Re: Google OpenID is now live
On 10/04/2008, Brad Fitzpatrick <[EMAIL PROTECTED]> wrote: > On Thu, Apr 10, 2008 at 12:40 AM, James Henstridge <[EMAIL PROTECTED]> > wrote: > > > > > On 10/04/2008, Vinay Gupta <[EMAIL PROTECTED]> wrote: > > > I think that kind of misses the point. The *namespace* that google > manages > > > is now open for business as an OpenID provider. It's an unanticipated > > > side-effect of the APIs. > > > > > > I think it's kind of a big deal, actually, in terms of how OpenID is > right > > > from an engineering perspective and how it can spread in unexpected > ways. If > > > only login were so easy. > > > > This service seems pretty much equivalent to Simon Willison's > > idproxy.net service for Yahoo accounts. > > > > The big difference between this sort of service and actial OpenID > > Provider support from Google/Yahoo is a matter of trust. > > > > With an OP run by Google, the user needs to trust Google. With this > > OP, the user needs to trust whoever is running the OP not to > > impersonate them. Given the lack of contact information, I'd be > > hesitant to use identities managed by that service and would not > > recommend others rely on it. > > James, > > openid-provider.appspot.com was written by a Google engineer, Ryan Barrett, > who also did most the work (including all the initial work) on Blogger's > OpenID support: > > References: > > http://appgallery.appspot.com/about_app?app_id=agphcHBnYWxsZXJ5chMLEgxBcHBsaWNhdGlvbnMYrwIM > http://snarfed.org/space/2008-04-07_google_app_engine_launched > http://snarfed.org/space/2007-12-02_openid_comments_in_blogger Okay. It wasn't clear who was running the service just by looking at the URL originally posted. > Further, App Engine apps don't process user credentials directly. They go > through an OpenID-like auth process with Google, who actually processes the > email/password and tells the App Engine app that somebody logged in, at what > email. You can verify this yourself by looking at the form targets and HTTP > traffic. See: > > http://code.google.com/appengine/docs/users/ > > So I'd say you can pretty much trust an openid-provider.a.com assertion that > the person has a Google account. But like others have said, it's not an > official Google product. I realise that Google's authsub service doesn't reveal a user's email + password to the relying site (in this case openid-provider.appspot.com). If you are using an OpenID provider that I control, you are trusting me not to add a backdoor that lets me authenticate to RPs as your identity URL. And given the way OpenID works, I'd have a pretty good idea of which RPs to go after. Based on the info in the links you provided it is probably safe to trust the site not to do these things, but it is not clear from the information on that site alone. James. ___ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs
Re: Google OpenID is now live
On Thu, Apr 10, 2008 at 12:40 AM, James Henstridge <[EMAIL PROTECTED]> wrote: > On 10/04/2008, Vinay Gupta <[EMAIL PROTECTED]> wrote: > > I think that kind of misses the point. The *namespace* that google > manages > > is now open for business as an OpenID provider. It's an unanticipated > > side-effect of the APIs. > > > > I think it's kind of a big deal, actually, in terms of how OpenID is > right > > from an engineering perspective and how it can spread in unexpected > ways. If > > only login were so easy. > > This service seems pretty much equivalent to Simon Willison's > idproxy.net service for Yahoo accounts. > > The big difference between this sort of service and actial OpenID > Provider support from Google/Yahoo is a matter of trust. > > With an OP run by Google, the user needs to trust Google. With this > OP, the user needs to trust whoever is running the OP not to > impersonate them. Given the lack of contact information, I'd be > hesitant to use identities managed by that service and would not > recommend others rely on it. James, openid-provider.appspot.com was written by a Google engineer, Ryan Barrett, who also did most the work (including all the initial work) on Blogger's OpenID support: References: http://appgallery.appspot.com/about_app?app_id=agphcHBnYWxsZXJ5chMLEgxBcHBsaWNhdGlvbnMYrwIM http://snarfed.org/space/2008-04-07_google_app_engine_launched http://snarfed.org/space/2007-12-02_openid_comments_in_blogger Further, App Engine apps don't process user credentials directly. They go through an OpenID-like auth process with Google, who actually processes the email/password and tells the App Engine app that somebody logged in, at what email. You can verify this yourself by looking at the form targets and HTTP traffic. See: http://code.google.com/appengine/docs/users/ So I'd say you can pretty much trust an openid-provider.a.com assertion that the person has a Google account. But like others have said, it's not an official Google product. Brad ___ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs
Re: Google OpenID is now live
On 10/04/2008, Vinay Gupta <[EMAIL PROTECTED]> wrote: > I think that kind of misses the point. The *namespace* that google manages > is now open for business as an OpenID provider. It's an unanticipated > side-effect of the APIs. > > I think it's kind of a big deal, actually, in terms of how OpenID is right > from an engineering perspective and how it can spread in unexpected ways. If > only login were so easy. This service seems pretty much equivalent to Simon Willison's idproxy.net service for Yahoo accounts. The big difference between this sort of service and actial OpenID Provider support from Google/Yahoo is a matter of trust. With an OP run by Google, the user needs to trust Google. With this OP, the user needs to trust whoever is running the OP not to impersonate them. Given the lack of contact information, I'd be hesitant to use identities managed by that service and would not recommend others rely on it. James. ___ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs
