Provide details on how OpenID works

From my initial investigation into this service, you have several security issues.

1) How do I know when I see an OpenId box that it's actually an OpenId box and not someone who cloned one to trick me into giving away my password?

2) My name and password aren't protected by SSL so what's to stop anyone from stealing my information over the network?

3) If my information is vetted by some OpenId provider of some kind, that provider gets to see all the places I log in on the net and when. This creates a privacy issue.

I can't use or recommend use of this service without knowing how these and other issues are going to be addressed. It would help if you had a detailed write-up of how OpenId works.

13 votes
    Jeremy shared this idea

    3 comments

      • Anonymous commented

        I am Mr Pankaj devkota Restaurant and Hotel and resort manemang and staff cansaltiv pan@devkota gmail.com

      • Colablizzard commented

        I am worried about points 1) and 2).
        Regarding the explanation that we should check the URL bar, come on people. If this would work, e-mail based phishing would be history!

      • Chris Messina (Admin, OpenID) commented

        Thanks for your questions. Replies:

        1. When entering your OpenID into a box, you should NEVER enter your password. ONLY provide your password to your OpenID provider, and always check the URL bar to make sure that you've been correctly redirected to your OpenID provider.

        2. To prevent eavesdropping, you should use SSL for your OpenID URL.

        3. You are correct. Your OpenID provider will know every place that you sign in to, just like your credit card provider knows about every purchase you make with your credit card. This is a feature, actually, and is why it's important to choose your OpenID provider carefully. Don't use an OpenID provider that you don't trust with this kind of information, just like you wouldn't use a credit card from a company or organization that you don't trust.

        Please note that OpenID is only a protocol and technology, not a service.

        For technical information about how OpenID works, you can read the specifications:

        http://openid.net/developers/specs/
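
The checks from replies 1 and 2 above, written out as an added example (not part of the thread and not code from any OpenID library). `review_login`, its parameters and the sample hosts are hypothetical, and the identifier normalization is simplified from OpenID Authentication 2.0, section 7.2.

```python
from urllib.parse import urlsplit, urlunsplit

# OpenID Authentication 2.0, section 7.2: input starting with one of these is an XRI.
XRI_PREFIXES = ("=", "@", "+", "$", "!", "(")


def normalize_identifier(user_input):
    """Normalize a URL identifier typed into an OpenID box (simplified)."""
    ident = user_input.strip()
    if ident.lower().startswith("xri://") or ident.startswith(XRI_PREFIXES):
        raise ValueError("XRI identifiers are outside this example")
    if "://" not in ident:
        ident = "http://" + ident  # the spec's default scheme is plain http
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) URL identifier")
    # Fragments are dropped; an empty path becomes "/".
    return urlunsplit((scheme, parts.netloc.lower(), parts.path or "/", parts.query, ""))


def review_login(user_input, redirect_url, expected_op_host):
    """Return findings for one login attempt; an empty list means no issue found.

    redirect_url is the page asking for the password and expected_op_host is
    the provider host the user signed up with (hypothetical inputs).
    """
    findings = []
    claimed = normalize_identifier(user_input)
    if urlsplit(claimed).scheme != "https":
        findings.append("identifier resolves to plain http: " + claimed)
    target = urlsplit(redirect_url)
    if target.scheme.lower() != "https":
        findings.append("password page is not served over https")
    # Exact host comparison: a lookalike that merely contains the name fails.
    if (target.hostname or "") != expected_op_host.lower():
        findings.append("password page host is not the expected provider")
    return findings


if __name__ == "__main__":
    # Constructed sample values; the example.com and .test names are placeholders.
    print(review_login("alice.example.com",
                       "https://op.example.com/auth", "op.example.com"))
    print(review_login("https://alice.example.com",
                       "https://op.example.com.login.test/auth", "op.example.com"))
```

An identifier typed without a scheme normalizes to `http://`, so the SSL advice in reply 2 only holds when the `https://` form is entered explicitly.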