On Mon, Feb 1, 2010 at 9:54 PM, Michael A. Peters <mpet...@mac.com> wrote:
> Daevid Vincent wrote:
>>> -----Original Message-----
>>> From: Al [mailto:n...@ridersite.org]
>>> Sent: Monday, February 01, 2010 12:09 PM
>>> To: firstname.lastname@example.org
>>> Subject: [PHP] OpenID
>>> This is a bit off subject, but....
>>> What is your opinion on OpenID?
>> Failed gimmick. Tried to resurface again about a year ago. Still seems like
> Session ID hijacking is bad enough, it gives the malicious user access to
> one resource.
> OpenID hijacking gives the malicious user access to a ton of resources.
> And what does a user do when their OpenID provider disappears?
I think Michael hit the nail on the head as far as my concerns are.. well..
concerned. :) Google's OpenID provider seems like it would be around forever
and whatnot, but if you're going to rely on one of the "big" OpenID
providers, then it would appear that OpenID itself is useless. Facebook's
OpenID, etc., are on shaky ground at best.

I use a few sites that leverage OpenID as their login process, and I've got
to say--it's very convenient. However, I only use my Google account for
OpenID logins, so to me, it's really just a Google connector.

I commend everyone involved for their effort, but I think the underlying
principles need to be re-examined. It feels like they rushed the whole
concept into production before too many of the fundamental issues had been
discussed and dealt with.