Google Adopts, Forks OpenID 1.0

An anonymous reader writes "Right on the heels of Microsoft's adoption of the OpenID protocol by announcing their intention to enable OpenID authentication against all Live IDs, Google has announced their intention to join the growing list of OpenID authentication providers. Except it turns out they're using their own version of OpenID that is incompatible with everyone else. It seems that Google will be using their own 'improved' version of OpenID (based upon research and user feedback of the OpenID system) which isn't backwards compatible with OpenID 1.0/2.0, in hopes of improving end-user experience at the cost of protocol compatibility and complexity."

How to judge what's going on

[Bruce+Perens]

Whether or not this is Google overturning an open standard can be judged upon:

1. Do they make it possible for everyone else to implement exactly what they are doing, on both the producer and consumer end, without any patent restrictions, royalties, or discriminatory licensing?

2. How close is what they are doing to the latest version of the standard, not 1.0?

3. Do they try to get what they are doing into version 2.1 (or whatever) of the standard?

4. Do they really have a reason for doing this? Like making the login easier for normal nontechnical people rather than you and I?

Bruce

Re:How to judge what's going on

[Bruce+Perens]

The string typed in is sufficiently different from what OpenID uses today that it would be easy to disambiguate. Putting this in an OpenID library, without increasing complication to the library user, sounds easy enough.

I think what Google is saying here is that if 99% of users are used to typing in their email address, and not used to typing in a URL as their ID, you should try to make your ID scheme work with an email address rather than invent something new. This actually sounds sensible. But I haven't looked very deeply and would be happy to hear from folks with more expertise.

Bruce

Re:Slightly Conflicting Vision Statements

[mini+me]

To make matters even more confusing, Microsoft has embraced, but not extended.

Google sees the problem with OpenID 2.0

[IGnatius+T+Foobar]

Having implemented OpenID 1.1 Relying Party support myself, I think I can definitely see what Google is up to, and it isn't evil, people. OpenID 1.1 was elegant simplicity. Our team built OpenID Relying Party support in just a couple of days without even using any external libraries. OpenID 2.0, on the other hand, is a disaster. Its architecture reeks of design-by-committee. There were four different groups vying to define the standard for single-sign-on for the web, so what did they do? They basically just glommed all of the different technologies together and called it OpenID 2.0. There are all sorts of things you have to support, like I-Names (which no one is going to use). In the end our team decided to just implement OpenID 1.1 and rely on the recommendation for backward compatibility which is built into OpenID 2.0 (a recommendation which Yahoo ignored, btw).

So it's very possible that some engineers at Google said "hold on a minute. This sucks. OpenID 1.1 made a lot more sense, let's build out from there and see if it's something that the Internet community accepts."

It may even come to pass that both OpenID 2.0 and Goopen-ID both end up specifying backwards compatibility to OpenID 1.1, which would be great because it would effectively halt the progress of the over-engineered OpenID 2.0 and put us back on a saner path.

Let's not call Google's plans evil until we see where this goes. It could end up being something that finally puts this useful technology into some widespread use.