
Google Adopts, Forks OpenID 1.0

An anonymous reader writes "Right on the heels of Microsoft's adoption of the OpenID protocol by announcing their intention to enable OpenID authentication against all Live IDs, Google has announced their intention to join the growing list of OpenID authentication providers. Except it turns out they're using their own version of OpenID that is incompatible with everyone else. It seems that Google will be using their own 'improved' version of OpenID (based upon research and user feedback of the OpenID system) which isn't backwards compatible with OpenID 1.0/2.0, in hopes of improving end-user experience at the cost of protocol compatibility and complexity."

  • by apathy maybe ( 922212 ) on Wednesday October 29, 2008 @05:30PM (#25561395) Homepage Journal

    I mean, if I can't use my Gmail address to logon to websites that actually support OpenID, then why would I bother? Not only that though, does it support non Google addresses hosted on Google Apps? (E.g. sexygrrl@example.com)? If not, then even bigger fuck off to it.

    Meh, sounds a bit like another "Passport", fuck that, I don't want a big (or little) corporation controlling my ID.

    Anyway for the ignorant and lazy:

    OpenID is a shared identity service, which allows Internet users to log on to many different web sites using a single digital identity, single sign-on, eliminating the need for a different user name and password for each site. OpenID is a decentralized, free and open standard that lets users control the amount of personal information they provide.

    http://en.wikipedia.org/wiki/OpenID [wikipedia.org]

  • using email as login (Score:2, Interesting)

    by antimatter15 ( 1261618 ) on Wednesday October 29, 2008 @05:36PM (#25561485) Homepage
    I don't know too much about OpenID, but in my understanding, you login with your website URL. It seems google is letting you use your email address, which makes more sense (or would make more sense to normal users anyway, as people are used to being forced to enter an email in posting comments in blogs anyway).
  • insert foaming (Score:5, Interesting)

    by coryking ( 104614 ) * on Wednesday October 29, 2008 @05:39PM (#25561529) Homepage Journal

    You see, it is OPEN, right? I mean, it says so right in the name of the protocol *OPEN*ID right? And google is cool right? So OpenXyz + Google = Win, right? I mean, OpenID sucks, right? What is wrong with somebody embracing it and then fixing the problems by extending it to be better? Nothing. After all, it is OpenID.

    I think if I ever start a company that publishes the most evil DRM spec on earth, I'd probably name it OpenDRM or FreeDRM just so I can win over the Slashdot crowd. As long as it has Open or Free in the name, you can pretty much get away with murder, especially when your Slashdot corporate karma is "excellent".

    But seriously, OpenID needs more than a face lift. For starters, based on my experience with Stackoverflow, browsers need to auto-fill the OpenID box with my URL, er, login name (cough). Then they need to boot out any fool who thinks the "login" should be anything other than an email address. Whoever dreamed up using a URL for a login wanted the spec to fail. Oh, and then when they are done with that, how about moving it down the network stack so that the damn thing can be used to authenticate against protocols other than HTTP, like say, IMAP or something. Oh wait, except OpenID was never intended to be used for authentication... or was it? Nobody really knows because even OpenID proponents say you shouldn't use it for anything other than trivial accounts and if you use it for anything else, you are mis-using the spec!

  • by Anonymous Coward on Wednesday October 29, 2008 @05:44PM (#25561579)

    Yes, but Google seems to get everything right when it comes to online technology, while Microsoft has a history of either being shortsighted or behind. When they do catch up, they usually do it wrong, or worse. Just look at Windows Live Mail, or their OOXML format (not web related per se, but definitely worse than both doc and odt, and an example of them choosing their own worse way of doing something).

    Mind you, Google isn't perfect - I remember their page prefetcher beta was pretty messed up - but I'd trust their experts (when it comes to web stuff) over Microsoft. And since they're basing it on user feedback, they're probably also listening to a large number of independent web developers.

    -Anonymous Coward

  • by Anonymous Coward on Wednesday October 29, 2008 @05:47PM (#25561625)

    Yes, except just yesterday Microsoft joined OpenId, _without_ this sort of stunt.

    _without_ this sort of stunt YET.

  • by satoshi1 ( 794000 ) <satoshi@s[ ]rdeath.net ['uga' in gap]> on Wednesday October 29, 2008 @05:49PM (#25561653) Homepage Journal
    I use my site as a provider and every site that I've come across asking me to log in with my OpenID (LiveJournal included) accepts it just fine. That's the idea behind OpenID, you can get your ID anywhere, you can even provide it yourself, and every site claiming to be OpenID compatible MUST accept it when you try to log in with it.
  • by click2005 ( 921437 ) on Wednesday October 29, 2008 @05:53PM (#25561699)

    IMHO, microsoft's behavior in the last few years is to be commended

    Yeah, they behaved so well during the whole OOXML/ODF stuff.

    they are worlds away from where they were 10 years ago.

    One half-assed attempt at a good deed (that isn't actually good in any real way as they're only providing OpenID not accepting it from others) doesn't erase decades of screwing people over.

  • by jskora ( 1319299 ) on Wednesday October 29, 2008 @05:55PM (#25561725)
    Wow, now it's out. I just had a class project doing a usability test on a popular OpenID web site and EVERY professional web developer I observed had a hard to very hard time with OpenID. It's a great idea, but is either flawed in design or badly implemented most places to date.
  • by Bruce Perens ( 3872 ) * <bruce@perens.com> on Wednesday October 29, 2008 @06:06PM (#25561857) Homepage Journal
    Whether or not this is Google overturning an open standard can be judged upon:

    1. Do they make it possible for everyone else to implement exactly what they are doing, on both the producer and consumer end, without any patent restrictions, royalties, or discriminatory licensing?

    2. How close is what they are doing to the latest version of the standard, not 1.0?

    3. Do they try to get what they are doing into version 2.1 (or whatever) of the standard?

    4. Do they really have a reason for doing this? Like making the login easier for normal nontechnical people rather than you and I?

    Bruce

  • by Amamdouh ( 1130747 ) on Wednesday October 29, 2008 @06:14PM (#25561937)
    Yeah isn't it so?? I mean Google was kind of a good guy in tech. They recently attacked a researcher for exposing a vulnerability in their Android platform and now this !!! Hmmm can we say that companies inevitably turn nasty when they reach a certain size?
  • by BlueGecko ( 109058 ) <benjamin.pollack@ g m a i l . c om> on Wednesday October 29, 2008 @06:23PM (#25562047) Homepage

    Hell, I honestly think it's possible to root for Microsoft these days. .NET, including the stuff they've just announced, is an open standard, and MS is encouraging competing implementations. They're working with Mono to ensure it has good Silverlight support, including proprietary codecs. They have their own cloud service, yet worked with Amazon so that Windows could be on EC2. They offer a free version of VisualStudio that's more than sufficient for hobbyist work, and ironically arguably have the most open and easy-to-target 3rd-gen gaming console for small development shops. They're supporting OpenID, making IE increasingly standards-compliant, and, with Windows 7, look like they might actually have a pretty nice operating system that I might not feel a pressing need to migrate away from. They're definitely not perfect—I'm still royally pissed at their behavior over OOXML—but they're doing an awful lot of things right these days.

    Google, on the other hand, is going the opposite direction. They've done a proprietary fork of OpenID (which, despite the other comments on here, I definitely find offensive, because it locks you into Google in exactly the same way Passport locked you into Microsoft). They closed their SOAP service and offer no alternative. They've basically said Gmail will never use IMAP properly, and they consider that a feature, not a bug. They do business in China on the argument that "well, someone had to do it, so why not us." They still do a tremendous amount of things right, but, just as I think we should acknowledge that Microsoft nowadays is doing a lot of things right, I think we need to start acknowledging that Google is doing a lot of things wrong.

    Nobody's perfect, and situations can change surprisingly quickly. I remember when IBM was the evil overlord and Microsoft was our savior.

    That was 1992.

    Just because Google's been good up to now is no reason to assume they'll continue to be.

  • by mini me ( 132455 ) on Wednesday October 29, 2008 @06:26PM (#25562077)

    To make matters even more confusing, Microsoft has embraced, but not extended.

  • by something_wicked_thi ( 918168 ) on Wednesday October 29, 2008 @06:32PM (#25562187)

    I'm not sure about #3. It might be a lost cause because standards generally don't much like breaking compatibility. Still, I guess it couldn't hurt for them to try.

  • by Anonymous Coward on Wednesday October 29, 2008 @06:32PM (#25562189)

    funny that openid's creator works for google :>

  • Snarky AC comment (Score:4, Interesting)

    by Bruce Perens ( 3872 ) * <bruce@perens.com> on Wednesday October 29, 2008 @06:38PM (#25562255) Homepage Journal

    5: Has google taken me as a consultant yet? If yes then what they are doing is AOK! if no then their actions are horrible and should be stopped.

    Dear AC,

    This is an understandable assumption but doesn't reflect the facts. For example, Symbian has purchased consulting services from me. If you look here [theregister.co.uk], you'll notice that I am not afraid to criticize them.

    Had Google taken me on and allowed me to work on the PR for this, I would have had them communicate about it differently. It's no trouble for Google to get this stuff back into OpenID, but they obviously didn't take the trouble to assure people that would happen.

    Bruce

  • by thetoadwarrior ( 1268702 ) on Wednesday October 29, 2008 @06:40PM (#25562269) Homepage
    Microsoft announces they'll create OpenID compatible IDs but not accept them. Thus if someone wants full access to all OpenID sites they have to go through Microsoft and you think this is somehow better?

    I'm not saying what Google is doing is right but they're just getting to the point whereas MS was taking the slow route to the same destination.
  • by Sancho ( 17056 ) * on Wednesday October 29, 2008 @06:46PM (#25562357) Homepage

    No joke. When I first read the summary, my first thought was that this will finally shut the naysayers up about Google being evil. This is almost exactly the sort of thing for which people have criticized Microsoft.

    I say "almost" because there are a few things yet to be seen:

    • Will Google actually release the changes?
    • Will Google call it OpenID?
    • Will the specification still be open for others to implement?

    The big problem with Microsoft's EEE philosophy is from an interoperability standpoint. Reverse-engineering is difficult, and they know it. Even if Microsoft forked a protocol and added in their extensions for the purpose of ease-of-use, the fact that they didn't share the changes with the rest of the world made it look like a marketshare grab.

    Forking a project is not, in general, a bad thing. What's bad is when something is forked and made proprietary. We'll have to watch Google closely on this one.

  • by Bruce Perens ( 3872 ) * <bruce@perens.com> on Wednesday October 29, 2008 @06:48PM (#25562379) Homepage Journal

    The string typed in is sufficiently different from what OpenID uses today that it would be easy to disambiguate. Putting this in an OpenID library, without increasing complication to the library user, sounds easy enough.

    I think what Google is saying here is that if 99% of users are used to typing in their email address, and not used to typing in a URL as their ID, you should try to make your ID scheme work with an email address rather than invent something new. This actually sounds sensible. But I haven't looked very deeply and would be happy to hear from folks with more expertise.

    Bruce

  • by IGnatius T Foobar ( 4328 ) on Wednesday October 29, 2008 @07:12PM (#25562623) Homepage Journal
    Having implemented OpenID 1.1 Relying Party support [citadel.org] myself, I think I can definitely see what Google is up to, and it isn't evil, people. OpenID 1.1 was elegant simplicity. Our team built OpenID Relying Party support in just a couple of days without even using any external libraries. OpenID 2.0, on the other hand, is a disaster. Its architecture reeks of design-by-committee. There were four different groups vying to define the standard for single-sign-on for the web, so what did they do? They basically just glommed all of the different technologies together and called it OpenID 2.0. There are all sorts of things you have to support, like I-Names (which no one is going to use). In the end our team decided to just implement OpenID 1.1 and rely on the recommendation for backward compatibility which is built into OpenID 2.0 (a recommendation which Yahoo ignored, btw).

    So it's very possible that some engineers at Google said "hold on a minute. This sucks. OpenID 1.1 made a lot more sense, let's build out from there and see if it's something that the Internet community accepts."

    It may even come to pass that both OpenID 2.0 and Goopen-ID both end up specifying backwards compatibility to OpenID 1.1, which would be great because it would effectively halt the progress of the over-engineered OpenID 2.0 and put us back on a saner path.

    Let's not call Google's plans evil until we see where this goes. It could end up being something that finally puts this useful technology into some widespread use.
  • by Bruce Perens ( 3872 ) * <bruce@perens.com> on Wednesday October 29, 2008 @07:36PM (#25562909) Homepage Journal
    That's reasonable. I'd sign on to a statement to that effect.
  • Re:Why OpenID fails (Score:3, Interesting)

    by coryking ( 104614 ) * on Wednesday October 29, 2008 @07:57PM (#25563155) Homepage Journal

    An e-mail address is private information.

    Of course it is, you'll have to trust that I will not disclose it to other people and instead let you pick a nickname.

    Why does a blog that I'm commenting on need to know my e-mail address?

    Quite frankly, if you aren't willing to at least offer a way to contact you, I'm not interested in letting you post a comment. Remember I have to trust you aren't gonna spam the bajesus out of my site too! A random OpenID URL offers me no assurance you aren't just some comment spammer.

    You have to trust I won't leak your email, and I have to trust you are a real person, not a comment spammer. That whole trust thing swings both ways, you know.

  • Google's Docs (Score:3, Interesting)

    by DragonWriter ( 970822 ) on Wednesday October 29, 2008 @08:03PM (#25563209)

    Your entire argument is posited around Google making a more usable version of OpenID. While it may be easier for gmail users in that they can use their email addresses instead of url's, Google has not provided any spec for how other sites can implement the black box they've thrown in front of a completely vanilla OpenID.

    That's not true.

    They've provided a spec on its (fairly trivial) interaction (since developers couldn't use it otherwise), and they've provided recommendations and rationale on implementation approaches and UI design to support this approach (including recommendations which presuppose other IDPs will also be using this design). Other than actually providing a reference implementation of the black box (which is fairly simple: you send it an HTTP GET request and it responds with an XRDS document whose only interesting bit (and the only thing whose content isn't fixed) is the OpenID provider endpoint URL to use) -- if you can't implement a version of that for your own OpenID provider, you probably don't have any business implementing any kind of web application, OpenID provider or otherwise.

    See Google's documentation here [google.com].
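
Added example, not part of the thread and not Google's code: a relying-party sketch of the two steps discussed above, telling an e-mail style login apart from a URL identifier and pulling the OpenID provider endpoint out of an XRDS response. The `idp.example` hosts, the function names and the HTTPS/same-domain policy are assumptions of this example; the XRDS document is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespaces and service type defined by XRDS / OpenID 2.0.
NS = {"xrds": "xri://$xrds", "xrd": "xri://$xrd*($v*2.0)"}
OP_SERVER_TYPE = "http://specs.openid.net/auth/2.0/server"

# Constructed sample response; idp.example is a placeholder host.
SAMPLE_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://backup.idp.example/openid</URI>
    </Service>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://idp.example/openid</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def classify_identifier(text):
    """Tell an e-mail style login apart from a URL-style OpenID identifier."""
    text = text.strip()
    if "://" not in text and text.count("@") == 1:
        local, domain = text.split("@")
        if local and "." in domain and "/" not in domain:
            return "email"
    return "url"


def op_endpoint(xrds_bytes, expected_host):
    """Return the highest-priority OP endpoint URI, or raise ValueError."""
    # The discovery document is untrusted input: refuse DTDs so entity
    # expansion never reaches the XML parser.
    if b"<!DOCTYPE" in xrds_bytes or b"<!ENTITY" in xrds_bytes:
        raise ValueError("DTD not allowed in XRDS")
    root = ET.fromstring(xrds_bytes)
    candidates = []
    for svc in root.findall("xrd:XRD/xrd:Service", NS):
        types = [t.text.strip() for t in svc.findall("xrd:Type", NS) if t.text]
        uri = svc.findtext("xrd:URI", default="", namespaces=NS).strip()
        if OP_SERVER_TYPE in types and uri:
            # In XRDS a lower priority value wins; a missing one sorts last.
            candidates.append((int(svc.get("priority", "1000000")), uri))
    if not candidates:
        raise ValueError("no OpenID provider endpoint in XRDS")
    uri = min(candidates)[1]
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    # Assumed policy: the user will be sent to this URL to type a password,
    # so it must be HTTPS and stay inside the domain that was asked.
    if parts.scheme != "https":
        raise ValueError("endpoint is not HTTPS: " + uri)
    if host != expected_host and not host.endswith("." + expected_host):
        raise ValueError("endpoint host outside " + expected_host)
    return uri
```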

  • by VoltageX ( 845249 ) on Wednesday October 29, 2008 @08:03PM (#25563217)
    Finally, a sane comment. It's time for OpenID 3, with input from Google.
  • by RAMMS+EIN ( 578166 ) on Wednesday October 29, 2008 @08:07PM (#25563249) Homepage Journal

    ``This is the first "publically-visible" sign of their slide into Microsoft-like evilness''

    Not even close. They have been doing much more questionable things for a long time now.

  • Re:Why OpenID fails (Score:3, Interesting)

    by burndive ( 855848 ) on Wednesday October 29, 2008 @08:32PM (#25563535) Homepage

    Quite frankly, if you aren't willing to at least offer a way to contact you, I'm not interested in letting you post a comment. Remember I have to trust you aren't gonna spam the bajesus out of my site too! A random OpenID URL offers me no assurance you aren't just some comment spammer.

    I'm willing to provide the URL of my blog. With that information, you can find out quite a bit about me, or not, without my knowledge, and you can also contact me if you choose. An e-mail address can be generated and thrown away just as easily as an OpenID. The whole point of signing in is to create a consistent identity. It doesn't actually matter if you can contact that identity. What better anchor for such an identity than a URL, which can, at the discretion of the user point an interested party to a variety of additional information or none at all?

    You have to trust I won't leak your email, and I have to trust you are a real person, not a comment spammer. That whole trust thing swings both ways, you know.

    I allow anonymous comments on my blog because if someone has feedback to give, I don't want to put any barriers to that feedback. If they wish to provide an identity, they can do that as well, but I'm not going to force them.

    Sites that rely on user-generated content have a vested interest in getting users to participate. The lower the barrier to participation, the more likely a new person is to start using the service, and eventually, if it is in mutual interest, provide an e-mail address, or whatever other information is desired.

  • Re:Snarky AC comment (Score:2, Interesting)

    by mysidia ( 191772 ) on Wednesday October 29, 2008 @09:16PM (#25563947)

    The great thing about open standards is that they are open, so if they are deficient, you can change them too, and build a derived standard.

    I am skeptical that this is all a major security risk in any case, and I fail to see the risk as being mitigated by Google's tweaks.

    We have problems with phishers already.

    If being redirected from a third-party website to a Google username/password box becomes de-facto standard for login to third-party sites, then:

    I see a major risk being a malicious site that displays a "fake" openid login box.

    One that either convinces the user to submit their Google password to the site operator instead of google, or that redirects the user to a fake "Google login" splash page, where the same happens.

    For single signon to be safe and secure, it seems to me imperative, that the password entry and access approval be done through the browser itself, in a more secure way, rather than through a standard web form, so easily manipulated.

  • Re:Snarky AC comment (Score:3, Interesting)

    by Kalriath ( 849904 ) * on Wednesday October 29, 2008 @09:54PM (#25564289)

    Easiest way to log out using browser authentication? Throw a 403 when the browser sends its credentials. They get in a huffy and demand the user give them new ones.
