By afkham_azeez
via afkham.org
Published: Jul 17 2008 / 04:00
Demand OpenID support for all the sites you sign into every day.
Tags: open source, security
Comments
bloid replied ago:
why?
jjw.myopenid.com replied ago:
I'll assume you're asking why one would use OpenID, and therefore demand that more sites support it.
* Single sign-on. Only need to remember one username and password.
* I don't trust unknown developers with my personal info (email, unencrypted password, etc.; see the reddit debacle).
* To build an online identity. I am jjw.myopenid.com everywhere I use that OpenID.
bloid replied ago:
1) Fair enough
2) You're still trusting unknown developers, and now there's a central point that can see, from the requests it is getting, which sites you are visiting.
3) Fair enough... Not a very catchy id though is it?
pentolino replied ago:
I think the use of OpenID is somewhat controversial... I mean, I would gladly use it anywhere I use "pentolino" because it is a "not-completely-serious" id, although I sometimes use it to write something interesting (hopefully).
But I'm not sure I would gladly sign up to OpenID using my real name, or something that can be traced back to me as a "true" person; unless the OpenID server is run by myself or someone I personally trust (no government or corporation/organization falls in this category, of course).
Anyway thumbs up for this link!
AfkhamAzeez replied ago:
@bloid, I'd have to agree that you have a valid point here. In the end, you'd need to trust somebody with your credentials. It is about trusting a large number of sites/persons with your credentials vs. trusting a single site/few persons.
bloid replied ago:
But you're trusting a single site, or a few people with a much larger pool of data about you.
Those people will now know all the sites you log in to (and, taken to the extreme, could log in pretending to be you). And all this centralised information could end up a data-miner's dream... Look at all the arguments over the Phorm debacle... admittedly, that was browser tracking on a much grander scale, but I feel there are possible similarities.
I'm just saying that without this argument, the Pro OpenID arguments seem to consist of
1) I don't want to remember more than 1 password
2) I want to have a single identity across the web
#1 seems a trifle lazy, but I can see the point, and #2 I don't necessarily agree with, as surely that's one of the points of the web. Whilst the relative anonymity it brings does make it a haven for trolls and pornographers, it also allows people much greater freedom to be what they want to be online, regardless of their real-world persona.
Couple this with my trust issues, and you can see why I'm not a fan
I am perfectly willing to accept the fact that time may prove me wrong, however (it has on many things, I can tell you); this is just a snapshot of my current thoughts on the matter... As I say, in a year or two, they may all be proved to be garbage ;-)
afkham.azeez.myopenid.com replied ago:
@jjw.myopenid.com, yes, you are right... OpenID is going to be the future, and already some of the major sites have started to support it.
For those of you who are new to OpenID, there is a good presentation available at http://wso2.org/library/3593
eabarquez replied ago:
Of course major sites support it, it is in their advantage to do so.
I don't know if having one password and user name for all the sites you log into is something that everybody wants. And this sounds like a trivial thing to have in comparison to exposing yourself to a much greater security threat. So what if your OpenID account gets hacked? Does that mean all the rest of the sites you log in to get hacked too?
I'd rather take note of my account names and passwords.
bloid replied ago:
Another good point
prabath replied ago:
"I don't know if having one password and user name for all the sites you log into is something that everybody wants. And this sounds like a trivial thing to have in comparison to exposing yourself to a much greater security threat. So what if your OpenID account gets hacked? Does that mean all the rest of the sites you log in to get hacked too?"
The exact question is answered well in the presentation pointed out by Azeez: http://wso2.org/library/3593
Also, I answer the same question in my blog post: http://blog.facilelogin.com/2008/04/why-openid.html
Further you can also go through this podcast as well... http://wso2.org/library/3518
Thanks.
- Prabath
AfkhamAzeez replied ago:
@prabath, there is some risk when the OpenID password is compromised. Until such time as you realize that your password has been compromised, the attacker can log in to your sites using your ID and steal your information. Therefore, there are scenarios in which OpenID will not be appropriate. Anyway, having a single form of authentication is always a risk. That is why sites requiring very high security, like banks, incorporate at least two forms of authentication: something you know (password, security question, etc.) and something you possess (e.g. an RSA token).
However, in my case, for the developer sites I visit daily, like DZone http://www.dzone.com, TSS http://theserverside.com and OxygenTank http://wso2.org, I'd prefer to use my OpenID. Therefore, one cannot say that OpenID should be enabled by all sites or that OpenID is totally useless. Like any other technology, it has to be used in the appropriate areas.
bloid replied ago:
So "demanding" openID login to all the sites you visit each day may not be a sensible thing to do? ;-)
AfkhamAzeez replied ago:
... unless you are a developer who signs into several developer portals each day ;-)
prabath replied ago:
OpenID started small... it had many security concerns in its 1.1 version... but now the community is taking it forward. OpenID 2.0 addresses many of the security issues found in 1.1.
As per myOpenID, there are more than 13,000 OpenID relying party web sites today, and it's natural that the community is demanding this choice.
That doesn't mean each and every web site should support OpenID login, but many of the community web sites will go in that direction.
prabath replied ago:
OpenID adds support for multi-factor authentication with the PAPE specification. Given that the RP trusts the OP, the RP can rely on the OP to authenticate the user in a multi-factor manner.
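The PAPE exchange that the two comments above (the "something you know / something you possess" point and the PAPE note) are talking about, shown as an added example that is not code from the thread, from WSO2 or from any OpenID library: the relying party (RP) asks the OpenID provider (OP) for a multi-factor policy and a maximum authentication age, and then checks what the OP actually asserts in its reply instead of assuming the OP honoured the request. Parameter names and policy URIs follow the PAPE 1.0 specification; the endpoints and the OP responses are constructed by hand so the example runs offline, and verification of the OpenID signature itself is assumed to have been done by the OpenID library before these checks run.

```python
# Added example: RP-side handling of the OpenID PAPE (Provider Authentication
# Policy Extension) request and response. Sample data below is constructed;
# op.example / rp.example / alice.op.example are hypothetical hosts.
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
POLICY = "http://schemas.openid.net/pape/policies/2007/06/"
PHISHING_RESISTANT = POLICY + "phishing-resistant"
MULTI_FACTOR = POLICY + "multi-factor"
MULTI_FACTOR_PHYSICAL = POLICY + "multi-factor-physical"
NONE_POLICY = POLICY + "none"          # OP says it satisfied no policy


def build_pape_request(preferred_policies, max_auth_age):
    """RP side: PAPE parameters appended to the openid.mode=checkid_setup
    request. max_auth_age (seconds) tells the OP to re-authenticate the user
    if the last authentication is older than that."""
    return {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": " ".join(preferred_policies),
        "openid.pape.max_auth_age": str(max_auth_age),
    }


def pape_alias(params):
    """The OP may bind the PAPE namespace to any alias, not only 'pape',
    so find it by namespace URI instead of assuming the name."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def verify_pape_response(params, required_policies, max_auth_age, now):
    """RP side: return (ok, reason) for a positive assertion from the OP.
    'now' is passed in explicitly so the check is deterministic."""
    alias = pape_alias(params)
    if alias is None:
        return False, "OP did not answer the PAPE request"
    policies_field = alias + ".auth_policies"
    time_field = alias + ".auth_time"

    # PAPE requires the OP to sign its response fields; anything outside
    # openid.signed could have been altered in transit, so refuse it.
    signed = set(params.get("openid.signed", "").split(","))
    for field in ("ns." + alias, policies_field, time_field):
        if field not in signed:
            return False, field + " is not covered by the OP signature"

    satisfied = set(params.get("openid." + policies_field, "").split())
    satisfied.discard(NONE_POLICY)
    missing = set(required_policies) - satisfied
    if missing:
        return False, "OP did not satisfy: " + " ".join(sorted(missing))

    # auth_time is a UTC timestamp of the form 2008-07-17T04:00:00Z
    try:
        auth_time = datetime.strptime(
            params["openid." + time_field], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False, "missing or malformed auth_time"
    if auth_time > now + timedelta(seconds=60):     # tolerate small clock skew
        return False, "auth_time lies in the future"
    if now - auth_time > timedelta(seconds=max_auth_age):
        return False, "authentication is older than max_auth_age"
    return True, "ok"


# Constructed sample data: a positive assertion as the OP would send it back
# to the RP's return_to URL, two minutes after the user authenticated.
SAMPLE_NOW = datetime(2008, 7, 17, 4, 2, 0, tzinfo=timezone.utc)
BASE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/server",
    "openid.claimed_id": "https://alice.op.example/",
    "openid.identity": "https://alice.op.example/",
    "openid.return_to": "https://rp.example/openid/return",
    "openid.response_nonce": "2008-07-17T04:00:00ZabcDEF",
    "openid.assoc_handle": "assoc-1",
    "openid.sig": "base64signature==",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                     "response_nonce,assoc_handle,ns.pape,"
                     "pape.auth_policies,pape.auth_time",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_time": "2008-07-17T04:00:00Z",
}
# OP did password + hardware token.
GOOD_RESPONSE = dict(BASE_RESPONSE, **{
    "openid.pape.auth_policies": MULTI_FACTOR + " " + MULTI_FACTOR_PHYSICAL})
# OP used a plain password only.
WEAK_RESPONSE = dict(BASE_RESPONSE, **{"openid.pape.auth_policies": NONE_POLICY})
# OP claims multi-factor but left the PAPE fields out of the signature.
UNSIGNED_RESPONSE = dict(GOOD_RESPONSE, **{
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                     "response_nonce,assoc_handle"})

if __name__ == "__main__":
    print(urlencode(build_pape_request([MULTI_FACTOR], 300)))
    for name, resp in [("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE),
                       ("unsigned", UNSIGNED_RESPONSE)]:
        print(name, verify_pape_response(resp, [MULTI_FACTOR], 300, SAMPLE_NOW))
```

The point of the three constructed responses is that "the RP trusts the OP" still has to be enforced on the wire: the OP may ignore the preferred policies (it answers with the `none` policy), it may report a stale authentication, or a tampered response may carry PAPE fields that are not under the OP's signature. An RP that only looks for `openid.pape.auth_policies` being present, without checking `openid.signed` and `auth_time`, gets none of the second-factor assurance the comment describes.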