Google Adopts, Forks OpenID 1.0
An anonymous reader writes "Right on the heels of Microsoft's adoption of the OpenID protocol by announcing their intention to enable OpenID authentication against all Live IDs, Google has announced their intention to join the growing list of OpenID authentication providers. Except it turns out they're using their own version of OpenID that is incompatible with everyone else. It seems that Google will be using their own 'improved' version of OpenID (based upon research and user feedback of the OpenID system) which isn't backwards compatible with OpenID 1.0/2.0, in hopes of improving end-user experience at the cost of protocol compatibility and complexity."
I mean, if I can't use my Gmail address to log on to websites that actually support OpenID, then why would I bother? Not only that though, does it support non-Google addresses hosted on Google Apps (e.g. sexygrrl@example.com)? If not, then even bigger fuck off to it.
Meh, sounds a bit like another "Passport", fuck that, I don't want a big (or little) corporation controlling my ID.
Anyway for the ignorant and lazy:
http://en.wikipedia.org/wiki/OpenID
I wank in the shower.
I don't know too much about OpenID, but in my understanding, you log in with your website URL. It seems Google is letting you use your email address, which makes more sense (or would make more sense to normal users anyway, as people are used to being forced to enter an email in posting comments in blogs anyway).
You see, it is OPEN, right? I mean, it says so right in the name of the protocol *OPEN*ID right? And Google is cool right? So OpenXyz + Google = Win, right? I mean, OpenID sucks, right? What is wrong with somebody embracing it and then fixing the problems by extending it to be better? Nothing. After all, it is OpenID.
I think if I ever start a company that publishes the most evil DRM spec on earth, I'd probably name it OpenDRM or FreeDRM just so I can win over the Slashdot crowd. As long as it has Open or Free in the name, you can pretty much get away with murder, especially when your Slashdot corporate karma is "excellent".
But seriously, OpenID needs more than a face lift. For starters, based on my experience with Stackoverflow, browsers need to auto-fill the OpenID box with my URL, er, login name (cough). Then they need to boot out any fool who thinks the "login" should be anything other than an email address. Whoever dreamed up using a URL for a login wanted the spec to fail. Oh, and then when they are done with that, how about moving it down the network stack so that the damn thing can be used to authenticate against protocols other than HTTP, like say, IMAP or something. Oh wait, except OpenID was never intended to be used for authentication... or was it? Nobody really knows because even OpenID proponents say you shouldn't use it for anything other than trivial accounts and if you use it for anything else, you are mis-using the spec!
Yes, but Google seems to get everything right when it comes to online technology, while Microsoft has a history of either being shortsighted or behind. When they do catch up, they usually do it wrong, or worse. Just look at Windows Live Mail, or their OOXML format (not web related per se, but definitely worse than both doc and odt, and an example of them choosing their own worse way of doing something).
Mind you, Google isn't perfect - I remember their page prefetcher beta was pretty messed up - but I'd trust their experts (when it comes to web stuff) over Microsoft. And since they're basing it on user feedback, they're probably also listening to a large number of independent web developers.
-Anonymous Coward
Yes, except just yesterday Microsoft joined OpenID, _without_ this sort of stunt.
_without_ this sort of stunt YET.
I use my site as a provider and every site that I've come across asking me to log in with my OpenID (LiveJournal included) accepts it just fine. That's the idea behind OpenID, you can get your ID anywhere, you can even provide it yourself, and every site claiming to be OpenID compatible MUST accept it when you try to log in with it.
IMHO, Microsoft's behavior in the last few years is to be commended.
Yeah, they behaved so well during the whole OOXML/ODF stuff.
they are worlds away from where they were 10 years ago.
One half-assed attempt at a good deed (that isn't actually good in any real way as they're only providing OpenID not accepting it from others) doesn't erase decades of screwing people over.
I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
Wow, now it's out. I just had a class project doing a usability test on a popular OpenID web site and EVERY professional web developer I observed had a hard to very hard time with OpenID. It's a great idea, but is either flawed in design or badly implemented most places to date.
1. Do they make it possible for everyone else to implement exactly what they are doing, on both the producer and consumer end, without any patent restrictions, royalties, or discriminatory licensing?
2. How close is what they are doing to the latest version of the standard, not 1.0?
3. Do they try to get what they are doing into version 2.1 (or whatever) of the standard?
4. Do they really have a reason for doing this? Like making the login easier for normal nontechnical people rather than you and I?
Bruce
Bruce Perens.
Yeah isn't it so?? I mean Google was kind of a good guy in tech. They recently attacked a researcher for exposing a vulnerability in their Android platform and now this!!! Hmmm can we say that companies inevitably turn nasty when they reach a certain size?
Hell, I honestly think it's possible to root for Microsoft these days. .NET, including the stuff they've just announced, is an open standard, and MS is encouraging competing implementations. They're working with Mono to ensure it has good Silverlight support, including proprietary codecs. They have their own cloud service, yet worked with Amazon so that Windows could be on EC2. They offer a free version of VisualStudio that's more than sufficient for hobbyist work, and ironically arguably have the most open and easy-to-target 3rd-gen gaming console for small development shops. They're supporting OpenID, making IE increasingly standards-compliant, and, with Windows 7, look like they might actually have a pretty nice operating system that I might not feel a pressing need to migrate away from. They're definitely not perfect—I'm still royally pissed at their behavior over OOXML—but they're doing an awful lot of things right these days.
Google, on the other hand, is going the opposite direction. They've done a proprietary fork of OpenID (which, despite the other comments on here, I definitely find offensive, because it locks you into Google in exactly the same way Passport locked you into Microsoft). They closed their SOAP service and offer no alternative. They've basically said Gmail will never use IMAP properly, and they consider that a feature, not a bug. They do business in China on the argument that "well, someone had to do it, so why not us." They still do a tremendous amount of things right, but, just as I think we should acknowledge that Microsoft nowadays is doing a lot of things right, I think we need to start acknowledging that Google is doing a lot of things wrong.
Nobody's perfect, and situations can change surprisingly quickly. I remember when IBM was the evil overlord and Microsoft was our savior.
That was 1992.
Just because Google's been good up to now is no reason to assume they'll continue to be.
To make matters even more confusing, Microsoft has embraced, but not extended.
Funny that OpenID's creator works for Google :>
Dear AC,
This is an understandable assumption but doesn't reflect the facts. For example, Symbian has purchased consulting services from me. If you look here, you'll notice that I am not afraid to criticize them.
Had Google taken me on and allowed me to work on the PR for this, I would have had them communicate about it differently. It's no trouble for Google to get this stuff back into OpenID, but they obviously didn't take the trouble to assure people that would happen.
Bruce
Bruce Perens.
Microsoft announces they'll create OpenID compatible IDs but not accept them. Thus if someone wants full access to all OpenID sites they have to go through Microsoft and you think this is some how better?
I'm not saying what Google is doing is right but they're just getting to the point whereas MS was taking the slow route to the same destination.
No joke. When I first read the summary, my first thought was that this will finally shut the naysayers up about Google being evil. This is almost exactly the sort of thing for which people have criticized Microsoft.
I say "almost" because there are a few things yet to be seen:
The big problem with Microsoft's EEE philosophy is from an interoperability standpoint. Reverse-engineering is difficult, and they know it. Even if Microsoft forked a protocol and added in their extensions for the purpose of ease-of-use, the fact that they didn't share the changes with the rest of the world made it look like a marketshare grab.
Forking a project is not, in general, a bad thing. What's bad is when something is forked and made proprietary. We'll have to watch Google closely on this one.
Having implemented OpenID 1.1 Relying Party support myself, I think I can definitely see what Google is up to, and it isn't evil, people. OpenID 1.1 was elegant simplicity. Our team built OpenID Relying Party support in just a couple of days without even using any external libraries. OpenID 2.0, on the other hand, is a disaster. Its architecture reeks of design-by-committee. There were four different groups vying to define the standard for single-sign-on for the web, so what did they do? They basically just glommed all of the different technologies together and called it OpenID 2.0. There are all sorts of things you have to support, like I-Names (which no one is going to use). In the end our team decided to just implement OpenID 1.1 and rely on the recommendation for backward compatibility which is built into OpenID 2.0 (a recommendation which Yahoo ignored, btw).
So it's very possible that some engineers at Google said "hold on a minute. This sucks. OpenID 1.1 made a lot more sense, let's build out from there and see if it's something that the Internet community accepts."
It may even come to pass that both OpenID 2.0 and Goopen-ID both end up specifying backwards compatibility to OpenID 1.1, which would be great because it would effectively halt the progress of the over-engineered OpenID 2.0 and put us back on a saner path.
Let's not call Google's plans evil until we see where this goes. It could end up being something that finally puts this useful technology into some widespread use.
Of course it is, you'll have to trust that I will not disclose it to other people and instead let you pick a nickname.
Quite frankly, if you aren't willing to at least offer a way to contact you, I'm not interested in letting you post a comment. Remember I have to trust you aren't gonna spam the bajesus out of my site too! A random OpenID URL offers me no assurance you aren't just some comment spammer.
You have to trust I won't leak your email, and I have to trust you are a real person, not a comment spammer. That whole trust thing swings both ways, you know.
That's not true.
They've provided a spec on its (fairly trivial) interaction (since developers couldn't use it otherwise), and they've provided recommendations and rationale on implementation approaches and UI design to support this approach (including recommendations which presuppose other IDPs will also be using this design). Other than actually providing a reference implementation of the black box (which is fairly simple: you send it an HTTP GET request and it responds with an XRDS document whose only interesting bit (and the only thing whose content isn't fixed) is the OpenID provider endpoint URL to use) -- if you can't implement a version of that for your own OpenID provider, you probably don't have any business implementing any kind of web application, OpenID provider or otherwise.
See Google's documentation here.
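The discovery step described in the comment above, seen from the relying party's side, as an added example that is not part of the original post and not Google's code: parse the returned XRDS document and validate the one field that varies, the provider endpoint. The sample document, the host name and the `allowed_hosts` parameter are constructed assumptions; the namespaces and service type are those of standard OpenID 2.0 discovery.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# XRDS/XRD namespaces and the OP-identifier service type from OpenID 2.0 discovery.
NS = {"xrds": "xri://$xrds", "xrd": "xri://$xrd*($v*2.0)"}
OP_SERVER_TYPE = "http://specs.openid.net/auth/2.0/server"

# Constructed sample of what an IdP might return; the host is a placeholder.
SAMPLE_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>http://idp.example.com/openid/endpoint</URI>
    </Service>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://idp.example.com/openid/endpoint</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def op_endpoint(xrds_bytes, allowed_hosts):
    """Return the highest-priority usable OP endpoint URL, or raise ValueError."""
    # Refuse DTDs outright: discovery documents never need them, and entity
    # declarations are what XML expansion attacks on parsers rely on.
    if b"<!DOCTYPE" in xrds_bytes or b"<!ENTITY" in xrds_bytes:
        raise ValueError("DTD not allowed in XRDS document")
    root = ET.fromstring(xrds_bytes)
    candidates = []
    for svc in root.findall("xrd:XRD/xrd:Service", NS):
        types = {t.text.strip() for t in svc.findall("xrd:Type", NS) if t.text}
        if OP_SERVER_TYPE not in types:
            continue
        prio = int(svc.get("priority", "1000000"))  # missing priority sorts last
        for uri in svc.findall("xrd:URI", NS):
            candidates.append((prio, (uri.text or "").strip()))
    for _, url in sorted(candidates):  # lower priority value is preferred
        parts = urlsplit(url)
        # The endpoint is the one non-fixed field, so it is the one to validate:
        # require TLS and a host the relying party already expects.
        if parts.scheme == "https" and parts.hostname in allowed_hosts:
            return url
    raise ValueError("no acceptable OP endpoint in XRDS document")
```
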
``This is the first "publically-visible" sign of their slide into Microsoft-like evilness''
Not even close. They have been doing much more questionable things for a long time now.
Please correct me if I got my facts wrong.
I'm willing to provide the URL of my blog. With that information, you can find out quite a bit about me, or not, without my knowledge, and you can also contact me if you choose. An e-mail address can be generated and thrown away just as easily as an OpenID. The whole point of signing in is to create a consistent identity. It doesn't actually matter if you can contact that identity. What better anchor for such an identity than a URL, which can, at the discretion of the user, point an interested party to a variety of additional information or none at all?
I allow anonymous comments on my blog because if someone has feedback to give, I don't want to put any barriers to that feedback. If they wish to provide an identity, they can do that as well, but I'm not going to force them.
Sites that rely on user-generated content have a vested interest in getting users to participate. The lower the barrier to participation, the more likely a new person is to start using the service, and eventually, if it is in mutual interest, provide an e-mail address, or whatever other information is desired.
...because "hacker" sounds way sexier than "code drone."