Oct 04 2008

Why openID will fail

Martin Strandbygaard just gave an introductory talk about OpenID at Open Source Days in Denmark. Given the recent discussion about OpenID and security, mostly the phishing opportunities it created, I was interested to hear the talk.

Yes, I have an OpenID, I use it at like 2-3 sites.. why.. because most of the sites haven't adopted it yet..
Martin gave an overview of different sites already allowing people to use OpenID to log on, and also of which sites today allow you to create an OpenID identity with them that you can then use elsewhere. Yes, you can use your LiveJournal or Yahoo account as an OpenID. I'm not doing that. I'm running my own Open Source OpenID server (funny he didn't touch that subject).

When he continued to discuss adoption he mentioned that even the company from Redmond was starting to allow people to log on with their OpenID, however just an OpenID from a restricted set of OpenID servers.

I asked where on the Yahoo site I could log on using an OpenID, and my fear was confirmed: you can't. So Yahoo indeed is promoting OpenID, but why.. so they can see which other services their users are using so they can quickly acquire them?

And according to Martin, various other sites that allow OpenID authentication are gearing towards allowing just a limited set of OpenID services, the ones that they have partnerships with.

Now I don't want to use a 3rd party OpenID server, I have my own.. I want to control my own data. For services that use the above mentioned mode, trusting a limited set of OpenID providers, my personal OpenID is useless. I would once again end up having to sign up with different OpenID servers, which kind of makes the whole idea of not having to keep different username/password combinations around void :(
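The restricted-provider mode described above, sketched as an added example that is not part of the original post or of any site's actual code: a relying party performs OpenID HTML discovery on the identity page (the `openid2.provider` / `openid.server` link relations) and only proceeds if the declared provider endpoint is on its allowlist. The `.example` hostnames, the allowlist and the https requirement are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed policy: provider hosts this hypothetical relying party accepts.
ALLOWED_PROVIDER_HOSTS = {"openid.partner.example"}

# Constructed identity pages: a self-hosted OpenID and a partner-hosted one.
SELF_HOSTED = ('<html><head>'
               '<link rel="openid.server" href="https://id.myserver.example/server">'
               '<link rel="openid.delegate" href="https://id.myserver.example/me">'
               '</head></html>')
PARTNER = '<link rel="openid2.provider openid.server" href="https://openid.partner.example/auth"/>'


class _LinkCollector(HTMLParser):
    """Collect the first href seen for each <link rel=...> value."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = dict(attrs)
        href = attr.get("href")
        # rel may hold several space-separated relation names
        for rel in (attr.get("rel") or "").lower().split():
            if href and rel not in self.links:
                self.links[rel] = href


def discover_provider(identity_html):
    """Return the provider endpoint declared by HTML discovery, or None.
    The OpenID 2.0 relation is preferred over the 1.1 one."""
    parser = _LinkCollector()
    parser.feed(identity_html)
    return parser.links.get("openid2.provider") or parser.links.get("openid.server")


def provider_allowed(identity_html, allowed=ALLOWED_PROVIDER_HOSTS):
    """True only if the discovered endpoint is https on an allowlisted host."""
    endpoint = discover_provider(identity_html)
    if endpoint is None:
        return False
    parts = urlsplit(endpoint)
    # Exact host match: suffix or substring matching would accept lookalike hosts.
    return parts.scheme == "https" and (parts.hostname or "") in allowed
```

With this policy the self-hosted identity is rejected before any authentication happens, no matter how strong the login at that server is.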

One of the questions from the audience was about how strong the authentication of an OpenID logon was. Fact is that you can make it as strong as you want. If you build an OpenID server you could go with plain text authentication over HTTP, basic authentication over HTTPS, or even build an authentication system based on a challenge-response framework.
The bigger question however is how and what data goes to the OpenID consumer.

So apart from the existing security challenges today, there are a lot of organisations claiming to support OpenID while they actually aren't, and that's the first blocking factor for quick OpenID adoption. And the ones that are adopting aren't doing it open enough.

I fear it was a nice attempt .. but I don't really think it's going to be a big success.
It should have taken off already ..

May 28 2008


I'm getting second thoughts about OpenID.

Here's why.

Feb 01 2008

Microsoft to Buy Yahoo ?

Lots of rumours about Yahoo wanting to dump a significant part of its personnel have been overwhelmed by the new news that Microsoft wants to buy Yahoo.

Let's stand still for 5 seconds to think about that impact :

First of all.. they are buying a lot of advertising and content , a field where they were currently losing market share. But they are buying more.

They are buying into the mindset of startups, Flickr, Upcoming, and others.. something they have long lost ..

Bort just made an interesting point in realising that with Microsoft buying Yahoo, that would also include buying Zimbra, and lots of other open source technology. What about OpenID, will they make their own MS-OpenID ?

Will they make the same mistake they made when buying Hotmail ?

Will Yahoo still need to let people go or will they leave themselves because of this ?
Lots of questions .. time will tell.

Jan 18 2008

Yahoo and OpenID

Peter points us to Yahoo and OpenID. While I applaud adoption of OpenID, I'm looking at the Yahoo configuration panel where I link my own self-managed OpenID to my Yahoo account.

I don't need a 3453rd OpenID provider .. I have one that I manage myself.. I just want to use it more often.