This is the talk page for discussing improvements to the OpenID article.
WikiProject Internet (Rated B-class, High-importance)
This article is the subject of an educational assignment at University of Toronto supported by WikiProject Wikipedia and the Wikipedia Ambassador Program during the 2011 Q3 term. Further details are available on the course page.
Facebook as OpenID provider
Article is incorrect as it lists Facebook as an OpenID provider. Facebook is an OpenID relying party but not a provider. Source: http://stackoverflow.com/questions/1827997/is-facebook-an-openid-provider. I can confirm this, tried to use my facebook page facebook.com/myusername as an OpenID URL. It didn't work. —Preceding unsigned comment added by Ilkkao (talk • contribs) 12:43, 3 May 2010 (UTC)
Microsoft is not an OpenID provider either: http://stackoverflow.com/questions/2424449/provider-discovery-url-in-windows-live-id The table is really misleading. —Preceding unsigned comment added by Ilkkao (talk • contribs) 18:10, 3 May 2010 (UTC)
Delegated identity?
The article mentions something called a "delegated identity" and says it will be explained below but it does not do this. Can someone please add this information? —Preceding unsigned comment added by 188.8.131.52 (talk • contribs) 08:39, 1 November 2008
OpenID vs SAML
Contradicting information about single sign-on
Single_sign-on#Common_Single_Sign-On_Configurations says that OpenID is not a single sign-on system, while the intro of the OpenID article says that it is. -Pgan002 (talk) 07:31, 19 February 2009 (UTC)
- You're right, OpenID isn't a single sign-on system because you have to log in actively on each website you visit.
- I just removed the contradiction, I'm not sure if a small paragraph explaining why it isn't a single sign-on system would be useful. Calimo (talk) 10:43, 27 February 2009 (UTC)
- The intro still seems to imply that it is SSO. The line "allowing a user to log in once and gain access to the resources of multiple software systems" certainly sounds like SSO. In addition I read the resource at  and I don't see any mention of logging in once and accessing multiple systems. (184.108.40.206 (talk) 15:58, 8 May 2009 (UTC))
security issues
There is no discussion in this article about the serious security issues that arise with having a single username/password combo that can log into every site on the planet. Crack my myspace account, and you can then proceed to clean out all my bank accounts. Really. Bad. Idea. —Preceding unsigned comment added by 220.127.116.11 (talk) 00:35, 30 March 2009 (UTC)
- I disagree. For someone interested in the subject, a bare introduction to information security models will be enough to understand that OpenID is, well, a bubble. For those trying to find a quick but more or less weighted opinion, the article says it all: all major corps (except Facebook as of Jul 09) are happy to be OpenID providers, but never consumers. —Preceding unsigned comment added by 18.104.22.168 (talk) 19:27, 29 July 2009 (UTC)
- Forgot to add. As I was writing the previous comment, I decided to sign up for an account. Guess what? Wikipedia, too, does not accept OpenID accounts. —Preceding unsigned comment added by 22.214.171.124 (talk) 19:38, 29 July 2009 (UTC)
- Why for God's sake would you use myspace as an OpenID provider for your bank? And also which bank would allow itself to "outsource" authentication by being an OpenID consumer? I haven't heard about such a bank. —Preceding unsigned comment added by 126.96.36.199 (talk) 22:25, 28 February 2011 (UTC)
This is my open id account Myopenid It's just ripe for spam. The whole openid thing is bad news, at least my bank doesn't use it 'yet'. —Preceding unsigned comment added by 188.8.131.52 (talk) 00:40, 5 October 2010 (UTC)
Even worse, I am to understand that if I have an AOL account, without any action on my part I now automatically have an OpenID, which anyone who cracks my AOL acct can now use to sign up on any site that uses OpenID? So I have to now go around canceling all my accts that automatically create OpenID accts? Please tell me I'm misunderstanding something here. —Preceding unsigned comment added by 184.108.40.206 (talk) 00:39, 30 March 2009 (UTC)
- No worse than the existing system by which if someone cracks your e-mail account, they can reset all your passwords. 220.127.116.11 (talk) 02:01, 23 April 2009 (UTC)
I see a couple of accusations not backed by any technical explanation - for instance the phishing attacks. My question is how do you defeat SSL/TLS then? And if you are redirected to a non-encrypted login page, you shouldn't give your credentials anyway. —Preceding unsigned comment added by 18.104.22.168 (talk) 22:32, 28 February 2011 (UTC)
- All the security issues above really exist. The problem is the potentially malicious relying party. No need to crack any SSL, because it _IS_ "in the middle" already. No extra "man-in-the-middle" efforts needed. You talk with _this_ malicious relying party via SSL (or https, anyway) already. — Preceding unsigned comment added by 22.214.171.124 (talk) 14:26, 25 March 2012 (UTC)
May 2009 unsourced and apparently fake information
I've just removed this from the "2009" subsection: "In May Facebook launched their relying party functionality, letting users use a Google, Yahoo or OpenID to log into their Facebook account." It has no source, I've found no source for it, and www.facebook.com shows no sign of this, so until someone proves the contrary, I'm considering it untrue (remember a source should ALWAYS be posted). HuGo_87 (talk) 19:54, 6 June 2009 (UTC)
- Perhaps this will help? http://developers.facebook.com/news.php?blog=1&story=246 ~~ [ジャム][t - c] 22:32, 6 June 2009 (UTC)
- Cool. I could find no information on the subject, so I thought it might be untrue. I've still to find WHERE you log in using your OpenID, since all I can find is the same old registration form. HuGo_87 (talk) 02:09, 8 June 2009 (UTC)
You lost me
- I was coming here to say the same thing - for a wikipedia article this doesn't have a very good plain language explanation, and it launches into way, way too much technical detail in a very formal way. So I've added a "Simple Overview" section. Perhaps it's a bit of duplication of what's in the introduction, but the introduction has a job to do that doesn't allow it to be as simple as people need it to be. So I figure this might do the trick. Especially with the example.
- Please let me know (with a comment here) if it leaves you with any other questions. I'm a very technical person, but I've been told I've got the ability to explain complicated things in a very simple way. 126.96.36.199 (talk) 19:55, 20 February 2010 (UTC)
- I've updated the introduction in an attempt to provide a less technical overview of what the protocol is actually facilitating. I hope this will be more informative for the general reader. I also noticed that the "Simple Overview" section is no longer there - was it merged with the introduction at some point? -- Arndisj (talk) 03:29, 25 October 2011 (UTC)
As clear as mud
I have been reading up on openID for around an hour, and still haven't any real idea what it is. I presume there are three situations:
user, Website using openID to log in, website acting as openID provider .... but there might be some kind of indirect openid.
By far the worst article is the wikipedia one, which basically is a bit like reading an account of Christianity which fails to mention someone called jesus, because it is basically written by and for a bunch of Roman Catholic theologians and not for someone who hasn't the faintest clue what Christianity is.
What is openID? I think it is a way to be able to sign on to many websites using one single ID ... or perhaps not ... perhaps it is a way to authenticate a website as being authentic, so I know a site with "OPENID" has signed up for an openID?
... and then, can I / would I want to integrate this with my own PHP driven password authentication on my own websites?
OpenID does not allow open login as suggested in intro
I was heavily misled by the original intro, in that it seemed to imply that OpenID provided a means for universal login to any site. After spending quite a bit of time investigating, I have realised that openID simply provides a common standard for a website to vouch for a user. This does not remove the question of "can I trust this person", but instead replaces it with "Can I trust the website that says they trust this person" .... and remember any person can create a website vouching for users like spam597.spambotsRus.com
I came up with this Idea!
Check my credentials and lookup my filed patents with the USPTO. Or search google "dennis lyon invention" in the WIPO. —Preceding unsigned comment added by Globalstage (talk • contribs) 04:04, 3 October 2009 (UTC)
- Get real
Someone claiming to be Dennis Lyon is claiming to have invented OpenID. He cites a WIPO filing from 2006, a year after OpenID was developed, and a patent application from 2009. The last time someone removed this unsupported claim from the article, he put it back in. —Preceding unsigned comment added by Klodolph (talk • contribs) 08:24, 3 October 2009 (UTC)
- I have no reason to doubt that the editor is who he claims, as the IP is from the same area. As for the particular claims being made, the underlying concept was established in the digital identity community well before 2004. The folks from Ram Technics also falsely claimed to be the first to originate the concept, and even claimed that a patent for OpenID (which doesn't exist) was the result of a breach of trust by Microsoft (which had no involvement in OpenID until around 2007) regarding its TADAG architecture (for which there were no patents or copyrights, filed or granted). The evidence provided only shows that Lyon committed identity theft (and thus has no compunction about perpetrating a fraud), works in the identity management field (and thus has a conflict of interest regarding the subject matter), and filed patent applications after OpenID implementations were already available (and thus may run afoul of prior art). Even if verifiability, original research, and reliable sources were not an issue, the statements are simply irrelevant. As I mentioned in my edit summary, this article is specifically about the standard, not the concept. Dancter (talk) 14:51, 4 October 2009 (UTC)
This is a great discussion since we would like to have strong IP when our patent issues and any papers or concepts that are before our conception, we would like to bring to our examiners attention before we are issued a patent. Can you please cite? —Preceding unsigned comment added by Globalstage (talk • contribs) 17:12, 4 October 2009 (UTC)
- This talk page is for discussion about editing the Wikipedia article on the OpenID standard. Any discussion not related to improving the article within the bounds of Wikipedia policy is not appropriate. It's also a bit hypocritical to show a sudden concern about citing sources, yet continue to add inadequately sourced material to the article. Given that the information you're requesting would not be appropriate to mention in this article for the reason I already explained, it is irrelevant (see the talk page guidelines). Dancter (talk) 17:53, 4 October 2009 (UTC)
I have already exceeded the limitations on edit reverts under the three-revert rule, and will refrain from editing the article for a while. Mr. Lyon's edits still do not satisfy Wikipedia policies, and may constitute an attempt to inappropriately exploit Wikipedia to influence a patent prosecution and possible future litigation. Based on this, I believe that any further additions of Mr. Lyon's claims that aren't accompanied and explicitly verified by reliable independent sources should be removed immediately. Dancter (talk) 18:29, 4 October 2009 (UTC)
- Obviously your argument does not stand as no citation can be produced. We have subsequently submitted to Wiki Admin to independently verify our additions. We legitimately cite our patent application which clearly defines OpenID and the conviction article available on the web. —Preceding unsigned comment added by Globalstage (talk • contribs) 19:25, 4 October 2009 (UTC)
- Per the verifiability policy I mentioned before, "The burden of evidence lies with the editor who adds or restores material. All quotations and any material challenged or likely to be challenged must be attributed to a reliable, published source using an inline citation. The source cited must unambiguously support the information as it is presented in the article." None of the evidence shown actually verifies the claims that you "invented," were "the first to envision and develop the concept," or were "the first to describe the processes that are involved" for OpenID. It is all original research (which I also addressed earlier) based on circumstantial evidence. You are making exceptional claims, which require exceptional sources. Dancter (talk) 21:07, 4 October 2009 (UTC)
- Patent application: filed June 22, 2005
- OpenID: publicly released May 16, 2005
- If you had read the policy on original research, you would have noticed the part that addresses the use of primary-source material: "Do not make analytic, synthetic, interpretive, explanatory, or evaluative claims about information found in a primary source." Dancter (talk) 21:39, 4 October 2009 (UTC)
Here is the patent; User authentication and secure transaction system . Naturally it says absolutely nothing about OpenID. Whether it is the same as OpenID is a matter of personal interpretation, making it an unsuitable cite on Wikipedia as Dancter explains above. If Globalstage wishes include this issue on the OpenID article a reliable source must be produced that discusses the similarities between them. Until such a cite is provided we have nothing but Globalstage's opinion that the patent describes OpenID. --Escape Orbit (Talk) 22:21, 4 October 2009 (UTC)
Here is a simple piece from the patent: "Parties may specify authentication procedures. A party may be authenticated for one or more third parties and may be authenticated in a manner without disclosing some or all of the party's personal information to the one or more third party." Sounds like OpenID; however, you can cite many parts of the patent that describe OpenID. This application is the reason why you do not see another application for a patent, as it turns up in searches and is cited by examiners as prior art. —Preceding unsigned comment added by Globalstage (talk • contribs) 22:33, 4 October 2009 (UTC)
- I implore you to review the policies and guidelines to which I have linked, which address the types of arguments you are making. You seem to be willfully ignorant even of the portions I have directly quoted. Dancter (talk) 22:47, 4 October 2009 (UTC)
- What you say may be true, but you still need a cite that says it for you. It is not permissible for contributing editors to provide their own interpretations of things. --Escape Orbit (Talk) 22:53, 4 October 2009 (UTC)
We would like an editor to update the history to give credit to Dennis Lyon for this technology. Our research indicates we are over 1 year prior to any version of "Yadis" or "OpenID" ever being released and 3 years and more prior to the inclusion of a data exchange and token additions. Please see "Flash Of Genius Doctrine", which was soon overturned; however a catalyst for this technology exists in the "Dennis Lyon Identity Theft Case". —Preceding unsigned comment added by Globalstage (talk • contribs) 18:08, 25 October 2009 (UTC)
- You are still arguing on original research. I don't know how to make this any clearer to you: the subject of this article is a standard, not a technology. This is why the history section begins where it does. Who was the first to develop a particular technology used in the standard is not directly relevant, nor is it particularly notable. Whatever success OpenID has achieved could arguably be attributed more to being an open standard than to the particular technology used. Until Lyon's patent manages to significantly and demonstrably impact OpenID in some way as directly established by reliable and independent secondary sources, there is no reason to mention it here. Please do not discuss the matter further unless you can somehow explain how the content complies with the Wikipedia policies mentioned previously. Per the talk page guidelines, "it is usually a misuse of a talk page to continue to argue any point that has not met policy requirements." Dancter (talk) 22:00, 31 October 2009 (UTC)
- OpenID: Is a Technology. Since when were the protocols of OpenID made standard? Please tell us what authority made this a standard? You're a wiki expert; how about doing some homework and updating this for us. —Preceding unsigned comment added by Globalstage (talk • contribs) 01:47, 1 November 2009 (UTC)
- Stop with the indignant posturing. We have repeatedly mentioned and linked the appropriate policies, and requested that you establish how your claims comply with those policies, yet nothing you have done here indicates that you've even read them. Perhaps "standard" wasn't the best term for me to use (though I think your hair-splitting over the matter is a straw man), but the fact that you refer to protocols indicates that you have some comprehension that OpenID is an implementation. It is not the technology itself. The 802.11n article doesn't describe where MIMO came from, the Twitter article doesn't mention the prior history of microblogging, and the Wii article doesn't discuss who was the first to think of motion control interfaces for video games. Similarly, unless it substantively impacts OpenID, Lyon's patent doesn't warrant mention in this article, as I stated before. Dancter (talk) 16:02, 1 November 2009 (UTC)
- What relevance does an overturned legal doctrine have here? If you want to make a legal case as the basis for article content, then make it in court. Come back here after you've won it, or at least grabbed some headlines for it. That's the only way I see the claim receiving the sort of independent coverage that would satisfy Wikipedia policies. If such coverage emerges, then Lyon's patent can probably be mentioned in the Wikipedia article same way CSIRO's patent is in the 802.11n article and Immersion Corporation's patent is in the DualShock article. Otherwise, this no different than Adele McLean, Robert Meyers, Gary Deines, or any other individual trying to use Wikipedia to promote fringe views that haven't gained currency through established means. Dancter (talk) 16:24, 1 November 2009 (UTC)
Your responses are moot in light of this patent application. This wiki does serve to prove the technology of my patent. You can go around calling the technology whatever you want; however, the simple fact remains that a patent application exists and describes it. We make no threats of lawsuits here. Innovation is what drives America. Please use your common sense and know that you cannot go around saying something is yours when it's not. —Preceding unsigned comment added by Globalstage (talk • contribs) 20:07, 1 November 2009 (UTC)
- Who said anything about what belongs to whom? Where in the article? The only thing I can find is the quotation that you tried to remove, and that was a statement of philosophy, not a claim of fact. The only ones making a fuss about ownership are the ones waving a patent application around, talking about "strong IP". If you're going to continue to ignore the policies, then any further discussion on the matter is moot. Dancter (talk) 20:51, 1 November 2009 (UTC)
Fitzpatrick's claim to be the originator of OpenID in June 2005 is not supported by the evidence. Microsoft was introduced to a small part of a concept called TADAG (Trusted Authenticated Domains & Gateways - www.tadag.com) in June 2004. Microsoft began covert development of the OpenID concept early in 2005 before being challenged by the UK-based originator, David Gale, after a live confidential security briefing in Redmond in April 2005. The contact and discussions are documented across multiple Microsoft employees for months before and after the IPR challenge. Senior Microsoft executives have never disputed the chronology provided by TADAG's author but the company instead went on to sponsor OpenID's arm's length development. I was the original contact point inside Microsoft Corp for discussions on the development of TADAG. 188.8.131.52 (talk) 22:11, 19 April 2011 (UTC) Daniel Fell
Update
I don't know if anyone else is willing to work on it, but the latter half of the History section focuses a little too much on companies and adoption (while still overlooking mixi, which is huge in Japan) when there are quite a few other important aspects to cover: the Provider Authentication Policy Extension (PAPE), the Contract Exchange (TX) extension, the rise of Facebook Connect, OpenID+OAuth, initiatives such as advisory committees for the retail and content provider sectors, government adoption, etc. Dancter (talk) 22:49, 13 October 2009 (UTC)
- OpenID Connect is a significant development which should be mentioned. Covering OpenID implementation and adoption challenges over the years under OpenID 2.0, especially in comparison to the now-dominant Facebook Connect, would provide some nice context. Dancter (talk) 17:47, 25 August 2014 (UTC)
Please remember this is an encyclopedia...
This article has some rather glowing ad-like prose, how-to examples, and talk page editorializing... what it really needs is more description of the facts, like what information the OpenID provider communicates to the site the user wishes to use and vice versa. Wnt (talk) 17:30, 1 July 2010 (UTC)
I STILL don't understand what the heck this is.
I'm a software engineer with over 20 years experience and am annoyed that I can't make heads nor tails of this. This set of explanations just does not pin down what is what.
I was ALSO going to rail on about how this explanation was written entirely for someone who already understood the subject, but the person who started the discussion section:"Clear as Mud" said precisely that. Yes, whomever you are at 184.108.40.206, you nailed it.
- It's a sufficiently advanced technology indistinguishable from magic, that's what it is. It's a way for A to demonstrate (with some academically interesting forgery/reputation issues that are distractions) to C that he has validly logged on as A, at B, without letting C have any additional privilege aside from that information, from that source. — Preceding unsigned comment added by 220.127.116.11 (talk) 02:01, 13 December 2011 (UTC)
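The exchange the comment above describes (A proves to C that A logged in at B, and nothing more), together with the earlier point that this only moves the question to "can I trust the website that vouches for this person", is easier to see in code. The block below is an added example written for this talk page; it is not code from the article or from any OpenID implementation. It assumes an OpenID 2.0 HMAC-SHA256 association already established between provider and relying party (the association handle, shared secret, endpoint URLs, and claimed identifier are all constructed values), and it checks the positive assertion the way the OpenID Authentication 2.0 specification requires: signed-field coverage, HMAC over the Key-Value Form, return_to, the asserting OP endpoint against the one discovered for the claimed identifier, and nonce freshness against replay.

```python
"""OpenID 2.0 positive assertion: provider (B) signs, relying party (C) verifies.
Added example for this talk page, not code from the article or any OpenID library.
All handles, secrets, URLs and identifiers below are constructed for the demo."""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Constructed association: what OP and RP would share after an
# openid.mode=associate exchange with an HMAC-SHA256 session type.
ASSOCIATIONS = {"assoc-demo-1": hashlib.sha256(b"constructed demo secret").digest()}
# OpenID 2.0 requires these to be covered by openid.signed on every positive
# assertion (plus claimed_id/identity whenever they are present).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
NONCE_WINDOW = timedelta(minutes=5)   # RP's tolerance for clock skew / delivery delay


def kv_form(fields, signed):
    """Key-Value Form the signature covers: one 'key:value\\n' line per signed
    key, keys written without the 'openid.' prefix, in openid.signed order."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()


def make_nonce(now):
    """response_nonce: UTC timestamp 'YYYY-MM-DDThh:mm:ssZ' plus a unique suffix."""
    return now.strftime("%Y-%m-%dT%H:%M:%SZ") + secrets.token_urlsafe(8)


def op_sign_assertion(op_endpoint, claimed_id, return_to, assoc_handle, now):
    """Provider (B) side: build the assertion that is relayed through the user's
    browser to the RP's return_to URL, and sign it with the association secret."""
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": make_nonce(now),
        "openid.assoc_handle": assoc_handle,
    }
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle"]
    mac = hmac.new(ASSOCIATIONS[assoc_handle], kv_form(fields, signed), hashlib.sha256)
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = base64.b64encode(mac.digest()).decode()
    return fields


def rp_verify_assertion(fields, expected_return_to, discovered_op_endpoint, seen_nonces, now):
    """Relying party (C) side. Returns (ok, reason_or_claimed_id).
    The op_endpoint check is what stops an arbitrary site from vouching for a
    user: only the OP discovered from the claimed identifier may assert it."""
    if fields.get("openid.ns") != OPENID_NS or fields.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    secret = ASSOCIATIONS.get(fields.get("openid.assoc_handle", ""))
    if secret is None:   # a real RP would fall back to openid.mode=check_authentication
        return False, "unknown assoc_handle"
    signed = fields.get("openid.signed", "").split(",")
    present_ids = {k for k in ("claimed_id", "identity") if "openid." + k in fields}
    if not (REQUIRED_SIGNED | present_ids) <= set(signed):
        return False, "required field not covered by signature"
    try:
        expected = hmac.new(secret, kv_form(fields, signed), hashlib.sha256).digest()
        given = base64.b64decode(fields.get("openid.sig", ""))
    except (KeyError, ValueError):
        return False, "malformed assertion"
    if not hmac.compare_digest(expected, given):
        return False, "bad signature"
    if fields["openid.return_to"] != expected_return_to:
        return False, "return_to mismatch"
    if fields["openid.op_endpoint"] != discovered_op_endpoint:
        return False, "assertion not from the OP discovered for this claimed_id"
    nonce = fields["openid.response_nonce"]
    try:
        ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed nonce"
    if abs(now - ts) > NONCE_WINDOW:
        return False, "stale nonce"
    if (fields["openid.op_endpoint"], nonce) in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add((fields["openid.op_endpoint"], nonce))
    return True, fields["openid.claimed_id"]


def run_demo():
    """Worked exchange on constructed values: a valid assertion, a tampered one,
    a replay of the valid one, and an assertion from an OP the RP did not discover."""
    now = datetime(2012, 3, 25, 14, 26, tzinfo=timezone.utc)
    op = "https://op.example.net/server"                 # constructed provider endpoint
    rp_return = "https://rp.example.org/openid/return"    # constructed RP return_to
    seen = set()
    good = op_sign_assertion(op, "https://alice.example.net/", rp_return, "assoc-demo-1", now)
    results = {"valid": rp_verify_assertion(good, rp_return, op, seen, now)}
    tampered = {**good, "openid.identity": "https://mallory.example.net/"}
    results["tampered"] = rp_verify_assertion(tampered, rp_return, op, seen, now)
    results["replay"] = rp_verify_assertion(good, rp_return, op, seen, now)
    results["wrong_op"] = rp_verify_assertion(good, rp_return, "https://other-op.example/", set(), now)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Note what the verifier learns and what it does not: C learns only that the OP at the discovered endpoint asserts the claimed identifier, and C never obtains a credential for A at B. The op_endpoint comparison is the part that answers the "any site can vouch for anyone" objection: an assertion signed by a different OP, even a correctly signed one, is rejected unless the RP's discovery of the claimed identifier pointed at that OP. An RP without a stored association would instead send the assertion back to the OP with openid.mode=check_authentication over a direct request.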
Huh? (Authentication Bugs)
Hit the page searching for manymoon, and landed here. Quipped text included 'vulnerable', so searched on that within the page.
"In March, 2012, a research paper  reported two generic security issues in OpenID. Both issues allow malicious to sign into victim's relying party accounts" - malicious what? - relying? Bs27975 (talk) 11:52, 25 April 2012 (UTC)
OAuth comparison is highly biased and uninformative
The section title "OpenID vs. pseudo-authentication using OAuth" shows bias by branding OAuth as "pseudo-" authentication. (OpenID, by comparison, must be "real" authentication?) The section text contains no citations. There is no definition of a "valet key" or how it differs from the "certificate" sent in OpenID. The diagram does nothing to enhance understanding, it conveys the same bias as the text, and has insufficient color contrast which makes it difficult to read. Please remove this section from the article. — Preceding unsigned comment added by 18.104.22.168 (talk) 17:25, 18 May 2012 (UTC)
OpenID Connect
Despite the differences from OpenID 2.0, OpenID Connect is still OpenID, and is in fact the successor to OpenID 2.0. While I don't oppose sub-articles for individual versions if necessary, I think OpenID Connect coverage should be integrated into this article. Dancter (talk) 17:47, 25 August 2014 (UTC)
Separate adoption details from the introduction
To simplify the first paragraph, all of the text from "Several large organizations either issue or accept OpenIDs ..." to the end should be moved to the Adoption section.
In the Adoption section, it would be helpful if there were separate lists for those who issue (i.e. provide) and those who accept, and also if there was some indication of the number of providers (rather than just of account holders and accepting sites).