We've talked about this idea for a long time. I hope it will be part of the next version of OpenID, SREG, or Attribute Exchange (formats for exchanging data like profile information).
This is a fair criticism and something that we want to address as we continue to make improvements to our newly relaunched website. It has a long way to go still, and this kind of feedback is very helpful in directing our attention. Thanks — and sorry to hear about your frustration.
Some replies to your questions:
> You say I have an OpenID; what is it, my Google, Yahoo or eBlogger account? All of the above? What information is in? Who gave OpenID permission to create an account for me? Who gave any of the above entities permission to share my information with OpenID?
Google, Yahoo, and Blogger accounts can be used as OpenIDs.
The information that each provides to sites that you sign in to varies depending on your privacy settings with each provider. Each provider gives you a different level of control over how much data is shared when you sign in.
OpenID didn't give anyone permission — in that sense it's just a technology — and those providers chose to add it (i.e. offering OpenIDs) as a feature for their users. Your information has never been shared with "OpenID" — especially if you mean the "OpenID Foundation" — unless you signed in to the OpenID website with one of your accounts.
> If I am correct, I do not have an "OpenID" ACCOUNT, what I have is several IDs, (Google, Yahoo, and eBlogger) identified as PARTICIPANTS in the open ID effort, which allows THEIR credentials (Google, et al) to be used to log into 3rd party sites. THIS IS NOT A UNIQUE OPENID IDENTITY. I am not sure this is correct and it is certainly not clear from this website.
That's fair. It's understandable that OpenID can be confusing at first.
Think of an OpenID like an email address — you may have several email addresses — from personal to work to spam buckets. In the same way, you can have several OpenIDs from different providers that you may use for different purposes. Just because one of your accounts is OpenID-enabled doesn't mean you need to use it as an OpenID.
The only way to have a "unique identity" is to choose ONE of your OpenIDs and just use that one as often as you can.
> If the above is correct then my first recommendation is to separate the function (OpenID) from the OpenID account; your.name.myopeniid. Make the account something like "UniID" and leave the term OpenID strictly for the function. I think the identical terminology is very confusing as everyone is accustomed to user accounts.
This is a fair criticism. The confusion may be that there is "OpenID the brand and foundation", and "OpenID the technology".
It's unlikely that we'll rename these things now, but we do need to do more to distinguish them.
> The second recommendation, continuing to assume I have guessed correctly, is to emphasize that until a user creates a unique (and very useful) "UniID" that no information is known to OpenID foundation or any other affiliates until the user himself shares that information (means or necessity of doing so currently unknown to me).
This is true. Note that the OpenID Foundation NEVER receives information about you when you sign in, unless you sign in to the OpenID Foundation website.
> Third recommendation – clarify the difference between a user account, a userid, and the passwords for all OpenID participants.
> Fourth recommendation - put an interactive tutorial online to walk you through the steps, the written instructions are pretty bad.
Agreed. We'd like to improve this as well.
> QUESTION: Is my actual username (from whatever OpenID account used) actually shared with the logged into site? For example if I use my Google ID (email@example.com) to log onto OpenID website: StealYourIdentity.com, does the website get the actual Google ID or just the fact it is a legitimate OpenID login?
The site that you're signing in to will get a unique identifier for you — usually a URL that no one else can use. They MAY also get a username, your email, or other information depending on how you set up your preferences.
Hope that helps!
@chris_miner: where did you try that OpenID URL? It should work — if not, perhaps the site implemented OpenID incorrectly?
Clearly Google needs to make this easier for people — it's frustrating that they've made it so confusing.
It's just like having multiple email accounts. You use whichever OpenID suits you best, or that you trust the most. It's also important that you remember which one you use most often — because it'll be used as your ID the next time you visit a site that you login to with your OpenID.
Because the OpenID Foundation is not an identity provider. Nor can we officially endorse any particular provider.
We could probably improve the language so that we're not making a false promise, I suppose...!
We've discussed removing the fees, but they're currently in place largely as a token of seriousness of one's participation. If you would like to get involved and advocate for these changes, you should join the firstname.lastname@example.org mailing list and make a motion.
Wow, you're totally right. That's a pretty big oversight. Thanks for bringing it up. I believe we had plans to provide a directory, but I don't think we ever made good on them.
For now, there is a directory maintained externally:
It's true that we should have this functionality in the site itself. Thanks for bringing it up.
Thanks for pointing this out. We do need more information about security on the site.
There's a good write up about OpenID and security here:
Is OpenID secure?
OpenID is no less (or more) secure than what you use right now. It's true that if someone gets your OpenID's username and password, they can usurp your online identity. But, that's already possible. Most websites offer a service to e-mail you your password (or a new password) if you've forgotten it, which means that if someone breaks into your e-mail account, they can do just as much as they can if they get your OpenID's username and password. They can test websites with which they think you have an account and ask for a forgotten password. Similarly, if someone gains access to your OpenID, they can scour the Internet for places they think you have accounts and log in as you... but nothing else.
Regardless of whether you use OpenID or not, you should be careful about your username and password. When you type your username and password, make sure you're actually on the website you think you are (i.e., check the address).
As for your second question... always make sure to watch the URL bar when signing in to your OpenID provider — that is, ONLY give your password to the website that you got the password FROM — never give out your password on someone else's website.
OpenID ONLY works when you're redirected back to your identity provider at least once. If someone else is asking for your OpenID password who is NOT your provider, then it's a scam.
Do you have a proposal, or are you just suggesting that OpenID.net be offered in other languages?
Thanks, we could really use some help here! What would you recommend for getting this started?
What's specifically annoying about it?
Also, read this:
Not sure why, Matthias. That's weird.
I think this is a great idea and something we've batted around. Not sure what it would take to get it done, but thanks for the request.
Hmm, are you saying that you don't know where to use your OpenID? What were you specifically trying to do?
@chris24: the idea is exactly that — to standardize around a popup-style interaction: http://openid.net/2009/09/25/more-powerful-and-easier-to-use/
How would you suggest achieving this when there is more than one identity provider (i.e. if Facebook Connect is only ONE of MANY options?).
Yep. The problem is that the Google OpenID URL is SUPER-unfriendly (https://www.google.com/accounts/o8/id). So even though we COULD tell people to use that, virtually no one would remember it. We're hoping to get Google to change it, so we also wouldn't want to spread information that changes later...
This is the concept behind Activity Streams (http://activitystrea.ms) and Discovery. Of course, we haven't finished with the discovery portion yet, but progress is being made, and hopefully will lead to what you've described (though it probably need not be an OpenID extension, but instead default to standard feed discovery).
Great — are you interested in volunteering? ;)
Well, you're raising a criticism of Google's particular implementation of OpenID... not the spec itself, but I feel your pain.
To use Google as your OpenID, you either need to look for a big Google button or type this long URL *yuck!*: https://www.google.com/accounts/o8/id (you can also use http://tinyurl.com/gopenid for short).
Sorry about your experience — but do let Google know that you don't like it!
I presume that Facebook, like most companies, will choose to keep such product plans/features private. But, you can of course ask them.