Simon Willison’s Weblog

I think it is well established that HTTP Authentication needs a major kick in the ass and OpenID and OAuth may get us most of the way there. However, until I see RFC#s attached to both I’m hardly going to consider them to be complete. I propose the creation of an IETF WG on Identity and Authentication. The WG would be chartered to produce two RFCs covering each of the two areas. OpenID and OAuth could be used to seed the WG effort.

— James Snell # 18th November 2007, 12:15 am

Your telco knows who you are, where you live and even your credit card number or bank account. It’s their business to provide you physical access from a real location and identify you as a customer by sending you invoices and receiving money from you. This means that Orange OpenIDs are verified IDs of real people as a matter of principle.

— Thomas Huhn # 25th September 2007, 12:03 pm

Does the idea of redefining the role of the Internet browser appeal to you? Do the terms HTTP, RSS, Microformats, and OpenID, excite you? If so, then this just might be the opportunity for you.

— IE Team Job Ad # 18th July 2007, 7:43 am

An OpenID provider should catalogue the sites that a user logs into and automatically construct a homepage for them. That way, not only do the users have the convenience of having their favourite websites automatically bookmarked and readily available, but (with a little help from the consumers), they don’t have to log into the individual sites at all.

— Bogtha # 13th July 2007, 7:26 am

There is a problem of managing identity across the internet, so when I say Darren Waters I mean this person and all of the manifestations and representations and personas of that person. The ability to knit those together is a huge challenge and opportunity for us as an industry.

— Bradley Horowitz # 1st July 2007, 8:54 am

Despite it being a best practice, currently only a handful of OpenID Consumer sites support the association of multiple OpenID identifiers to a single “account”. This is important to create redundancy to make the loss of an identifier less catastrophic.

— Martin Atkins # 28th February 2007, 9:56 pm

OpenID is particularly appealing to OLPC, because it can be used to perpetuate passwordless access even on sites that normally require authentication [...] With an OpenID provider service running on the school server (or other trusted servers), logins to OpenID-enabled sites will simply succeed transparently, because the child’s machine has been authenticated in the background

— Ivan Krstić # 17th February 2007, 12:42 am

We don’t yet accept OpenID identities within our products as a relying party, but we’re actively working on it. That roll-out is likely to be gradual.

— John Panzer, AOL # 15th February 2007, 11:33 am

We have a unique opportunity with phishing and OpenID. OpenID can make the possibility for bad things to happen from phishing that much worse. However, having an OpenID means you create a more intimate relationship with your OpenID provider. You go there everyday. You will more likely know when something is wrong.

— Scott Kveton # 24th January 2007, 3:02 pm

I can also sum things up for you even more succinctly:
—users are task oriented, driving to complete the goal the
quickest way possible
—users pay more attention to the content area than the browser chrome
—users don’t understand how easy it is to spoof a website

— Mike Beltzner # 19th January 2007, 5:33 pm