46 Comments
- georgehotelling, on 10/12/2007, -2/+17: I'm so sick of creating accounts on new sites just to try them out, I really hope OpenID catches on!
- Kakcoo, on 10/12/2007, -2/+14: Digg's a mean machine
http://duggmirror.com/programming/HOW_TO_turn_your_blog_in_to_an_OpenID/
- nofxjunkee, on 10/12/2007, -1/+10: bugmenot isn't going to work if you want to try something out such as flickr or digg. bugmenot doesn't work for the comments example in the article. in fact bugmenot only works for a small fraction of sites that require a sign up. did you RTFA?
- inactive, on 10/12/2007, -0/+8: Ok for example yours is hosted at simonwillison.net, and it just got digg effected. Does that mean you can't log into any site until the server comes back up?
- georgehotelling, on 10/12/2007, -1/+7: Your identity provider may require a password (or SSL cert, or keyfob number, or mother's maiden name, or...) but the site you're logging into doesn't get a password. They just get a cryptographically signed message saying you are who you say you are.
So if I'm using Vox as my OpenID identity provider and I want to log in to a hypothetical news site "OpenIDigg," I go to OpenIDigg's login page, put in my Vox URL and click submit. My browser is redirected to Vox who checks my cookie to see if I'm already logged in, and if not has me log in. My browser is then redirected back to OpenIDigg with a cryptographically signed message saying I am who I say I am.
I skipped a bit of the backend machinations, but that's how it works from the perspective of the user.
- simonwillison, on 10/12/2007, -1/+6: Aargh - this link just took out my virtual server. I'm scrabbling to get something up and running again.
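Added example (not part of the thread): a Python sketch of the "cryptographically signed message" georgehotelling describes, following the OpenID 1.1 scheme of an HMAC-SHA1 over the fields listed in `openid.signed`. The shared key, URLs and function names are constructed for illustration, and the association step that agrees the key is assumed to have already happened.

```python
import base64
import hashlib
import hmac

MAC_KEY = b"constructed-association-secret"  # constructed; shared by provider and site
REQUIRED_SIGNED = {"identity", "return_to"}

def kv_form(params, signed_fields):
    # Key-value form: one "name:value\n" line per signed field, in listed order.
    return "".join(f"{n}:{params['openid.' + n]}\n" for n in signed_fields).encode()

def sign(mac_key, params, signed_fields):
    mac = hmac.new(mac_key, kv_form(params, signed_fields), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def make_assertion(identity, return_to, mac_key, signed=("mode", "identity", "return_to")):
    # Provider side: sent back through the browser after the user has logged in.
    params = {"openid.mode": "id_res", "openid.identity": identity,
              "openid.return_to": return_to, "openid.signed": ",".join(signed)}
    params["openid.sig"] = sign(mac_key, params, signed)
    return params

def verify_assertion(params, mac_key, claimed_identity, return_to):
    # Site side: returns (accepted, reason). The site never sees a password.
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed = params.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED.issubset(signed):
        return False, "identity or return_to not covered by the signature"
    if any("openid." + n not in params for n in signed):
        return False, "signed field missing"
    expected = sign(mac_key, params, signed).encode()
    if not hmac.compare_digest(expected, params.get("openid.sig", "").encode()):
        return False, "bad signature"
    if params["openid.identity"] != claimed_identity:
        return False, "assertion is for a different identity"
    if params["openid.return_to"] != return_to:
        return False, "assertion was issued for a different site"
    return True, "ok"

if __name__ == "__main__":
    me, site = "http://example.vox.com/", "https://openidigg.example/login/return"
    good = make_assertion(me, site, MAC_KEY)
    print(verify_assertion(good, MAC_KEY, me, site))
    altered = dict(good, **{"openid.identity": "http://someone-else.example/"})
    print(verify_assertion(altered, MAC_KEY, "http://someone-else.example/", site))
```

The checks after the signature comparison matter as much as the HMAC itself: a validly signed assertion is only accepted for the identity and return URL this login attempt actually asked about.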
- paulmdx, on 10/12/2007, -2/+6: I notice clicking the link above also goes to DuggMirror. I was *really* impressed for a second as I thought Digg did the switch. I guess the original author must have a redirect..
- merr, on 10/12/2007, -1/+5: OpenID is great but until more sites start supporting it, it's pretty useless. I would love to be able to use it everywhere.
- EricAnderton, on 10/12/2007, -0/+4: Other good links about OpenID:
http://openid.net/
http://en.wikipedia.org/wiki/OpenID
- kveton, on 10/12/2007, -0/+3: albrad84: Check out our directory of OpenID enabled sites: https://www.myopenid.com/directory
This is by no means complete but it definitely gives you a good idea of what some of the sites that are using this technology are doing and how they integrated it.
Full-disclosure: I work for JanRain the company that runs MyOpenID.com ... :-)
- albrad84, on 10/12/2007, -0/+3: I think this is a great idea, but are there any (at least somewhat) major sites that allow openID authentication yet?
- georgehotelling, on 10/12/2007, -0/+3: @illegal_op: bugmenot (the site and the add-on) is my friend, but it's not the same thing. If I want to see a NYTimes article that is the same no matter who you log in as, BugMeNot is perfect. If I want to try out an app that is personalized to me like the latest Web 2.13b todo list or photo sharing site, I need a unique login. This saves me the step of creating the login, I just put in my URL, sign in to my OpenID provider, and go. One less password to remember.
Plus, when sites like Reddit get their unhashed password database stolen, I don't even need to change my password (and yes, I use different randomly generated passwords for each site I use).
- computerdude33, on 10/12/2007, -0/+3: There's a nice WordPress plugin that lets you accept OpenID comments on your blog.
http://the-notebook.org/12/01/2006/openid-comments-for-wordpress/
It also works as an OpenID server, but I haven't been able to get that to work on my site.
- francisew, on 10/12/2007, -1/+4: Simon,
Lots of good ideas here. I'm all in favour of doing away with a zillion registrations. Except...
The unspecified server authentication step (though I'm sure that's no big shock to anyone), is a HUGE problem.
This is extremely dangerous, as if someone manages to fool the 'unspecified authentication step', then they've stolen access for all your logins. Imagine a million inappropriate comments posted under your name. Imagine that with eCommerce implications.
Furthermore, and unfortunately, most users are incapable of writing a helloworld.html file, let alone uploading via ftp to a server. The critical mass for implementation involves extending this to people outside the development community, which is very challenging.
How does a user choose the level of personal information authorized for a particular site? How does the user prevent a caching of the login to a particular site? It seems that if automatic login was enabled for the verification site, then a second user could come along and log into ANY site by simply typing in the openID that was used by the previous user for a single previous site. (which I'm assuming is the step which makes it more convenient than specifying the same login/password at every site)
Jelfurie's comment is also great: Do I lose my login privileges to everything online if my site ever goes down (hosting, digg effect, hack)? If I lose my domain? If the blog URI changes structure? What about cross-site scripting hacks?
IEEEk (that's the sound of a committee of engineers shrieking in panic)
Francis
- joliveira, on 10/12/2007, -0/+3: I'm wondering the same thing ... I understand the first login using an openid "url" - where you have to authenticate the service that's wanting to use the openid "url". But what about the subsequent times the url is used for a login?
- albrad84, on 10/12/2007, -0/+3: "You will be redirected to a page on your identity provider which will either ask you to log in or ask you to authorize the site to use your identity. Click “Yes” and you’ll be sent back to the original site and magically logged in—no password required."
I don't quite understand this... if there is no password, what is to prevent another person from using your OpenID?
- georgehotelling, on 10/12/2007, -0/+3: Check out phpMyID - http://siege.org/projects/phpMyID/
Despite having "My" in the name, it doesn't need a database. It's just a single PHP file that you upload, configure, and add the HTML to your homepage.
- cowpowered, on 10/12/2007, -0/+3: Livejournal and Technorati are the two biggest websites accepting OpenID logins. It's not an industry standard yet, but it's getting there.
- zaren, on 10/12/2007, -0/+2: Hm, this sounds interesting. I might have to look into this some more and see if I can make any use of it.
- nofxjunkee, on 10/12/2007, -0/+2: did you really not see that one coming? ;-) good luck getting things back up! (no sarcasm)
- kveton, on 10/12/2007, -0/+2: If the site is down, then yes, you won't have your identity. In the case of simonwillison.net, he has the two link tags in the "Dugg" page you see there pointing at idproxy.net. So in this specific case, he can still use his identity.
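Added example (not part of the thread): the "two link tags" kveton mentions are the OpenID 1.x delegation tags, `rel="openid.server"` and `rel="openid.delegate"`, placed in the page's `<head>`. This Python sketch reads them the way a relying site would and lets the owner audit them against pinned values, since whoever can edit that page can repoint the identity. The sample page, URLs and function names are constructed for illustration.

```python
from html.parser import HTMLParser

class OpenIDLinkParser(HTMLParser):
    """Collects OpenID 1.x <link> tags that appear inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = {}  # rel value -> list of hrefs

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                if rel in ("openid.server", "openid.delegate") and a.get("href"):
                    self.found.setdefault(rel, []).append(a["href"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(html, claimed_url):
    # The claimed URL stays the user's identity; the delegate is what the provider checks.
    parser = OpenIDLinkParser()
    parser.feed(html)
    servers = parser.found.get("openid.server", [])
    delegates = parser.found.get("openid.delegate", [])
    if len(servers) != 1 or len(delegates) > 1:
        raise ValueError("expected one openid.server and at most one openid.delegate in <head>")
    return {"claimed": claimed_url, "server": servers[0],
            "provider_identity": delegates[0] if delegates else claimed_url}

def audit(html, claimed_url, pinned):
    # Owner-side check: list every difference between the live tags and the pinned values.
    live = discover(html, claimed_url)
    return [f"{k}: expected {pinned[k]!r}, found {live[k]!r}"
            for k in ("server", "provider_identity") if live[k] != pinned[k]]

# Constructed sample page and pinned values.
PAGE = """<html><head><title>My blog</title>
<link rel="openid.server" href="https://idp.example/server">
<link rel="openid.delegate" href="https://idp.example/users/me">
</head><body><p>Hello</p></body></html>"""
PINNED = {"server": "https://idp.example/server",
          "provider_identity": "https://idp.example/users/me"}

if __name__ == "__main__":
    print(discover(PAGE, "http://blog.example/"))
    print(audit(PAGE.replace("idp.example/server", "other.example/server"),
                "http://blog.example/", PINNED))
```

Tags outside `<head>` are ignored on purpose, so markup injected into a comment or post body cannot redirect the identity.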
- yahoofrom, on 10/12/2007, -0/+2: I hope major Korean websites support OpenID instead of forcing everybody to type in social registration numbers.
- EricAnderton, on 10/12/2007, -0/+2: @david: It's simple. The OpenID URI is also where you *log in*, if you're not already.
So this system would use your Blog's login capability to effectively 'log in' on a different site. What keeps others from using your OpenId URI is the fact that you control your Blog's id and password as you always have.
- grawity, on 10/12/2007, -0/+1: myopenid.com is da best
- MilesZS, on 10/12/2007, -0/+1: It seems to me that some people here who believe themselves to be extremely intelligent should maybe do some more research into OpenID before trying to pick at its 'apparent' shortcomings. If you are going to dig into the very technical aspects of OpenID (the nitty gritty, also known as, "Things The Article Purposely Does Not Mention"), maybe it would be smart to first find a spec sheet or something. Maybe you could start at http://openid.net.
I know, it's difficult to think before typing.
- EricAnderton, on 10/12/2007, -1/+2: (whoa, a lot can happen in 2 minutes. Sorry if this is redundant)
The idea isn't to eliminate passwords. Instead, it lets you *consolidate* all your ID-related activities into a fewer number of accounts.
Read this a few times, it usually takes a few passes to wrap your head around the concept: http://openid.net/about.bml
In short, this lets you do stuff like leave comments on a site like digg.com* by logging in through your Livejournal account. OpenID provides the protocol by which the first site (digg in this case) talks to Livejournal to confirm that you're 'albrad84'. That would give your comment a little more credibility by tying your comment back to your LJ profile, should digg flag your post as "OpenID Confirmed" or somesuch.
More to the point, it would make your profile here on digg pointless - it would just fall back to your OpenId instead, wherever that is.
(*digg doesn't support openID, but it would be nice if it did)
- Burritovision, on 10/12/2007, -0/+1: I am comfortable diversifying my passwords. I have no interest in grouping my intelligence in one website.
- Hamsterpotpies, on 10/12/2007, -1/+2: I'm with you on that one. Creating user accounts all the time for new trends is stupid.
- cowpowered, on 10/12/2007, -0/+1: So does anybody know a good tutorial for setting up your own OpenID server? I don't really like tying my ID to someone else's servers.
- neuroticus, on 10/12/2007, -0/+1: I've sent a couple emails to Google requesting that they give out OpenIDs with each user. This would virtually guarantee most people would get a Google account, and it would take OpenID into the mainstream.
By the way, it's very easy to do this (I do it now):
1. buy your domain: firstnamelastname.com _without_ expensive webhosting ($10 a year)
2. autoforward the domain to your livejournal or vox url (ie, http://yourname.vox.com)
3. type 'firstnamelastname.com' as your OpenID...and if you decide to switch your OpenID provider, just change the forward. That way you can keep the same OpenID your entire life (and still change OpenID providers at will)!
- kveton, on 10/12/2007, -0/+1: Francis: excellent points.
The key goals around OpenID were to help solve pain points for users and sites alike. One username and one password for the sites you visit for users. And for sites, make it so users can quickly engage in a site (i.e. no registration screen). Yes, if someone gets your password then they do have access to all of your sites. Fighting phishing then becomes absolutely critical. I wrote about this earlier this month: http://kveton.com/blog/2006/12/04/phishing-and-openid/
Most users won't need to use the delegation feature, it's not required. You can get an OpenID identity from any of the providers listed in the article and use that as your identity URL. Furthermore, I foresee sites making it easier to use delegation with the click of a button and fill out a form in the very near future. Users shouldn't need to know how to edit the HTML.
As for your questions on how the technology works, you might want to check out: http://openid.net/about.bml or even look at the specifications. These issues have been thought of and addressed.
- kveton, on 10/12/2007, -0/+1: Yes, but OpenID doesn't give you trust. Because of its decentralized nature someone could easily bring up an OpenID identity provider that does "bad things". It's definitely something that the OpenID community doesn't quite have an answer for yet.
- neuroticus, on 10/12/2007, -0/+1: what I meant to say was,
By the way, it's very easy to do this WITHOUT the code that the article shares (I do it now):
- rubah, on 10/12/2007, -0/+1: Thinking about it, could this possibly be a good way to set up a tagboard or a guestbook and eliminate a bunch of botspam?
- mxcl, on 10/12/2007, -0/+1: I tried that one, but prefer this one:
http://verselogic.net/projects/wordpress/wordpress-openid-plugin/
That one was made by JanRain, the OpenID company thing.
- NiLeS, on 10/12/2007, -1/+1: From the article: http://siege.org/projects/phpMyID/
(beaten to it)
- nofxjunkee, on 10/12/2007, -3/+3: dyslexia: 1
azap: 0
- msiegel, on 10/12/2007, -0/+0: On the other hand, by consolidating most user log-ins to a single point, two-factor authentication may become a lot more practical.
- mikeivanov, on 10/12/2007, -0/+0: francisew : is a HUGE problem.
No, it's just another HUGE point for FUD speculations.
francisew : It seems that if automatic login was enabled
Then just don't enable it! Isn't that obvious?
francisew: If I lose my domain?
Then use https://pip.verisignlabs.com
- davidbarrett, on 10/12/2007, -2/+1: albrad, it's because he's using a URL to a page (in this case, his blog) that he, and only he, controls. Above this statement, he refers to embedding some metadata in his blog that refer back to the OpenID authentication servers. It's this referencing back to the OpenID that grants the access with no password required.
In any other circumstance, you would have to provide your OpenID and pass, I'm assuming (not fully versed in OpenID yet, still getting the taste of Passport out of my mouth). But in the mechanism he describes, he is turning his blog into the authentication key, as the title indicates.
At least that's the way I interpreted all of this. =)
- davidbarrett, on 10/12/2007, -1/+0: Oooooh. I just caught your point ... LOL. Good question. Doh! I'm not sure what the answer is... how is someone prevented from using your blog page as the authentication key?
Please mod my other comment down.
- EbenieRosa, on 10/12/2007, -5/+3: I had never heard of this before, neat!
- illegal_op, on 10/12/2007, -12/+9: bugmenot firefox addon is your friend
- Azap, on 10/12/2007, -6/+2: Haha i rlleay dnot thikn I ma Dyslxeci
- Azap, on 10/12/2007, -7/+3: I thought this said "HOW TO turn your DOG in to an OpenID" when I clicked it, I am disappointed
- inactive, on 10/12/2007, -19/+3: fag

