[wp-hackers] Re: GSoC 2008 Proposal: Core OpenID Support
ron at cavemonkey50.com
Thu Mar 20 19:55:48 GMT 2008
Otto, I think you misunderstood my last comment.
I am talking about simply ignoring the way current OpenID plugins use the
URL box for authentication. My revised solution would only integrate OpenID
with the existing WordPress registration/login process. Nothing would be
done on the theme's end.
Essentially, I would be integrating OpenID how it is intended to be, for
accounts, not for comments. If someone is using an account system with
WordPress, OpenID would integrate with that. Completely ignore the comments.
Here is a scenario:
I'm on a blog that requires registration. I click the existing login link. I
enter my OpenID. WordPress logs me in. From there on, the experience is
completely identical to if I had entered a username and password. I'm using
WordPress user accounts to do everything, no trickery with OpenID.
I don't see how this would create more work. If anything, less work. I'm not
changing anything with the way WordPress comments functions. I'm just
allowing users to authenticate with OpenID instead of using a username and
password. Theme's would react the same way a regular user is logged in
because an OpenID user would be a regular user, just authenticated
I completely agree with you that registration should not be used for
comments. I am completely against comment registration. However, I fail to
see if WordPress allows OpenID logins that everyone is going to flock to
registration only comments. Maybe you'll get a few misinformed users (as
always), but the vast majority of blog administrators hate registration as
well, and won't enable it.
Regarding spam, that can easily be overcome. Add one simple line under the
option to enable OpenID: Enabling this option allows user to register and
login via OpenID (link to information). Note: This is not a spam
I would not even place the OpenID option on the comments page to prevent
confusion with spam fighting.
On Thu, Mar 20, 2008 at 3:38 PM, Otto <otto at ottodestruct.com> wrote:
> On Thu, Mar 20, 2008 at 12:07 PM, Ronald Heft <ron at cavemonkey50.com>
> > Should someone want to authenticate comments with OpenID, that is
> > territory. With core OpenID support, a plugin would only be adding the
> > proper fields to make that happen, and that plugin would then fall into
> > disable without a problem set of plugins.
> > How does that sound?
> It sounds like you'd have to do a hell of a lot of work to separate
> comments from registration.
> Like it or not, it's not that simple. Mere inclusion of OpenID as a
> registration would have the effect of encouraging registration-only
> comments and discouraging anonymous commenting. You don't need to
> allow OpenID on comments to get that effect. The masses will hear
> "OpenID prevents Spam" and voila. It's not true, but there's a lot of
> things that aren't true that people believe. Look at how many people
> think that Disabling SSID Broadcast on a wireless access point makes
> it more secure. Look at how many people will *argue with you about it*
> when you tell them that they're wrong and explain why.
> The commenting system is generally tightly integrated with the user
> login. Most themes have something to the effect of "when the user is
> already logged in, don't display the name/email/url boxes". If OpenID
> was there, then it actually makes sense to check the URL box and log
> the user in when there is an OpenID at that URL. Otherwise, you're
> letting unauthenticated users spoof possibly authenticated ones.
> No, the problem is not solved by merely not enabling OpenID for
> comments. The problem is inherent in the idea itself. The idea that
> the people reading the blog need to be authenticated in the first
> place, that's the problem. Why should the audience be authenticated?
> Even when they are providing feedback, it seems like a horrible
> invasion of privacy and anonymity to me. I value anonymity, I hate to
> see it reduced in such a manner by OpenID.
> Now, don't get me wrong. I like OpenID itself. I think it has its
> uses. I'd love to login to digg using my OpenID. I'd love to use it to
> login to slashdot, or my favorite online forums, or anywhere where I
> have a username and an identity that I use on a regular basis.
> Anywhere where the discussion is a multi-person forum, not a more
> one-way form of communication like a blog is. So, OpenID is fine for
> what it does. But it really does not fit the "blog" mold, as far as I
> see it.
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
Ronald Heft, Jr.
Information Sciences and Technology
Pennsylvania State University
More information about the wp-hackers