There have been some headlines in the last couple of days about Orange/FT's decision to offer OpenIDs. I headed over to the OpenID Directory Blog to read about it, and was minded to leave a comment. The blog post welcomes the entry of a major telco into this market, on the basis that the OpenIDs issued by Orange will imply a knowledge of the user's name, address and payment details.
My comment was - "not necessarily". More specifically: it depends on how Orange issue those OpenIDs, and what steps they take in the enrolment process to verify the claimed identity of the applicant. For instance, if I can get an OpenID on the basis of having an Orange pay-as-you-go SIM bought for cash, then it's quite possible that Orange would not know my real name, address, billing or payment details. I don't know, not being an Orange customer, whether that is the case.
So why am I saying all this here, instead of leaving a comment over there? Well, the OpenID Directory blog offers OpenID as one of the supported authentication mechanisms if you want to leave a comment, so I thought it would be appropriate to use my Sun OpenID to log in. After all, that has worked in the last day or two at a couple of other sites.
Unfortunately it still isn't working at the ODB, and the mechanics of the failure are interesting:
- on the ODB page, I enter the URI for my Sun OpenID;
- I am correctly redirected to that page, where I authenticate successfully;
- I am redirected back to the ODB site, where the ODB login page is displayed, inviting me to enter my ID and password. It also displays a message saying "Server denied check_authentication" (i.e. something discouraging but fairly meaningless).
Two things strike me about this:
- first, obviously, it's frustrating that I can't authenticate to this site, when I know my OpenID is working elsewhere;
- second, under the wrong circumstances, the flow exhibited by the ODB website would make for a very plausible phishing attack.
![[RSS Newsfeed]](/themes/sotto/images/valid-rss.png)
![[This is a Roller site]](/themes/sotto/images/roller-logo.gif){kind=logo}
Hi Robin,
I'm sorry to hear that you had problems logging in the ODB. As this is a standard Wordpress blog it would be interesting to hear if you have problems with Wordpress in general.
Anyway I took the chance to upgrade to the latest version of http://willnorris.com/projects/wpopenid and also tried http://sourceforge.net/projects/wpopenid.
I did not have any problems using http://myopenid.com and the german http://meinguter.name and a couple of other OpenIDs. Admittedly I have problems using https://certifi.ca in both cases.
As I have no experience in hacking Wordpress, I guess I'll better leave this problem to somebody else. I hope the creators of these plugins will read this and contact you to find out what the issue is with Sun OpenIDs playing not properly together with Wordpress.
Concerning your opinion about France Telecom / Orange: I guess you're right - there's not enough information out there at the moment to make sure that every OpenID issued by Orange is well verified. We will have to wait how Orange will handle this.
Posted by Thomas Huhn on September 28, 2007 at 01:12 PM GMT+00:00 #
Robin,
It doesn't surprise me that there are issues. I'm getting ready to release a new version of the OpenID plugin Thomas is using. I'd greatly appreciate it if you could try leaving a test comment on my site to see how it works.
Posted by Will Norris on October 02, 2007 at 03:59 PM GMT+00:00 #
OK - I'll give it a shot.
Posted by Robin Wilton on October 02, 2007 at 04:20 PM GMT+00:00 #
Will, I left a post, but didn't have to authenticate. Perhaps you haven't deployed the plug-in yet... if so, let me know when it's in and I'll try again.
Posted by Robin Wilton on October 02, 2007 at 04:25 PM GMT+00:00 #
Robin,
I just approved your test comments on the ODB. This time it worked, even as nothing was changed since my last comment here. Good to see that Sun OpenIDs are compatible anyway.
I guess you were only confused about the workflow the first time. I admit that it's somewhat irritating to not get any message about the approval queue when you submit a post, but this is a minor problem that should be not so hard to solve.
Posted by Thomas Huhn on October 02, 2007 at 04:43 PM GMT+00:00 #