Google Adopts, Forks OpenID 1.0
An anonymous reader writes "Right on the heels of Microsoft's adoption of the OpenID protocol by announcing their intention to enable OpenID authentication against all Live IDs, Google has announced their intention to join the growing list of OpenID authentication providers. Except it turns out they're using their own version of OpenID that is incompatible with everyone else. It seems that Google will be using their own 'improved' version of OpenID (based upon research and user feedback of the OpenID system) which isn't backwards compatible with OpenID 1.0/2.0, in hopes of improving end-user experience at the cost of protocol compatibility and complexity."
OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience.
Everyone else's vision statement:
Fuck OpenID, I'm in control now.
My work here is dung.
just fork it!
Substitute Microsoft's name for Google and it'd be just another day in tech. Interesting to see Google doing this though.
You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
if microsoft did this, the hordes would be eviscerating the company
if google does this, watch the defenders come out of the woodwork
slashdot bias: microsoft bad, google good, apple shrug
it's not the year 2000 folks. google is not some little darling upstart anymore. update your bias accordingly please
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Embrace and extend — all the while doing not evil. No, absolutely not.
In Soviet Washington the swamp drains you.
Google OpenID: New and improved personal information gathering.
If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place - Eric Schmidt
I mean, if I can't use my Gmail address to logon to websites that actually support OpenID, then why would I bother? Not only that though, does it support non Google addresses hosted on Google Apps? (E.g. sexygrrl@example.com)? If not, then even bigger fuck off to it.
Meh, sounds a bit like another "Passport", fuck that, I don't want a big (or little) corporation controlling my ID.
Anyway for the ignorant and lazy:
http://en.wikipedia.org/wiki/OpenID
I wank in the shower.
Doesn't this kind of, you know, defeat the purpose of OpenID?
What does it matter that google is going to use their own version. All the sites that use OpenID are just providers. Nobody accepts the OpenIDs created at other sites so they might as well be completely different.
OpenID usability sucks.
There, I said it. It's true. My computer-illiterate dad just wants to post a comment on a blog, or to login to a new website. You can't possibly expect him to do something as complex as reading up on what OpenID is, signing up for an OpenID account on a totally different website that has got nothing to do with the original website that he was on, and then logging in by entering a long magical URL. People like him - average users - have trouble enough understanding usernames and passwords! The recently published OpenID usability study confirms all the criticism that I've had on OpenID.
While OpenID is technologically sound, its usability is not. If Google's version is more usable, but is still open, then I'd gladly support it even if it's not compatible with the "official" OpenID standard. I don't care whether they're being "nice" or "evil" or whatever, I want better usability because software is supposed to be usable.
Yep, that's my question too. I was excited for a minute, thinking that I'd be able to suddenly use my Gmail/Google ID to sign into various OpenID-enabled sites ... but then they went and fucked it up.
They might as well have not bothered. The whole point of OpenID is interoperability. If they don't want to play along with the consensus, they shouldn't bother trying.
I'd really hope that whoever owns the OpenID trademark comes after them and forces them to stop calling whatever they're doing "OpenID". If it's not compatible with an existing specification, it's not OpenID. They will risk seriously devaluing their trademark if they allow incompatible implementations to use the name. They need to be ruthless about this. Google can do whatever it wants and call it "GoogleID", but if it's called "OpenID", it needs to be compatible with everyone else claiming to be that.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
...Google scares me more than Microsoft. Even as a die-hard Linux and BSD user, a FOSS zealot, I rest easy knowing Microsoft in its current form will likely be dead in less than a decade. Google, on the other hand, stands to become the Internet-age version of Standard Oil. This is the first "publicly-visible" sign of their slide into Microsoft-like evilness, and unlike MS, they will probably be around a long, long time.
Think about it: the OS doesn't *really* matter (if it did OS X and Linux and all the rest would never have any users). Even MS knows this, as they prepare to break into the "cloud" market. Even the applications aren't *that* important now, with the number of people working on converters and programs like OpenOffice. What's important is data, raw information, and Google is a massive data broker.
Be very, very careful how much you trust to Google.
~Eien no Inori wo Sasagete~ Searching for my Hatsumi...
I don't know too much about OpenID, but in my understanding, you login with your website URL. It seems google is letting you use your email address, which makes more sense (or would make more sense to normal users anyway, as people are used to being forced to enter an email in posting comments in blogs anyway).
It's a good thing!
You see, it is OPEN, right? I mean, it says so right in the name of the protocol *OPEN*ID right? And google is cool right? So OpenXyz + Google = Win, right? I mean, OpenID sucks, right? What is wrong with somebody embracing it and then fixing the problems by extending it to be better? Nothing. After all, it is OpenID.
I think if I ever start a company that publishes the most evil DRM spec on earth, I'd probably name it OpenDRM or FreeDRM just so I can win over the Slashdot crowd. As long as it has Open or Free in the name, you can pretty much get away with murder, especially when your Slashdot corporate karma is "excellent".
But seriously, OpenID needs more than a face lift. For starters, based on my experience with Stackoverflow, browsers need to auto-fill the OpenID box with my URL, er, login name (cough). Then they need to boot out any fool who thinks the "login" should be anything other than an email address. Whoever dreamed up using a URL for a login wanted the spec to fail. Oh, and then when they are done with that, how about moving it down the network stack so that the damn thing can be used to authenticate against protocols other than HTTP, like say, IMAP or something. Oh wait, except OpenID was never intended to be used for authentication... or was it? Nobody really knows because even OpenID proponents say you shouldn't use it for anything other than trivial accounts and if you use it for anything else, you are mis-using the spec!
Nice try, but Microsoft is following the OpenID standard.
Do you even lift?
These aren't the 'roids you're looking for.
Google is a research company; they're doing research. They are improving OpenID, in their opinion. Nobody relies on Google OpenID, they haven't stepped up to make an OpenID implementation and then started adding extensions, and finally broken compatibility to force conversion to their special vendor-locked-in crap. They've come out and said, "We are going to implement something new, based on OpenID."
Wait until Google Docs stops exporting to deprecated MS Word 97 format (and ignores .docx entirely), but does export to Google Document Format for their new Google Desktop Office; then you'll see Microsoft behavior.
Support my political activism on Patreon.
I've used and advocated Google for many years, but I'm getting really close to dropping them altogether. They are one single company that has probably more personal data on every Internet user than anyone, and with that trust comes responsibility... but they've been very non-responsive to most Internet users as of late.
I'll probably never be able to drop them completely since they do have the best search engine, but as a portal site for pretty much everything, email, newsgroups, etc... I think they're becoming way too big for their own good.
OpenID is a "standard". SAML is a "standard". Everyone seems to implement them slightly differently -- but at least folks are publishing how they're doing it, which is more than I can say of how things were 5 years ago.
1. Do they make it possible for everyone else to implement exactly what they are doing, on both the producer and consumer end, without any patent restrictions, royalties, or discriminatory licensing?
2. How close is what they are doing to the latest version of the standard, not 1.0?
3. Do they try to get what they are doing into version 2.1 (or whatever) of the standard?
4. Do they really have a reason for doing this? Like making the login easier for normal nontechnical people rather than you and I?
Bruce
Bruce Perens.
There IS a difference between "embrace and extend" and "extend right away": sneakiness.
Google lacks something both MS and Apple are going to enjoy for a long time: user lock-in via proprietary formats, DRM and/or user training.
Google has much less leverage to become evil by abusing lock-ins... hence less evilness.
The Cloud - because you don't care if your apps and data are up in the air.
I'm not really addressing your conclusions here, I'm just wondering about one of your assumptions...
Think about it: the OS doesn't *really* matter (if it did OS X and Linux and all the rest would never have any users).
If the OS didn't matter I'd be using Windows. It's because the OS matters that there's more than one OS out there.
Can you explain what you mean here?
I've got one word for you
Huh? No seriously. Huh?
OpenID is just so damn unintuitive that nobody really gets it. It is a fucking login. Why can't it be an email address? Why can't it resolve the right place to conduct authentication business via DNS the same way SMTP gets its MX record based on everything after the @domain.com?
Seriously, the more people try to explain it, the more it just makes people's eyes glaze over. All they see, and all I see, is a fugly looking URL that is supposed to magically authenticate me, only as a web developer, I'm told I can't actually trust the authentication because the protocol wasn't designed for it. Or something. My head spins now.
Check out stackoverflow.com, it exclusively uses OpenID for account info.
The problem from Google's perspective is that the user doesn't have a Google URL, they have a Google username, and that's what the users think they should enter in order to log in.
So, instead of typing in something like http://username.openid.google.com/ the user selects "Google Account" from a drop-down box, and types in his user name. (Which is functionally equivalent to MS Passport.)
When I log in to a blog and leave a comment with my OpenID, my OpenID URL is displayed as the unique identifier of the author attached to that post.
This presents a problem for Google Accounts as OpenIDs because while URLs are intended to be public ready-to-be-displayed information, a Google Account username (which is easily translatable into an e-mail address) is not.
Therefore, the URL that Google needs users to enter is something like http://nickname.openid.google.com/ but they don't know that that's what they should enter (because they don't know how OpenID works), and so Google is providing a way for sites to translate a Google-authenticated ID into something like an OpenID.
I think if they're going to do this, that they should also offer a way to do it directly, with a URL, for normal OpenID sites that don't support their little proprietary system, and make efforts to wean users off of the proprietary system by showing them their OpenID URL and telling them how to sign in normally.
...because "hacker" sounds way sexier than "code drone."
No Party
Dear AC,
This is an understandable assumption but doesn't reflect the facts. For example, Symbian has purchased consulting services from me. If you look here, you'll notice that I am not afraid to criticize them.
Had Google taken me on and allowed me to work on the PR for this, I would have had them communicate about it differently. It's no trouble for Google to get this stuff back into OpenID, but they obviously didn't take the trouble to assure people that would happen.
Bruce
Bruce Perens.
I think we can ignore Microsoft, as their embrace/extend/destroy philosophy has remained consistent for decades. If they join OpenID it is only to destroy it from within. But this story is a bit crap.
"As Google points out, this isn't OpenID. This is something that Google cooked up that resembles OpenID masquerading as OpenID"
So if Google says it isn't OpenID, how is it masquerading as OpenID? It sounds like they like the OpenID architecture so have copied it for internal use. Why not? They want to lock in their users, same as they want to cripple Android, and feel they have the mind-share and marketing muscle to do it. From what I've been reading OpenID is over-complicated, lacks mind-share, and a number of people would rather not have a single pass at all.
Rather than embrace and extend, it sounds like Google are preparing for an embrace then possible fall-back. They pinch the best bits of OpenID and add their own, but if there is overwhelming demand for it, then being 99% compatible means it should be easy to switch if necessary.
How many Slashdot readers have written to their favourite site demanding they support OpenID for their own convenience? My guess not many.
Phillip.
Property for sale in Nice, France
The cycle of a hip young company usurping the stagnant incumbents, only to become a stagnant incumbent itself, continues.
Where is Google's successor?
I'll be the first (albeit a little late) to admit I thought Google was pulling a MS for a moment. So what would call for revising the standards? Well let's say you have a lemonade stand. What if your normal set-up doesn't provide all the things you (and your customers) would like out of your lemonade stand? That's where you go out and implement these features. Google would find out what the users would like and then make it happen. MS would start selling orange juice. Now wait, that's not what NORMAL lemonade stands do! Well you're right. If a standard itself is causing problems for the user and the operator then there's more than likely a problem with the standard. (Or you have really bad operators.) If the changes were for the better, other stands of the like will do the same. Eventually, you bring forth better standards. This, like a lot of things, is a double-edged sword as we also end up with a lot more orange juice stands. They haven't wronged (me) us yet, anyhow.
1) Embrace
2) Extend
3) ?????
4) Profit!
Google must have gotten role confusion when Microsoft took on the open standards approach. They were so ready to be in conflict with Microsoft that they defied their own policies in order to produce a conflict of interests. What's the point of accepting an open standard when you're turning it into an incompatible closed standard? Would they rather everyone accepted GoogleID or are they going one further? If they're going to be so proprietary, why not trash the entire standard and just start from the ground up? Why go half-douche when they can go full-douche?
Well, since it's Google I'm sure everyone (see: slashdot) will rationalize how this is somehow "right for the web". Somehow, embracing an open standard by closing it off will be twisted to sound like a good thing. I think it's time for Slashdot readers to start gauging their own hypocrisy and thinking about this objectively. Admit it, people-- Microsoft is the good guy in this one. Take off your tin foil hats for just one second and see the light.
Having implemented OpenID 1.1 Relying Party support myself, I think I can definitely see what Google is up to, and it isn't evil, people. OpenID 1.1 was elegant simplicity. Our team built OpenID Relying Party support in just a couple of days without even using any external libraries. OpenID 2.0, on the other hand, is a disaster. Its architecture reeks of design-by-committee. There were four different groups vying to define the standard for single-sign-on for the web, so what did they do? They basically just glommed all of the different technologies together and called it OpenID 2.0. There are all sorts of things you have to support, like I-Names (which no one is going to use). In the end our team decided to just implement OpenID 1.1 and rely on the recommendation for backward compatibility which is built into OpenID 2.0 (a recommendation which Yahoo ignored, btw).
So it's very possible that some engineers at Google said "hold on a minute. This sucks. OpenID 1.1 made a lot more sense, let's build out from there and see if it's something that the Internet community accepts."
It may even come to pass that both OpenID 2.0 and Goopen-ID both end up specifying backwards compatibility to OpenID 1.1, which would be great because it would effectively halt the progress of the over-engineered OpenID 2.0 and put us back on a saner path.
Let's not call Google's plans evil until we see where this goes. It could end up being something that finally puts this useful technology into some widespread use.
Tired of FB/Google censorship? Visit UNCENSORED!
OpenID == Passport
Websites == Countries
Password == That picture of you
When you visit a website (country), they want to make sure it's you so they ask for your OpenID (passport). To verify the OpenID (passport) is yours, they ask you to type in your password (compare your face to the picture) and contact your ID hosting website (scan your passport).
It's open development if the extension is as open as the original standard. It's not an accepted standard until the standards group accepts the extension.
Is it an Open Standard if you can't extend it openly? I am entirely against closed extensions to open standards, and unnecessarily incompatible extensions, the classical "Embrace, Extend, Extinguish" stuff. But I am equally against standards being a ball and chain that prohibits further innovation. You should be able to produce an extension that you make open on the same terms as the original standard.
It looks to me as if Google is attempting to hit OpenID with a clue stick on a really obvious issue, saying "Normal folks use email addresses to log in, dummies!". And I am being told that what they are doing is really close to OpenID 2.0.
Bruce
Bruce Perens.
I don't want my e-mail address sitting there attached to my comment for all the world to see and add to their SPAM database.
I don't even want the blog I'm commenting on to have it. That's kind of the point: I can uniquely authenticate as myself, and there's a neat little link to my blog if you want to contact me or read more about/by me.
...because "hacker" sounds way sexier than "code drone."
Embrace, Beta, Languish!
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
One of the highly rated posts in the previous discussion pointed out that having a URL as your login essentially puts you in the hands of whoever owns that URL.
If Microsoft or Google or Sourceforge or LiveJournal or whatever authentication provider you happen to use suddenly decides they don't want to be in the authentication business any more, you could potentially find yourself locked out of your accounts on any number of websites and services for which you were using it.
A way around this is to provide a delegate. eg. If and when I use OpenID, I use my own website as my login. The page served up from that URL has a couple of Meta tags which points to my authentication provider and specifies my username with that provider. When I log into something, I'll (eventually) be redirected to that authentication provider and asked for my password. If the provider decides to shut down, I can switch to another one, and change where the delegate on my website points.
I still find it concerning for anything important, at least to the extent that I understand OpenID, which isn't too deep (so if anyone wants to correct me or elaborate on this stuff I'm definitely interested). Having my own delegate system means that I have to keep that website up and available for as long as I want to access all my OpenID-connected accounts. This costs money, and it also requires various skills. I can probably do this for the foreseeable future, but most people couldn't either for financial reasons or because they don't have the skills.
Also from a security perspective, if someone happens to hack my website and changes the delegate info to point at an authentication provider of their choosing (to which they can authenticate), they'd potentially get access to all my OpenID-connected accounts... never mind that a rogue employee working at the authentication provider could also potentially log into lots of people's accounts all over the place.
I'll use my OpenID for convenient posting of comments on people's blogs and the like, but in its current state I wouldn't really want to use it for something important like my banking information, or anything else involving money or important info. I know enough about IT to know that I don't trust my own ability as a security expert, for one thing.
In this regard, it's worth noting that Google has posted a bit of "public documentation" regarding its usability research in this area (see their Usability Research on Federated Login, for starters.)
So part of the spec requires my webserver to go *fetch and parse your personal web page* to see if it has a <link rel="openid.server" /> tag in it to meet the spec? Are you kidding me? No wonder people don't implement OpenID logins!
You are telling me that to support OpenID I now have to add an entire library to parse your no-doubt busted frontpage website to see if I should use you for OpenID or go redirect elsewhere!? What could possibly go wrong with that idea!?
Hah! What an *excellent* way to implement a DOS attack! Now I can get your website to hit my enemy's website by entering a FUCKING URL into your OpenID box!!!! Worse, I can get YOUR WEBSITE to eat up its resources hitting my slow, bloated page to see if I have a magic OpenID <link rel="openid.server" /> tag!
What a brilliant scheme! So many moving parts, so many points of failure, what could possibly go wrong!!!
What Google is doing sounds just like the crap Microsoft has done all these years. Extend and embrace, meaning... we will take existing protocols and intentionally break them to make everyone's lives difficult.... because we can.
My karma is not a Chameleon.
That's not true.
They've provided a spec on its (fairly trivial) interaction (since developers couldn't use it otherwise), and they've provided recommendations and rationale on implementation approaches and UI design to support this approach (including recommendations which presuppose other IDPs will also be using this design.) Other than that, they haven't provided a reference implementation of the black box, which is fairly simple: you send it an HTTP GET request and it responds with an XRDS document whose only interesting bit (and the only thing whose content isn't fixed) is the OpenID provider endpoint URL to use. If you can't implement a version of that for your own OpenID provider, you probably don't have any business implementing any kind of web application, OpenID provider or otherwise.
See Google's documentation here.
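The "black box" the comment above describes returns an XRDS document, and the only variable part of it is the provider endpoint. As an added example (not Google's code, nor the thread's), here is the relying-party side of that step: parse the XRDS with the standard library and pick the endpoint out of the service advertising the OpenID 2.0 OP-identifier type. The XRDS sample, the `provider.example` endpoint and the https-only rule are constructed assumptions; the `xri://$xrd*($v*2.0)` namespace and the `http://specs.openid.net/auth/2.0/server` service type are the ones the OpenID 2.0 discovery format uses.

```python
"""Added example: extract the OpenID provider endpoint from an XRDS document.
Not Google's code; the XRDS sample and endpoint URL are constructed."""
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
OP_IDENTIFIER_TYPE = "http://specs.openid.net/auth/2.0/server"


def provider_endpoint(xrds_text, wanted_type=OP_IDENTIFIER_TYPE):
    """Return the https <URI> of the best-priority <Service> that advertises
    `wanted_type`, or None. In XRDS a lower priority number wins and a missing
    priority ranks last. Only this one value is taken from the document; the
    rest is deliberately ignored rather than trusted."""
    root = ET.fromstring(xrds_text)
    candidates = []
    for service in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in service.findall(f"{{{XRD_NS}}}Type") if t.text}
        if wanted_type not in types:
            continue
        priority = int(service.get("priority", "1000000"))
        for uri in service.findall(f"{{{XRD_NS}}}URI"):
            value = (uri.text or "").strip()
            if value.startswith("https://"):     # hardening choice (assumption)
                candidates.append((priority, value))
    if not candidates:
        return None
    return min(candidates)[1]


# Constructed sample: an unrelated service first, then the OP endpoint, with
# an http:// alternative that the https-only rule should skip.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://example.org/some-other-service</Type>
      <URI>https://provider.example/other</URI>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>http://provider.example/openid-endpoint</URI>
      <URI>https://provider.example/openid-endpoint</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""

if __name__ == "__main__":
    print(provider_endpoint(SAMPLE_XRDS))
```

Because the XRDS comes from a remote server, a production relying party would parse it with an entity-expansion-safe parser such as defusedxml and apply the same size and timeout limits as any other discovery fetch; `xml.etree` is used here only to keep the example dependency-free.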
"I don't care whether I can login to Google with OpenID."
Wait a second, wtc? What does this have to do with anything at all? Not only have you not read about Google's changes, you don't appear to know anything about the identity space.
No one anywhere logs in to their identity provider with their OpenID; they log in to their identity provider manually for the explicit purpose of authorizing their OpenID. If you could log in to an OpenID account with an OpenID URL, anyone could log into your account just by using your OpenID URL; there wouldn't be any security at all.
I really haven't a clue what in my argument this line has anything to do with, nor whether this statement even makes any sense.
They're using a protocol that's almost, but not entirely, 100% incompatible with OpenID 2.0. It's based on OpenID 2.0 enough that most of the code can be reused, but fundamentally incompatible enough that you can't log into OpenID sites with a Google login (or sites supporting the Google login with OpenID), and probably never will be able to.
Once Google became a publicly traded company their only obligation transitioned to making a profit for their shareholders.
Yeah that sucks but it's reality.
Google: We do less evil than everyone else(tm)
Let the backlash and my modding down begin!
I cannot overemphasize the need to actually read the articles: Google is not supporting OpenID 1.0, they are supporting OpenID 2.0. This is exactly as they claim in the first article. The sensationalist second article linked above is claiming they somehow extended OpenID 1.0, when really it was the OpenID designers who extended it into its second form. Google is embracing the protocol as it exists.
If I were Google, I would demand a retraction from this guy for pushing this libelous garbage.
Fork it! We'll do it live!
Brad Fitzpatrick the creator of OpenID is working for Google now.
Maybe he knows better what they are doing.
What a ridiculous headline.
To quote from the actual posting, "The initial version of the API will use the OpenID 2.0 protocol"
This version was developed by OpenID, and is incompatible with 1.0, but open in the same way for everyone to use, with a number of improvements... Google is forking nothing.
An anonymous poster conjugates an argument that Google is doing something Microsoft isn't, and postulates it's something nobody else is doing. (looks over the article & site) No attributed author to the piece, the comments consider it misinformed, and the site claims a "non-profit" status while hawking ads for birth-control and the NRA. This isn't news: it's anonymous cowards drawing us to their blog.
Life is irony, and nothing ever goes as planned.
Actually, Google seems to be well placed to influence/extend OpenID development, given who works for them.
You aren't remembered for doing what is expected of you
The problem is even OpenID 2.0 doesn't work. People don't have a clue why they should be entering a URL in a login form, where that URL comes from, etc. It's much simpler for them to enter their email address, and have the site redirect to Google Login. Of course there has to be a way for the Google version and the OpenID people to get together and improve the standard itself.
Embrace and extend anyone?
THIS SPACE FOR RENT
*snort*
The OS obviously does matter to the application, or else I would still be using FreeBSD on a Thinkpad instead of OS X on a Macbook. And I'd be happier. Certainly my wrists would be happier: Apple's hardware looks pretty but it's an ergonomic disaster.
The hardware certainly matters. Apple's restricted hardware kept me from getting a new Mac until the mac mini came out and I could get a desktop Mac that was actually an upgrade over my beige G3.
Applications matter, or (as noted) I'd be sticking with a free OS regardless of the available applications.
Someone who says "X doesn't matter" is trying to sell you something that doesn't do X. Well, except Chumbawamba. But they're artists.
It's all about compromise. I will never compromise with terrorist operating systems.
> Setup a basic API where any new website, forum,
> blog, etc can simply post that email and password
> to the appropriate place, and come back with a
> response.
You overlook the fact that the consumer site must never handle the password. Otherwise federation fails because that site can masquerade as the user to other federated consumer sites.
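The objection above is the core design constraint of federated login: the consumer site only ever receives an assertion it can verify, never the credential itself. The block below is an added example, not code from the thread, showing both sides of that arrangement in one process: a provider that checks the password against a salted hash and emits a signed assertion, and a relying party that verifies the signature over the fields listed in `signed`, checks the assertion was minted for its own `return_to`, and rejects replays. The signing follows the OpenID 2.0 key-value form (`key:value\n` per signed field, HMAC over the result), which is this example's reading of the spec rather than something the thread states; the association handle, key, users and URLs are constructed.

```python
"""Added example: a relying party that never sees the password.
Not code from the thread; handles, keys, users and URLs are constructed."""
import base64
import hashlib
import hmac
import secrets

# Association agreed earlier between provider and relying party (constructed).
ASSOC_HANDLE = "assoc-constructed-1"
ASSOC_KEY = secrets.token_bytes(32)


def kv_form(fields, signed):
    """OpenID key-value encoding of the signed fields, in `signed` order."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed.split(",")).encode()


def sign(fields, key):
    mac = hmac.new(key, kv_form(fields, fields["signed"]), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def make_record(password, salt=None):
    """Salted PBKDF2 record for the provider's user table (constructed users)."""
    salt = salt or secrets.token_bytes(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}


class Provider:
    """The only party that ever handles a password."""
    def __init__(self, users):
        self._users = users                     # username -> make_record(...)

    def authenticate(self, username, password, return_to):
        rec = self._users.get(username)
        if rec is None:
            return None
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        if not hmac.compare_digest(digest, rec["hash"]):
            return None                         # fail closed: no assertion at all
        fields = {
            "ns": "http://specs.openid.net/auth/2.0",
            "mode": "id_res",
            "claimed_id": f"https://provider.example/id/{username}",
            "return_to": return_to,
            "assoc_handle": ASSOC_HANDLE,
            "response_nonce": secrets.token_hex(8),
            "signed": "ns,mode,claimed_id,return_to,assoc_handle,response_nonce",
        }
        fields["sig"] = sign(fields, ASSOC_KEY)
        return fields


class RelyingParty:
    """Stores no passwords; holds only the association key and seen nonces."""
    REQUIRED = {"ns", "mode", "claimed_id", "return_to", "assoc_handle", "response_nonce"}

    def __init__(self, my_return_to):
        self.my_return_to = my_return_to
        self._seen_nonces = set()

    def verify(self, fields):
        """Return the claimed identifier if the assertion is valid, else None."""
        if not fields or fields.get("assoc_handle") != ASSOC_HANDLE:
            return None
        signed = fields.get("signed", "").split(",")
        if not self.REQUIRED.issubset(signed):
            return None                         # an unsigned field could be swapped
        try:
            expected = sign(fields, ASSOC_KEY)
        except KeyError:
            return None                         # a listed field is missing
        if not hmac.compare_digest(expected, fields.get("sig", "")):
            return None
        if fields["return_to"] != self.my_return_to:
            return None                         # minted for another site
        if fields["response_nonce"] in self._seen_nonces:
            return None                         # replay of an old assertion
        self._seen_nonces.add(fields["response_nonce"])
        return fields["claimed_id"]


if __name__ == "__main__":
    prov = Provider({"alice": make_record("correct horse")})
    rp = RelyingParty("https://consumer.example/return")
    print(rp.verify(prov.authenticate("alice", "correct horse", rp.my_return_to)))
```

Notice what the relying party holds: an association key and a nonce set, nothing that would let it impersonate Alice to a different consumer site. That is exactly the property the quoted "post the email and password to an API" design would throw away.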
nt
Sorry to break it to you, but your email is not private. It never was. Deal with it.
There is one other advantage to using an email address coupled with the proper way to locate an OpenID server (DNS). It is backwards compatible with existing login systems. On your signup form, you can get your webserver to check if the email address has an OpenID account associated with it and offer to authenticate using that rather than your "legacy" methods. Every time a legacy user logs in, you could test to see if they finally have an OpenID account and then offer the same deal.
You can't do that with some hare-brained "URL".
Oblig link when mentioning a bunch of competitors who are desperately trying to out-extend each other (with spectators in the background cheering: "GOO! GLE!").
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
Microsoft hasn't been sitting on their hands, no. Now they have a new server (Geneva) and client (CardSpace) built into IE to provide authentication services... so long as your webserver and browser are Windows!
http://www.theregister.co.uk/2008/10/30/microsoft_generva_hailstorm/print.html