The silence is deafening. I’m curious if any pmachine officials have any thoughts on today’s scuttlebutt –> Wordpress, 37Signals Join OpenID Bandwagon. User management is probably the biggest issue hanging over me as I chart my direction with EE or alternatives. LDAP and OpenID (to a lesser degree) are central to this issue.
First, I want to get single sign-on implemented within an individual company. Not sure how OpenID will apply to my customers, just yet, so it’ll be interesting to see how that plays out with 37signals in a commercial application. In the blog world, yes, OpenID would seemingly fit like a glove, but it’ll take a while before it gains traction as an identity engine for businesses.
Paul or Derek would need to chime in on any actual plans.
However, there are some valid security concerns involved with tying your membership and thus your entire EE install into a system that is run on servers not directly under your control.
I’ve not looked at the complete details of how OpenID works but I have read a few pieces by people who have. There are some real potential issues with the way it works. And any time you relinquish site access to something you aren’t fully in control of there is potential for very real security issues regardless of how well designed it is (and there are people of the opinion that OpenID is fundamentally flawed in its design).
In addition I have used a few sites that use OpenID accounts and created one of my own to play with. I found the process very confusing from a user standpoint. It quickly becomes unclear where your account actually is. Where is my password stored? Where do I go to change it? Why do I have two logins for some sites with OpenID but only one for others?
Other than being a current buzz word, I don’t personally feel that OpenID integration has much of anything going for it. EE has an incredible track record in terms of security. I would be extremely hesitant to mess with that.
Please note again that Derek or Paul would need to chime in to give an idea of what kind of plans they might have for EE and OpenID. The above is my opinion of the state of things not EllisLab canon.
Hi Jamie and Co. I just stumbled onto this discussion and thought I’d respond to Jamie’s concerns. I can’t add too much technically and I’m glad you and the EE crew and others are considering security with EE and OpenID, but at some point there will be some cross-site OpenID-like tool to manage identities online. If that’s not OpenID then what else will it be?
To me the security über alles attitude would be like ditching wifi and all its possibilities because WEP was flawed. Sure there are holes, but unless you’re attracting wide-spread attention, who’s going to waste their time with your network/EE installation? There are always ways to beef up and patch up security holes too, right?
The potential for cross-site membership is exciting though. Look at how successful Ning has been. Just wait till OpenSocial gets off the ground. This feature is inevitable, so let’s figure out an implementation to make it work with EE.
EDIT: +1 on this.
Agreed - this would be really handy. To be honest, I trust OpenID’s servers as much or more than my own, just because they’re there for one thing only - to authenticate stuff. So they’re going to be pretty good at it.
@wondermonkey - I’d say even if you have widespread attention you’re going to be safe. 37signals has added openid support to almost all of their apps. If it’s good enough to run basecamp, I’d say it’s good enough for me.
@jamie poitra - I agree with one of your issues for sure. OpenID right now has a pretty steep learning curve for new users. I think the easier they can make that the wider the adoption is going to be.
To me OpenID feels like RSS. Once you get used to using it - you wish every site out there had it.
I’m not sure the WIFI analogy works for me. With WIFI there are alternative ways of preventing access that are more secure than WEP. And in fact, some work places do NOT allow wireless connections despite all its possibilities (or didn’t until the enterprise versions of WPA came around). I don’t think it’s necessarily wrong in many cases to err on the side of caution when important data is concerned.
And the fact that 37signals is using it does nothing for me. 😊 The 37signals guys are brilliant but I’ve seen them do things that I would never do and say things that I don’t agree with.
I imagine an OpenID solution for EE that allows you to opt out would be reasonable. But as it would need to be built into the authentication and member account portions of EE it’s something for EllisLab to take care of as they see fit.
I guess I’m just really hesitant to trust other people with my personal security and privacy. I don’t use gmail besides using it for testing purposes for similar reasons. It’s great and all that Google’s motto is “Do no evil” but that’s my life sitting there on my email server. I’d rather it be owned and controlled by myself and people I trust.
I’d rather it be owned and controlled by myself and people I trust.
Exactly! It’s a trust issue. If you don’t trust OpenID, then you definitely won’t want to use it. Tons of people do though, and that number’s growing. I trust Google too, and Pair (my hosting provider). If I ever find any reason to not trust any of them, then I’d definitely switch my services away from them.
I agree it needs to be an opt-in solution (again, using Basecamp as an example - they default to regular ol’ user/pass model and let people opt into OpenID).
The great thing about OpenID is that if your OpenID provider starts getting shady or untrustworthy, you simply switch your OpenID delegate at your domain name to a new company and none of your logins have to be changed. There are plenty of delegates out there to try. I use myopenid.com personally.
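The delegation the post above describes works because a relying party discovers the provider from `<link>` tags in the `<head>` of the user's own URL; switching providers means editing those tags while the claimed identifier (the user's domain) stays the same. The following is an added example, not code from the forum or from EllisLab, with constructed homepages pointing at hypothetical providers `provider-a.example` and `provider-b.example`; the refusal of non-TLS provider endpoints is an added defender-side check, not part of the OpenID spec.

```python
from html.parser import HTMLParser

# Constructed homepage for a user "alice" delegating to hypothetical provider A
# (carries both OpenID 1.1 and OpenID 2.0 link tags).
HOMEPAGE_PROVIDER_A = """<html><head>
<link rel="openid.server" href="https://provider-a.example/server">
<link rel="openid.delegate" href="https://alice.provider-a.example/">
<link rel="openid2.provider" href="https://provider-a.example/server">
<link rel="openid2.local_id" href="https://alice.provider-a.example/">
</head><body>Alice's homepage</body></html>"""

# Same user after "switching delegate": only the link tags changed, not her URL.
HOMEPAGE_PROVIDER_B = """<html><head>
<link rel="openid.server" href="https://provider-b.example/openid">
<link rel="openid.delegate" href="https://provider-b.example/u/alice">
</head><body>Alice's homepage</body></html>"""


class _LinkRelParser(HTMLParser):
    """Collect rel -> href for <link> tags that appear inside <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_head = False  # discovery only honours links in <head>
        if tag == "link" and self._in_head:
            a = dict(attrs)
            rel, href = a.get("rel"), a.get("href")
            if rel and href:
                for token in rel.split():  # rel may hold several tokens
                    self.links.setdefault(token.lower(), href)


def discover(html):
    """Return (provider_endpoint, local_id) for an OpenID-enabled HTML page.
    OpenID 2.0 tags win over 1.1 tags; local_id is None when the page does
    not delegate (the claimed URL is then the identifier at the provider)."""
    p = _LinkRelParser()
    p.feed(html)
    server = p.links.get("openid2.provider") or p.links.get("openid.server")
    local_id = p.links.get("openid2.local_id") or p.links.get("openid.delegate")
    if server is None:
        raise ValueError("no OpenID provider link found in <head>")
    if not server.startswith("https://"):  # added check: relying party policy
        raise ValueError("refusing non-TLS provider endpoint: " + server)
    return server, local_id
```

The two constructed pages show the cost of a provider switch from the user's side: two `href` values change, every relying party still sees the same claimed URL.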
Check out this link!
With Paypal having joined the OpenID board, I think it’s time to give this some serious thought!
FWIW there is an OpenID library available on (in? Damn you App Store!!!) the CodeIgniter Wiki. That might make it an easy addition come 2.0.