Re: Google OpenID is now live

2008-04-10 Thread James Henstridge
On 10/04/2008, Vinay Gupta [EMAIL PROTECTED] wrote:
> I think that kind of misses the point. The *namespace* that google manages
> is now open for business as an OpenID provider. It's an unanticipated
> side-effect of the APIs.
>
> I think it's kind of a big deal, actually, in terms of how OpenID is right
> from an engineering perspective and how it can spread in unexpected ways. If
> only login were so easy.

This service seems pretty much equivalent to Simon Willison's
idproxy.net service for Yahoo accounts.

The big difference between this sort of service and actual OpenID
Provider support from Google/Yahoo is a matter of trust.

With an OP run by Google, the user needs to trust Google.  With this
OP, the user needs to trust whoever is running the OP not to
impersonate them.  Given the lack of contact information, I'd be
hesitant to use identities managed by that service and would not
recommend others rely on it.

James.
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


Re: Google OpenID is now live

2008-04-10 Thread Brad Fitzpatrick
On Thu, Apr 10, 2008 at 12:40 AM, James Henstridge [EMAIL PROTECTED] wrote:

> On 10/04/2008, Vinay Gupta [EMAIL PROTECTED] wrote:
> > I think that kind of misses the point. The *namespace* that google manages
> > is now open for business as an OpenID provider. It's an unanticipated
> > side-effect of the APIs.
> >
> > I think it's kind of a big deal, actually, in terms of how OpenID is right
> > from an engineering perspective and how it can spread in unexpected ways. If
> > only login were so easy.
>
> This service seems pretty much equivalent to Simon Willison's
> idproxy.net service for Yahoo accounts.
>
> The big difference between this sort of service and actual OpenID
> Provider support from Google/Yahoo is a matter of trust.
>
> With an OP run by Google, the user needs to trust Google.  With this
> OP, the user needs to trust whoever is running the OP not to
> impersonate them.  Given the lack of contact information, I'd be
> hesitant to use identities managed by that service and would not
> recommend others rely on it.


James,

openid-provider.appspot.com was written by a Google engineer, Ryan Barrett,
who also did most of the work (including all the initial work) on Blogger's
OpenID support:

References:

http://appgallery.appspot.com/about_app?app_id=agphcHBnYWxsZXJ5chMLEgxBcHBsaWNhdGlvbnMYrwIM
http://snarfed.org/space/2008-04-07_google_app_engine_launched
http://snarfed.org/space/2007-12-02_openid_comments_in_blogger

Further, App Engine apps don't process user credentials directly.  They go
through an OpenID-like auth process with Google, who actually processes the
email/password and tells the App Engine app that somebody logged in, at what
email.  You can verify this yourself by looking at the form targets and HTTP
traffic.  See:

http://code.google.com/appengine/docs/users/

So I'd say you can pretty much trust an openid-provider.a.com assertion that
the person has a Google account.   But like others have said, it's not an
official Google product.

Brad


Re: Google OpenID is now live

2008-04-10 Thread James Henstridge
On 10/04/2008, Brad Fitzpatrick [EMAIL PROTECTED] wrote:
> On Thu, Apr 10, 2008 at 12:40 AM, James Henstridge [EMAIL PROTECTED] wrote:
>
> > On 10/04/2008, Vinay Gupta [EMAIL PROTECTED] wrote:
> > > I think that kind of misses the point. The *namespace* that google manages
> > > is now open for business as an OpenID provider. It's an unanticipated
> > > side-effect of the APIs.
> > >
> > > I think it's kind of a big deal, actually, in terms of how OpenID is right
> > > from an engineering perspective and how it can spread in unexpected ways. If
> > > only login were so easy.
> >
> > This service seems pretty much equivalent to Simon Willison's
> > idproxy.net service for Yahoo accounts.
> >
> > The big difference between this sort of service and actual OpenID
> > Provider support from Google/Yahoo is a matter of trust.
> >
> > With an OP run by Google, the user needs to trust Google.  With this
> > OP, the user needs to trust whoever is running the OP not to
> > impersonate them.  Given the lack of contact information, I'd be
> > hesitant to use identities managed by that service and would not
> > recommend others rely on it.
>
> James,
>
> openid-provider.appspot.com was written by a Google engineer, Ryan Barrett,
> who also did most of the work (including all the initial work) on Blogger's
> OpenID support:
>
> References:
>
> http://appgallery.appspot.com/about_app?app_id=agphcHBnYWxsZXJ5chMLEgxBcHBsaWNhdGlvbnMYrwIM
> http://snarfed.org/space/2008-04-07_google_app_engine_launched
> http://snarfed.org/space/2007-12-02_openid_comments_in_blogger

Okay.  It wasn't clear who was running the service just by looking at
the URL originally posted.


> Further, App Engine apps don't process user credentials directly.  They go
> through an OpenID-like auth process with Google, who actually processes the
> email/password and tells the App Engine app that somebody logged in, at what
> email.  You can verify this yourself by looking at the form targets and HTTP
> traffic.  See:
>
> http://code.google.com/appengine/docs/users/
>
> So I'd say you can pretty much trust an openid-provider.a.com assertion that
> the person has a Google account.   But like others have said, it's not an
> official Google product.

I realise that Google's authsub service doesn't reveal a user's email
+ password to the relying site (in this case
openid-provider.appspot.com).  If you are using an OpenID provider
that I control, you are trusting me not to add a backdoor that lets me
authenticate to RPs as your identity URL.  And given the way OpenID
works, I'd have a pretty good idea of which RPs to go after.

Based on the info in the links you provided it is probably safe to
trust the site not to do these things, but it is not clear from the
information on that site alone.

James.
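The relying-party side of the trust question James raises, as an added example that is not code from this thread or from openid-provider.appspot.com: it verifies a positive OpenID 2.0 assertion the way an RP does (HMAC-SHA1 over the key-value form of the signed fields, then the discovery check that binds the claimed identifier to the OP endpoint) and shows that both checks only establish which OP signed, not whether that OP actually authenticated the user against Google. The association key, endpoints and identifiers are constructed.

```python
import base64, hashlib, hmac

# Constructed association: RP and OP share a MAC key, looked up by handle.
RP_ASSOCIATIONS = {"assoc-constructed-1": b"constructed-shared-mac-key"}
# Constructed discovery result: OP endpoint found for each claimed identifier.
DISCOVERED_OP = {"http://op.example.test/id/alice": "http://op.example.test/server"}
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity")

def kv_form(fields, signed_keys):
    # OpenID 2.0 key-value form: "key:value\n" per signed key, in listed order.
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys).encode()

def op_sign(fields, mac_key):
    # The OP's side: HMAC-SHA1 over the signed fields, base64 in openid.sig.
    mac = hmac.new(mac_key, kv_form(fields, fields["openid.signed"].split(",")), hashlib.sha1).digest()
    return {**fields, "openid.sig": base64.b64encode(mac).decode()}

def rp_verify(fields):
    """Return (ok, reason). Every check here ties the assertion to the OP only."""
    mac_key = RP_ASSOCIATIONS.get(fields.get("openid.assoc_handle"))
    if mac_key is None:
        return False, "unknown association handle"
    signed = fields.get("openid.signed", "").split(",")
    missing = [k for k in REQUIRED_SIGNED if k not in signed]
    if missing:
        return False, "not covered by signature: " + ",".join(missing)
    mac = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha1).digest()
    if not hmac.compare_digest(base64.b64encode(mac).decode(), fields.get("openid.sig", "")):
        return False, "bad signature"
    # Discovery binding stops an OP asserting identifiers another OP serves; it says
    # nothing about whether this OP actually authenticated the user upstream (Google).
    if DISCOVERED_OP.get(fields["openid.claimed_id"]) != fields["openid.op_endpoint"]:
        return False, "OP endpoint not authorized for claimed_id by discovery"
    return True, "signed by the OP that serves this identifier"

def constructed_assertion(op_endpoint="http://op.example.test/server"):
    # A positive assertion as the OP returns it to the RP (all values made up).
    return op_sign({
        "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": "http://op.example.test/id/alice",
        "openid.identity": "http://op.example.test/id/alice",
        "openid.return_to": "http://rp.example.test/finish",
        "openid.response_nonce": "2008-04-10T00:00:00Zconstructed",
        "openid.assoc_handle": "assoc-constructed-1",
        "openid.signed": ",".join(REQUIRED_SIGNED),
    }, RP_ASSOCIATIONS["assoc-constructed-1"])

if __name__ == "__main__":
    print(rp_verify(constructed_assertion()))
    print(rp_verify(constructed_assertion("http://other-op.example.test/server")))
```

The second call passes the signature check but fails the discovery binding; neither outcome tells the RP anything about what happened between the OP and Google, which is exactly the part that rests on trusting the OP's operator.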