lets see slashdot bias at work by Red+Flayer · · Score: 2, Insightful

      Hey, FWIW, how about actually observing the Google Reality Distortion Field[1] before blasting its sure appearance?

      There is institutional bias at slashdot, but from what I've seen, the pro-googliness has dropped in the past year or two as Google has started playing hardball with a big stack[2].

      At any rate, slashdot is a community of individuals, and any perceived bias among the community just reflects the fact that fanbois exist -- and if you're aware of that fact, you can run the comments through your own internal bias filter when reading them. Sure, it's all well and good to hope that by decrying the bias, you might be able get people to change their minds... but good luck with that. Far better to get some popcorn and watch the spectacle of Google fanbois trying to defend their idol, lest they lose all hope of a giganticorp actually not acting selfishly.

      [1] Bonus points for an Apple reference in a Microsoft/Google proto-flamewar?
      [2] Bonus points for the baseball/poker mixed metaphor?

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    4. Re:so lets see slashdot bias at work by owlnation · · Score: 2, Insightful

      Yes, but Google seems to get everything right when it comes to online technology,

      Yes, that is true. But, there's just one thing though that isn't mentioned enough, namely that they created a new paradigm in search 10 years ago. The 10 years ago part is the thing. There's not only been no improvement, they've effectively eradicated all competition, and their search is now fairly well gamed by most any and all black hats.

      Thus, the net result is that, overall, the user experience for search is now worse than it was 10 years ago. Google has become rich and rested on its laurels. Is this evil? Not per se. Is it good? Not at all. Google needs competition. It seriously needs competition.

  3. New and improved feature? by megamerican · · Score: 3, Insightful

    Google OpenID: New and improved personal information gathering.

    --
    If you have something that you dont want anyone to know, maybe you shouldnt be doing it in the first place -Eric Schmidt
  4. Stop your complaining by FooBarWidget · · Score: 4, Insightful

    OpenID usability sucks.

    There, I said it. It's true. My computer-illiterate dad just wants to post a comment on a blog, or to login to a new website. You can't possibly expect him to do something as complex as reading up on what OpenID is, signing up for an OpenID account on a totally different website that has got nothing to do with the original website that he was on, and then logging in by entering a long magical URL. People like him - average users - have trouble enough understanding usernames and passwords! The recently published OpenID usability study confirms all the criticism that I've had on OpenID.

    While OpenID is technologically sound, its usability is not. If Google's version is more usable, but is still open, then I'd gladly support it even if it's not compatible with the "official" OpenID standard. I don't care whether they're being "nice" or "evil" or whatever, I want better usability because software is supposed to be usable.

    1. Re:Stop your complaining by FooBarWidget · · Score: 5, Insightful

      "Rubbish. For people like your dad, OpenID is both simple *and* simpler than having to sign up for dozens of sites just to post a comment."

      That's true if you count the step. The thing you overlooked is, he doesn't know what OpenID is! Try to explain OpenID to a random person on street. How big is the chance that he understands it and will even care? Have you ever went through an OpenID registration process? There's no way my dad understands that. The barrier to entry for average users is too high.

      There's more to usability than simply counting the number of steps.

      "Suppose we live in a world where everybody implements OpenID (as a consumer and provider)."

      It's useless to speak of such a world. It simply doesn't exist. The hard reality is that OpenID adoption is still low.

      "If I "can't possibly expect [your dad] to do something as complex" as that, I weep for your dad - and you, given that you got 50% of your genes from him."

      Oh yeah, like launching a personal attack on me will make the usability problems magically go away. If anything, this is a sign of your weakness.

    2. Re:Stop your complaining by LordMyren · · Score: 2, Insightful

      You clearly havent spent even the most cursory effort to investigate what Google has actually done here.

      They havent changed OpenID, they've built their own black box to lookup OpenID URL's for email addresses.

      Your entire argument is posited around Google making a more usable version of OpenID. While it may be easier for gmail users in that they can use their email addresses instead of url's, Google has not provided any spec for how other sites can implement the black box they've thrown in front of a completely vanilla OpenID. Since no one else can use it, its easy to say it hasnt helped OpenID.

    3. Re:Stop your complaining by LordMyren · · Score: 3, Insightful

      Reading your thread you do a very fine job justifying a means to an end, but I'd still wager that the means that Google used are abominable.

      "It means that now, people who have Google accounts can login to my website without having to register."

      It also means FooBarWidget's dad (the proverbial Joe the Plumber of this thread) also has to remember that on every other site he has to use something else. And if he wants to use his Yahoo or MSN account, he has to remember its something totally different. Google has simply added to the confusion by throwing in their own proprietary non-interoperable standard, further fractioning a standard you've already argued is unusable for its complexity.

      The only acceptable way to make this a win for users was to make some kind of a standard. Google didnt. Instead they've only further exacerbated the mess of online identity standards. I'm happy that you're happy that you can tell your dad to just use his email, but for Dad thats only ever going to work on a very very small handful of sites for users who happen to want to use their google account identity; for the other 99.99% of use cases it only murkier the water further.

      The real insult-to-injury here is that OpenID already supports email logins. Theres no reason Google couldnt have let good ole dad login with foo.dad@gmail.com; OpenID translates this to http://gmail.com/ which happens to be a valid web address. But instead of implementing an existing standard at no cost to developers everywhere, Google added more complexity for developers and more confusion for users.

      I dont see whats salvagable about this. Google didnt add anything new for users, made it so users of gmail couldnt use 99.999% of OpenID consumers, put a huge burden on developers, and confused a lot of users struggling with an complex system whose only boon was interoperability.

      I'm happy its easy for you and your dad. But theres about eighty things a 9 year old programmer would have made better decisions about, and at no cost to the rediculously low bar you've set for your expectations.

  5. And this is why... by Azuma+Hazuki · · Score: 3, Insightful

    ...Google scares me more than Microsoft. Even as a die-hard Linux and BSD user, a FOSS zealot, I rest easy knowing Microsoft in its current form will likely be dead in less than a decade. Google, on the other hand, stands to become the Internet-age version of Standard Oil. This is the first "publically-visible" sign of their slide into Microsoft-like evilness, and unlike MS, they will probably be around a long, long time.

    Think about it: the OS doesn't *really* matter (if it did OS X and Linux and all the rest would never have any users). Even MS knows this, as they prepare to break into the "cloud" market. Even the applications aren't *that* important now, with the number of people working on converters and programs like OpenOffice. What's important is data, raw information, and Google is a massive data broker.

    Be very, very careful how much you trust to Google.

    --
    ~Eien no Inori wo Sasagete~ Searching for my Hatsumi...
    1. Re:And this is why... by Hangtime · · Score: 2, Insightful

      I have been on Slashdot for a decade now and those comments about Microsoft being gone in 5, 10, 20 years never get old. When you are sitting on that kind of cash and that kind of cash generating ability your not going anywhere, anytime soon.

  6. So they're experimenting by bluefoxlucid · · Score: 4, Insightful

    Google is a research company; they're doing research. They are improving OpenID, in their opinion. Nobody relies on Google OpenID, they haven't stepped up to make an OpenID implementation and then started adding extensions, and finally broken compatibility to force conversion to their special vendor-locked-in crap. They've come out and said, "We are going to implement something new, based on OpenID."

    Wait until Google Docs stops exporting to deprecated MS Word 97 format (and ignorers .docx entirely), but does export to Google Document Format for their new Google Desktop Office; then you'll see Microsoft behavior.

    --
    Support my political activism on Patreon.
    1. Re:So they're experimenting by hackingbear · · Score: 2, Insightful

      Besides, I don't see, from reading the blog, that they make it incompatible with OpenID. they just add two additional steps -- the user enters an gmail address and then the google server returns an OpenID URL. So normal OpenID websites still work, users just type in the URL instead of having the relying party goes find out.

      So it is really a compatible augmentation to OpenID. Whether google patents this or uses other way to prevent others from doing that, I don't know and not technical.

  7. Re:And so it begins by obarthelemy · · Score: 2, Insightful

    There IS a difference between "embrace and extend" and "extend right away": sneakiness.

    Google lacks something both MS and Apple are going to enjoy for a long time: user lock-in via proprietary formats, DRM and/or user training.

    Google has much less leverage to become evil by abusing lock-ins... hence less evilness.

    --
    The Cloud - because you don't care if your apps and data are up in the air.
  8. Why OpenID fails by coryking · · Score: 4, Insightful

    I've got one word for you

    Meanwhile, in reality, you know that ultimately the URL is the location of your OpenID server, right?

    Huh? No seriously. Huh?

    OpenID is just so damn unintuitive that nobody really gets it. It is a fucking login. Why can't it be an email address? Why can't it resolve the right place to conduct authentication business via DNS the same way SMTP gets it's MX record based on everything after the @domain.com?

    Seriously, the more people try to explain it, the more it just makes peoples eyes glaze over. All they see, and all I see, is a fugly looking URL that is supposed to magically authenticate me, only as a web developer, I'm told I can't actually trust the authentication because the protocol wasn't designed for it. Or something. My head spins now.

    1. Re:Why OpenID fails by coryking · · Score: 5, Insightful

      Because for the average person, it's a lot easier to set up a blog than it is to get their ISP to set up custom DNS records.

      There you go again. What the hell are you talking about? Now to log into some stupid site, I have to get a blog too? Huh?

      Admit it, the URL thing sucks ass. Email addresses are something we all have, and many websites are using email addresses as your login already. If OpenID did email, even *if* there wasn't any DNS trickery like I suggest, life would have been 100% easier. But no, I'm sure there is some "valid" reason the purity trolls who wrote the spec had against something so simple and logical, so they decided URL's would be best, usability be damned.

    2. Re:Why OpenID fails by burndive · · Score: 5, Insightful

      Do you already have a Google Account nickname set up and ready to enter into the login field? Did you even know such a thing existed? Does Joe The Plumber (TM) know that?

      I do, but then again, I use OpenID the way God intended: I have my blog delegate to a 3rd party that specializes in it (myopenid.com).

      My blog URL is exactly what I want to show the world my identity. It's the hub of a significant portion of my public online content.

      Why does a blog that I'm commenting on need to know my e-mail address? They might spam me.

      An e-mail address is private information. A URL is just as unique, with the added benefit of being public.

      --
      ...because "hacker" sounds way sexier than "code drone."
  9. Standards by Derrike · · Score: 2, Insightful

    I'll be the first (albeit a little late) to admit I thought Google was pulling a MS for a moment. So what would call for revising the standards? Well let's say you have a lemonade stand. What if your normal set-up doesn't provide all the things you (and your customers) would like out of your lemonade stand? That's where you go out and implement these features. Google would find out what the users would like and then make it happen. MS would start selling orange juice. Now wait, that's not what NORMAL lemonade stands do! Well you're right. If a standard itself is causing problems for the user and the operator than there's more than likely a problem with the standard. (Or you have really bad operators.) If the changes were for the better, other stands of the like will do the same. Eventually, you bring forth better standards. This, like the lot of things is a double edged sword as we also end up with a lot more orange juice stands. They haven't wronged (me) us yet, anyhow.

  10. Re:How to judge what's going on by vidarh · · Score: 3, Insightful

    But there's NO reason why someone's OpenId would also need to be their "screen name" on a specific service. Many services let you log in with your e-mail address today without plastering your e-mail all over their site.

  11. Re:How to judge what's going on by BlueGecko · · Score: 5, Insightful

    I agree with you wholeheartedly that Google's solution is better, Bruce, but...it's not the standard. The proper way to do this, and one I'd have been fine with, would be to support OpenID, plus this alternative that's much easier for the average user to understand. That's not what Google did, and I don't think we're out-of-line for faulting them for it.

  12. Re:Google sees the problem with OpenID 2.0 by Shados · · Score: 5, Insightful

    OpenID 2.0, on the other hand, is a disaster. Its architecture reeks of design-by-committee

    Basically all open standards do, or eventually do, which is why many commercial entities decide to roll up their own. Yup, while definately many of the times when Microsoft did something like this WAS out of "evil", a large portion was for the same darn reason as this. There's VERY few open standards that aren't an insane mess of "I'll add your idea if you add mine" crap.

  13. Making Extensions Possible Without Evil by Bruce+Perens · · Score: 4, Insightful

    It's open development if the extension is as open as the original standard. It's not an accepted standard until the standards group accepts the extension.

    Is it an Open Standard if you can't extend it openly? I am entirely against closed extensions to open standards, and unnecessarily incompatible extensions, the classical "Embrace, Extend, Extinguish" stuff. But I am equally against standards being a ball and chain that prohibits further innovation. You should be able to produce an extension that you make open on the same terms as the original standard.

    It looks to me as if Google is attempting to hit OpenID with a clue stick on a really obvious issue, saying "Normal folks use email addresses to log in, dummies!". And I am being told that what they are doing is really close to OpenID 2.0.

    Bruce

    --
    Bruce Perens.
  14. Re:How to judge what's going on by Bruce+Perens · · Score: 4, Insightful

    Yet if this was Microsoft, we would be accusing them of "embracing and extending" a protocol to death.

    And because Microsoft has a record of doing just that repeatedly, it would be reasonable to do so.

    Please don't forget all of the bad practice around approval of Office Open XML, which made a sham of ISO, and their very recent maneuver to take over the OpenDocument standard group at ISO.

    At the moment, I am less likely to trust Google regarding democracy and civil liberty issues than I am regarding Open Standards. Because they have a record on that.

    But I agree that they screwed up the relationship and PR issues around this move. They should know better.

    Bruce

    --
    Bruce Perens.
  15. Re:Snarky AC comment by Bruce+Perens · · Score: 4, Insightful

    For single signon to be safe and secure, it seems to me imperative, that the password entry and access approval be done through the browser itself, in a more secure way, rather than through a standard web form, so easily manipulated.

    If you want this, you need to go to W3C and start a standards activity. Browser authentication has remained the same, it seems, for a very long time. And if you actually implement it, you find it's lacking. For example, there is no way to log out! Browsers generally send authentication with each request to the site after you sign on.

    Bruce

    --
    Bruce Perens.
  16. Re:Google sees the problem with OpenID 2.0 by shutdown+-p+now · · Score: 2, Insightful

    You know, Microsoft usually offers that very same excuse when asked why they don't use standard protocols, or extend them: "well, that's because the standard sucks".

    We all know how that line of thinking usually goes on /. - but, this is Google, so...

  17. Re:How to judge what's going on by NeoSkandranon · · Score: 2, Insightful

    "Hacker" means something else.

    No, it doesn't. Language changes.

    --
    If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)