24 Comments
- swillison, on 10/12/2007, -1/+24 This story is about my site http://idproxy.net/ , which allows people to sign in using their Yahoo! account and create (and use) one or more OpenIDs. It's unlikely that Yahoo! are going to "squash this effort" since it is a perfectly valid usage of their existing open authentication API: http://developer.yahoo.com/auth/
- imerlin, on 10/12/2007, -1/+11 Are you stoned? How the hell is OpenID a copy of Passport.net? While both are single-sign-on solutions, Passport.net requires everyone to have a Passport with them. OpenID on the other hand is an open standard (that means anyone can implement easily without permission) with distributed authentication.
OpenID has the potential of allowing people to have a single OpenID for all of their online web users. No need to create a Digg account if you already have a webpage that can confirm that you are who you say you are.
It's a good idea that doesn't force you to stay with _one_ provider all your life.
- cbeach, on 10/12/2007, -0/+6 Misleadingly titled - Yahoo has not made ANY official move on OpenID. Reported as inaccurate.
- beers, on 10/12/2007, -0/+5 i like this b/c it means i don't need a gazillion user names and passwords. many times i simply will not even bother with the registration process.
:)
- krinthekuz, on 09/16/2008, -2/+7 as i thought about how cool openID is, i also thought about how dumb it is. a visitor cannot tell if a site is legitimately using the API or just phishing unless the visitor checks the source of the page and knows what to look for. even if there is some javascript emblem like verisign uses, phishers would just fake that too.
therefore, this would have to be built into the browser as an extension/plugin that automatically checks the form and gives output in the status bar where websites cannot manipulate the output.
- realsurreal2, on 10/12/2007, -2/+6 Except the login happens on Yahoo's servers over HTTPS. True, not everyone will bother to check for this but then they'd have the same problem with every other phishing site on the net.
- uid1337, on 10/12/2007, -0/+4 No, facebook doesn't use OpenID. Livejournal does, however.
- inactive, on 10/12/2007, -0/+3 This type of effort is the future of Web 2.0. Linking together online identities with various APIs is going to be how people build an online presence.
- honds, on 10/12/2007, -0/+3 @djlosch
A few points, if I may play devil's advocate.
1) You never enter your open id password into a site. You are taken to the OpenId service provider to enter your password. So one site phishing for OpenIds will at worst have a bunch of user names but no passwords.
2) Now what if they spoof a service provider's site? Well then there is a problem. But that is a problem with any system. OpenId didn't create the problem.
3) Back to point one. A good OpenId provider will prompt the user if they want to send their information to a site they have not signed into before. So what if they try to sign into a phishing site? "Oh, wait a second. It's asking if I want to trust this site. But I already trusted this site! Something is phishy!"... if anything it would seem to help against phishing.
In any case, as I said, I think healthy debate is a good thing so I figured I'd be an advocate briefly for OpenId. Although, in interest of full disclosure, I have used it on some of my sites.
- richstyles, on 10/12/2007, -2/+4 sorry about that, I got all giddy in my rush to submit.
Excellent work!
- Atomic1fire, on 10/12/2007, -0/+1 the title isn't accurate
someone from yahoo only acknowledges that it's cool
- swillison, on 10/12/2007, -1/+2 "Yeah, that and you work for them ;-)" - not any more, I left a few weeks ago.
- Atomic1fire, on 10/12/2007, -0/+1 If you're talking about wanting to use yahoo logins
there are several methods available
such as using the api on your web2.0 site
or if you run wordpress or drupal you can use plugins to do it
- Atomic1fire, on 10/12/2007, -0/+1 Dear Mr Genius
you must not be able to read, because had you been able to you would have seen that not only is that an official yahoo login page, but there is proof in the fact that the top even says login.yahoo.com
All that page is doing is logging you in through the api so you are still logging into yahoo but you are using another service
and even then you still need to give that service permission
Try logging into an openid site with a livejournal account, you still need to give that site permission
- vramdal, on 10/12/2007, -1/+2 You! forgot! the! exclamation! mark!
- striker1211, on 10/12/2007, -4/+4 Half the people can't be bothered to read their ***** email before signing in, now if i put up a website with an ID and pw box like yahoo's, and put "Login using your Yahoo ID, see this page for details", then link to the openid page... they will be like oh that's good and boom i got their pw.
- thuhn, on 10/12/2007, -0/+0 We all know that the number of OpenID enabled sites is still pretty limited. To support the growth of the community, we've been putting a lot of effort in gathering all available links in http://openiddirectory.com . Please check the available sites and submit any more you can find!
- thinkdrastic, on 10/12/2007, -2/+2 @swillison
Yeah, that and you work for them ;-)
- funkytaco, on 10/12/2007, -1/+1 Thanks, swillison. Any source code? I'd like to use this on http://www.AvidBeauty.com
- CrossedBearings, on 10/12/2007, -0/+0 You obviously have no idea how OpenID works. Read the spec.
The spec specifies that the check_setup message requires an HMAC (an implementation of a message authentication code, for those not up with basic crypto identities) to be included in a browser redirect between the requesting site ('Consumer') and the identity provider (IdP, in this case Yahoo). The HMAC requires a symmetric key known only to the legitimate requesting site ('Consumer') and the identity provider - so it doesn't make it possible for a site to phish unless they have compromised the symmetric key used in the MAC codes between the two.
Classic case of RTFM. Dug down.
- 360modena, on 10/12/2007, -4/+2 Much like a patent was designed to be a "non obvious" creation, it's hard to think any multi-site log in is a "copy" of .NET. What about eBay and PayPal? Wouldn't any company that controls a few sites want to share databases?
- growlzor, on 10/12/2007, -3/+1 Doesn't Facebook do something like this also?
- pholower, on 10/12/2007, -9/+1 You, sir, are a douche bag
- inactive, on 10/12/2007, -20/+5 WTF, this is a blatant copy of Microsoft's .NET Passport idea. And then they say that MS is the "copying machine".
Go figure..
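
The MAC check that CrossedBearings's comment refers to, as an added example that is not part of the thread or of any OpenID library: a consumer verifying `openid.sig` on a provider's `id_res` response with HMAC-SHA1 over the signed fields in key-value form, as in OpenID 1.1. The secret, URLs, handle and the `REQUIRED` field policy are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Assumption: fields this consumer insists the provider has signed.
REQUIRED = {"mode", "identity", "return_to"}
SECRET = b"constructed-association-secret"  # constructed sample value

def kv_form(fields, signed):
    # Key-value form: one "key:value\n" line per signed field, in listed order.
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode("utf-8")

def sign(fields, signed, secret):
    mac = hmac.new(secret, kv_form(fields, signed), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")

def verify_assertion(fields, secret, expected_return_to):
    """Return True only if the response is a correctly MACed positive assertion."""
    if fields.get("openid.mode") != "id_res":
        return False
    signed = fields.get("openid.signed", "").split(",")
    # Reject responses where the identity or return_to is left outside the MAC.
    if not REQUIRED.issubset(signed):
        return False
    if any("openid." + k not in fields for k in signed):
        return False
    # The signed return_to must be the URL this consumer actually issued.
    if fields["openid.return_to"] != expected_return_to:
        return False
    expected = sign(fields, signed, secret)
    got = fields.get("openid.sig", "")
    return hmac.compare_digest(expected.encode("utf-8"), got.encode("utf-8"))

def sample_response():
    # Constructed response, signed the way the provider would sign it.
    fields = {
        "openid.mode": "id_res",
        "openid.identity": "http://alice.example.org/",
        "openid.return_to": "https://consumer.example.com/finish",
        "openid.assoc_handle": "constructed-handle-1",
        "openid.signed": "mode,identity,return_to",
    }
    fields["openid.sig"] = sign(fields, fields["openid.signed"].split(","), SECRET)
    return fields

if __name__ == "__main__":
    resp = sample_response()
    print(verify_assertion(resp, SECRET, "https://consumer.example.com/finish"))
```

The MAC covers the provider's response that the browser carries back to the consumer, and it is the consumer, not the visitor, who checks it.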

