On 29/11/2008 14:22, Rob wrote:
> maybe openid is something useful to support?
I did an openID implementation recently, partly as an experiment and partly because the login module was going to be replaceable, so I thought it might be quicker (I was wrong). I did both ends in fact because one thing I wanted to do was to make logins already established on one web site which I had control over (e.g. like OSM) authenticate users on another new partner site (though, of course, you could use any other openID provider you wanted). I used existing libraries of course - I didn't implement my own.

My experience was (a) that it worked, (b) that it was incredibly slow. It has to bounce back and forth between two, sometimes three, different web sites several times and do some amazingly complicated maths on the way. It was especially slow the first time someone logs on (after which it has some stuff cached, but it isn't a very nice first impression). (c) I ended up still having to do an email validation by sending a token to be returned, in order that I could communicate with them. The provider I set up was able to send a validated email address along with authenticating the identity, but I failed to get Yahoo or Verisign (openID providers) to give me email addresses even when I had turned on the option to say I was willing to have these transmitted (which not everyone would necessarily do). Email2ID can work as an intermediary so you can use an email address to log in, and that could do validation, but the point of openid is you can use the provider of your choice. Email2ID was unusably slow in its email turn-round times. (d) It is widely asserted in discussions about openID that end users are confused about using a URL as an identity. I think I'd agree in general but in my case, and in OSM's, we're dealing with a reasonably technically literate user base.
I think I'm going to leave the openID login on my site but allow them to specify a password alongside the identity so that once they've verified the identity once with the third party, they can log in directly to my site without the openID overhead. OpenID is a nice idea, but the advantage of a cross-site login is lost in the overhead of using it in my experience.

The biggest criticism of openID is the vulnerability of users to identity theft: a user can be phished by an unscrupulous site into entering their login details at a site which looks like their openID provider but isn't, and therefore lose their password - which of course gives the intruder access to not one but a wealth of sites used by the victim. That is probably not too big a deal if the sites you log into merely need to know who you are in order to identify what user does what, as in OSM, but I would be wary about using it in any financial situations or for email accounts and that kind of thing.

So on balance I think I'd say don't bother - just re-register with the same name and password at the partner site.

David

_______________________________________________
dev mailing list
http://lists.openstreetmap.org/listinfo/dev
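The "bounce back" David describes ends with the provider redirecting the user to the relying party carrying a signed assertion; the relying party's side of that exchange, as an added example that is not part of the thread, is sketched below for OpenID 2.0. It assumes the relying party already holds the MAC key from an earlier association and remembers the return_to URL it sent the user away with; the constant names, the sample response and the MAC key are constructed for the example.

```python
# Added example (not from the mailing-list thread): the relying-party checks
# on an OpenID 2.0 positive assertion returned from the provider.
# Assumes the RP already holds the association MAC key and knows the
# return_to URL it issued; all names and values here are constructed.
import base64
import hashlib
import hmac

OPENID2_NS = "http://specs.openid.net/auth/2.0"
# Fields the spec requires to be covered by the signature (claimed_id and
# identity only when they appear in the response).
ALWAYS_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
HASH_FOR_ASSOC = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}


def kv_form(resp: dict, signed: list) -> bytes:
    """Key-Value Form of the signed fields: 'key:value\\n' in openid.signed
    order, with the 'openid.' prefix stripped from each key."""
    return "".join(f"{k}:{resp['openid.' + k]}\n" for k in signed).encode()


def sign(resp: dict, signed: list, mac_key: bytes, assoc_type: str) -> str:
    """Base64 HMAC over the Key-Value Form, as the provider computes it."""
    digest = hmac.new(mac_key, kv_form(resp, signed),
                      HASH_FOR_ASSOC[assoc_type]).digest()
    return base64.b64encode(digest).decode()


def verify_assertion(resp: dict, mac_key: bytes, assoc_type: str,
                     expected_return_to: str, seen_nonces: set) -> bool:
    """True only for an unreplayed, correctly signed positive assertion
    bound to the return_to URL this relying party actually issued."""
    if resp.get("openid.ns") != OPENID2_NS or resp.get("openid.mode") != "id_res":
        return False
    if resp.get("openid.return_to") != expected_return_to:
        return False  # assertion was minted for another page or site
    signed = resp.get("openid.signed", "").split(",")
    required = ALWAYS_SIGNED + tuple(
        f for f in ("claimed_id", "identity") if "openid." + f in resp)
    if any(f not in signed for f in required) or \
            any("openid." + f not in resp for f in signed):
        return False  # an unsigned identity field could be altered in transit
    nonce = resp.get("openid.response_nonce", "")
    if nonce in seen_nonces:
        return False  # replayed assertion
    expected = sign(resp, signed, mac_key, assoc_type)
    if not hmac.compare_digest(expected, resp.get("openid.sig", "")):
        return False
    seen_nonces.add(nonce)
    return True
```

The return_to and nonce checks are what stop a captured assertion from being replayed or redirected to a different relying party; the signature check is the "complicated maths" that lets the relying party trust the assertion without a third round trip.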

