Slashdot Mirror
Google Adopts, Forks OpenID 1.0
An anonymous reader writes "Right on the heels of Microsoft's adoption of the OpenID protocol by announcing their intention to enable OpenID authentication against all Live IDs, Google has announced their intention to join the growing list of OpenID authentication providers. Except it turns out they're using their own version of OpenID that is incompatible with everyone else. It seems that Google will be using their own 'improved' version of OpenID (based upon research and user feedback of the OpenID system) which isn't backwards compatible with OpenID 1.0/2.0, in hopes of improving end-user experience at the cost of protocol compatibility and complexity."
OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience.
Everyone else's vision statement:
Fuck OpenID, I'm in control now.
My work here is dung.
just fork it!
Substitute Microsoft's name for Google and it'd be just another day in tech. Interesting to see Google doing this though.
You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
if microsoft did this, the hoardes would be eviscerating the company
if google does this, watch the defenders come out of the woodwork
slashdot bias: microsoft bad, google good, apple shrug
its not the year 2000 folks. google is not some little darling upstart anymore. update your bias accordingly please
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Google OpenID: New and improved personal information gathering.
If you have something that you dont want anyone to know, maybe you shouldnt be doing it in the first place -Eric Schmidt
I mean, if I can't use my Gmail address to logon to websites that actually support OpenID, then why would I bother? Not only that though, does it support non Google addresses hosted on Google Apps? (E.g. sexygrrl@example.com)? If not, then even bigger fuck off to it.
Meh, sounds a bit like another "Passport", fuck that, I don't want a big (or little) corporation controlling my ID.
Anyway for the ignorant and lazy:
http://en.wikipedia.org/wiki/OpenID
I wank in the shower.
OpenID usability sucks.
There, I said it. It's true. My computer-illiterate dad just wants to post a comment on a blog, or to login to a new website. You can't possibly expect him to do something as complex as reading up on what OpenID is, signing up for an OpenID account on a totally different website that has got nothing to do with the original website that he was on, and then logging in by entering a long magical URL. People like him - average users - have trouble enough understanding usernames and passwords! The recently published OpenID usability study confirms all the criticism that I've had on OpenID.
While OpenID is technologically sound, its usability is not. If Google's version is more usable, but is still open, then I'd gladly support it even if it's not compatible with the "official" OpenID standard. I don't care whether they're being "nice" or "evil" or whatever, I want better usability because software is supposed to be usable.
...Google scares me more than Microsoft. Even as a die-hard Linux and BSD user, a FOSS zealot, I rest easy knowing Microsoft in its current form will likely be dead in less than a decade. Google, on the other hand, stands to become the Internet-age version of Standard Oil. This is the first "publically-visible" sign of their slide into Microsoft-like evilness, and unlike MS, they will probably be around a long, long time.
Think about it: the OS doesn't *really* matter (if it did OS X and Linux and all the rest would never have any users). Even MS knows this, as they prepare to break into the "cloud" market. Even the applications aren't *that* important now, with the number of people working on converters and programs like OpenOffice. What's important is data, raw information, and Google is a massive data broker.
Be very, very careful how much you trust to Google.
~Eien no Inori wo Sasagete~ Searching for my Hatsumi...
I don't know too much about OpenID, but in my understanding, you login with your website URL. It seems google is letting you use your email address, which makes more sense (or would make more sense to normal users anyway, as people are used to being forced to enter an email in posting comments in blogs anyway).
You see, it is OPEN, right? I mean, it says so right in the name of the protocol *OPEN*ID right? And google is cool right? So OpenXyz + Google = Win, right? I mean, OpenID sucks, right? What is wrong with somebody embracing it and then fixing the problems by extending it to be better? Nothing. After all, it is OpenID.
I think if I ever start a company that publishes the most evil DRM spec on earth, I'd probably name it OpenDRM or FreeDRM just so I can win over the Slashdot crowd. As long as it has Open or Free in the name, you can pretty much get away with murder, especially when your Slashdot corporate karma is "excellent".
But seriously, OpenID needs more then a face lift. For starters, based on my experience with Stackoverflow, browsers need to auto-fill the OpenID box with my URL, er, login name (cough). Then they need to boot out any fool who things the "login" should be anything other then an email address. Whoever dreamed up using a URL for a login wanted the spec to fail. Oh, and then when they are done with that, how about moving it down the network stack so that the damn thing can be used to authenticate against protocols other then HTTP, like say, IMAP or something. Oh wait, except OpenID was never intended to be used to authentication... or was it? Nobody really knows because even OpenID proponents says you shouldn't use it for anything other then trivial accounts and if you use it for anything else, you are mis-using the spec!
Google is a research company; they're doing research. They are improving OpenID, in their opinion. Nobody relies on Google OpenID, they haven't stepped up to make an OpenID implementation and then started adding extensions, and finally broken compatibility to force conversion to their special vendor-locked-in crap. They've come out and said, "We are going to implement something new, based on OpenID."
Wait until Google Docs stops exporting to deprecated MS Word 97 format (and ignorers .docx entirely), but does export to Google Document Format for their new Google Desktop Office; then you'll see Microsoft behavior.
Support my political activism on Patreon.
I use my site as a provider and every site that I've come across asking me to log in with my OpenID (LiveJournal included) accepts it just fine. That's the idea behind OpenID, you can get your ID anywhere, you can even provide it yourself, and every site claiming to be OpenID compatible MUST accept it when you try to log in with it.
1. Do they make it possible for everyone else to implement exactly what they are doing, on both the producer and consumer end, without any patent restrictions, royalties, or discriminatory licensing?
2. How close is what they are doing to the latest version of the standard, not 1.0?
3. Do they try to get what they are doing into version 2.1 (or whatever) of the standard?
4. Do they really have a reason for doing this? Like making the login easier for normal nontechnical people rather than you and I?
Bruce
Bruce Perens.
There IS a difference between "embrace and extend" and "extend right away": sneakiness.
Google lacks something both MS and Apple are going to enjoy for a long time: user lock-in via proprietary formats, DRM and/or user training.
Google has much less leverage to become evil by abusing lock-ins... hence less evilness.
The Cloud - because you don't care if your apps and data are up in the air.
I've got one word for you
Huh? No seriously. Huh?
OpenID is just so damn unintuitive that nobody really gets it. It is a fucking login. Why can't it be an email address? Why can't it resolve the right place to conduct authentication business via DNS the same way SMTP gets it's MX record based on everything after the @domain.com?
Seriously, the more people try to explain it, the more it just makes peoples eyes glaze over. All they see, and all I see, is a fugly looking URL that is supposed to magically authenticate me, only as a web developer, I'm told I can't actually trust the authentication because the protocol wasn't designed for it. Or something. My head spins now.
I'd really hope that whoever owns the OpenID trademark comes after them and forces them to stop calling whatever they're doing "OpenID". If it's not compatible with an existing specification, it's not OpenID. They will risk seriously devaluing their trademark if they allow incompatible implementations to use the name. They need to be ruthless about this. Google can do whatever it wants and call it "GoogleID", but if it's called "OpenID", it needs to be compatible with everyone else claiming to be that.
http://openid.net/what/ says:
... OpenID is not owned by anyone, nor should it be. ...
And considering the guy that created OpenID (Brad Fitzpatrick) now works for Google, and Google has a seat on the board of OpenID, I don't see much happening
Dear AC,
This is an understandable assumption but doesn't reflect the facts. For example, Symbian has purchased consulting services from me. If you look here, you'll notice that I am not afraid to criticize them.
Had Google taken me on and allowed me to work on the PR for this, I would have had them communicate about it differently. It's no trouble for Google to get this stuff back into OpenID, but they obviously didn't take the trouble to assure people that would happen.
Bruce
Bruce Perens.
The cycle of a hip young company usurping the stagnant incumbents, only to become a stagnant incumbent itself, continues.
Where is Google's successor?
I'll be the first (albeit a little late) to admit I thought Google was pulling a MS for a moment. So what would call for revising the standards? Well let's say you have a lemonade stand. What if your normal set-up doesn't provide all the things you (and your customers) would like out of your lemonade stand? That's where you go out and implement these features. Google would find out what the users would like and then make it happen. MS would start selling orange juice. Now wait, that's not what NORMAL lemonade stands do! Well you're right. If a standard itself is causing problems for the user and the operator than there's more than likely a problem with the standard. (Or you have really bad operators.) If the changes were for the better, other stands of the like will do the same. Eventually, you bring forth better standards. This, like the lot of things is a double edged sword as we also end up with a lot more orange juice stands. They haven't wronged (me) us yet, anyhow.
Having implemented OpenID 1.1 Relying Party support myself, I think I can definitely see what Google is up to, and it isn't evil, people. OpenID 1.1 was elegant simplicity. Our team built OpenID Relying Party support in just a couple of days without even using any external libraries. OpenID 2.0, on the other hand, is a disaster. Its architecture reeks of design-by-committee. There were four different groups vying to define the standard for single-sign-on for the web, so what did they do? They basically just glommed all of the different technologies together and called it OpenID 2.0. There are all sorts of things you have to support, like I-Names (which no one is going to use). In the end our team decided to just implement OpenID 1.1 and rely on the recommendation for backward compatibility which is built into OpenID 2.0 (a recommendation which Yahoo ignored, btw).
So it's very possible that some engineers at Google said "hold on a minute. This sucks. OpenID 1.1 made a lot more sense, let's build out from there and see if it's something that the Internet community accepts."
It may even come to pass that both OpenID 2.0 and Goopen-ID both end up specifying backwards compatibility to OpenID 1.1, which would be great because it would effectively halt the progress of the over-engineered OpenID 2.0 and put us back on a saner path.
Let's not call Google's plans evil until we see where this goes. It could end up being something that finally puts this useful technology into some widespread use.
Tired of FB/Google censorship? Visit UNCENSORED!
It's open development if the extension is as open as the original standard. It's not an accepted standard until the standards group accepts the extension.
Is it an Open Standard if you can't extend it openly? I am entirely against closed extensions to open standards, and unnecessarily incompatible extensions, the classical "Embrace, Extend, Extinguish" stuff. But I am equally against standards being a ball and chain that prohibits further innovation. You should be able to produce an extension that you make open on the same terms as the original standard.
It looks to me as if Google is attempting to hit OpenID with a clue stick on a really obvious issue, saying "Normal folks use email addresses to log in, dummies!". And I am being told that what they are doing is really close to OpenID 2.0.
Bruce
Bruce Perens.
Embrace, Beta, Languish!
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
That's not true.
They've provide a spec on its (fairly trivial) interaction (since developers couldn't use it otherwise), and they've provided recommendations and rationale on implementation approaches and UI design to support this approach (includign recommendations which presuppose other IDPs will also be using this design.) Other than actually providing a reference implementation of the black box (which is fairly simple: you send it an HTTP GET request and it responds with an XRDS document whose only interesting bit (and the only thing whose content isn't fixed) is the OpenID provider endpoint to URL to use -- if you can't implement a version of that for your own OpenID provider, you probably don't have any business implementing any kind of web application, OpenID provider or otherwise.
See Google's documentation here.
Once Google became a publicly traded company their only obligation transitioned to making a profit for their shareholders.
Yeah that sucks but it's reality.
Google: We do less evil than everyone else(tm)
Let the backlash and my modding down begin!
I cannot overemphasis the need to actually read the articles: Google is not supporting OpenID 1.0, they are supporting OpenID 2.0. This is exactly as they claim in the first article. The sensationalist second article linked above is claiming they somehow extended OpenID 1.0, when really it was the OpenID designers who extended it into its second form. Google is embracing the protocol as it exists.
If I were Google, I would demand a retraction from this guy for pushing this libelous garbage.
Fork it! We'll do it live!
Brad Fitzpatrick the creator of OpenID is working for Google now.
Maybe he knows better what they are doing.
What a ridiculous headline.
To quote from the actual posting, "The initial version of the API will use the OpenID 2.0 protocol"
This version was developed by OpenID, and is incompatible with 1.0, but open in the same way for everyone to use, with a number of improvements... Google is forking nothing.