[wp-hackers] Re: GSoC 2008 Proposal: Core OpenID Support

Ronald Heft ron at cavemonkey50.com
Thu Mar 20 04:30:26 GMT 2008

Yet again, I'm overwhelmed with feedback. Thanks for responding everyone.

Regarding Otto's original comment:

Faster commenting/registration: As this has been mentioned before, yes, it
is faster. A good OpenID identity server will automatically fill out the
remaining details in registration, and once granted permission for a website
to use an identity, will bypass the authorization screen altogether on
sequential logins.

Regarding the redirect taking away from the user experience, I am going to
disagree and say it adds to the experience. The OpenID delegate page should
be a normal and familiar process for anyone using OpenID. It helps bring a
consistent login / registration process to the user, and adds security since
everyone's login page should be unique to them.

Spam: Alright, I agree, that is a moot point and I retract it.

WordPress.com: If you don't want WordPress.com people or any OpenID user to
login to your site, you simply disable OpenID logins.

Alright, I admit, the greatest benefit to WordPress users is that oddball
scenario of a blog that requires registration. And yes, I agree, OpenID
should not be used to encourage registration at all - I hate registering as
much as anyone. However, that's exactly my point. For those rare blogs that do
require registration, OpenID is a HUGE benefit to the WordPress user.

I have found amazing blog posts that deserve feedback yet require
registration. If you're looking for a specific example, Glenn Wolsey used
to. I have run into other websites, but can't think of them at the moment.
Anyway, in nearly all of those cases, I have skipped over commenting. I
simply do not trust a blog of anyone else with my password.

Yes, we could get into the low security, one time password scenario, but to
me, that's out of the question. I'm not going to remember a one time use
password. And if we want to address the security of WordPress, yes, I trust
the current version of WordPress, but we all know, exploits are always out
there, and not everyone updates WordPress. I have already run into a case
where a well trusted website run by a friend had their database compromised,
and changing passwords sucks. I do not want to go through that again.

Anyway, back on topic, yes, it's a small amount of blogs, but for those
blogs, the benefits of logging in via OpenID are completely worth it to me,
even if that only happens once out of every 10,000 blogs.

As Charles said, identity management is a huge problem for people. If
WordPress could become more convenient in this area, why not? As I've
already mentioned, having just a plugin does not do a whole lot in this
area. Most sites will not have an OpenID plugin installed, so logging in via
OpenID barely occurs, simply because it's not widely supported as an option.
Give people that option and it may become more widely supported.

I also agree with the fact that WordPress should not be trying to promote
OpenID. I do not want to force OpenID on anyone; I simply want to provide it
as an option. Should I take on this project, I plan to make OpenID support
completely optional. In fact, I'm down for having it disabled by default. I
would certainly love to have it enabled, but if that's what it takes, that's
what it takes.

In addition, I do not really plan to make OpenID an in-your-face kind of
experience. Besides the options, nothing would have to be done on the visual
side of WordPress. Sure, it would be nice on the login forms to let people
know OpenID is an option, but that can be completely skipped if the general
opinion is to avoid promoting OpenID in any way. The core users of OpenID would
eventually come to know that most WordPress blogs support it, and that would
be fine.

I guess, what I'm curious to know is what disadvantages would core OpenID
support bring? If there are options to completely disable it, how would
someone be affected? The performance impact of OpenID support would be low,
only requiring extra code run on login/logout, the visual branding of OpenID
could be skipped, so no effects there. Is it just that people do not like the
standard and do not want to see it more widespread? As I've mentioned, I only
plan to offer this as an option. I don't want to force OpenID down anyone's

And Otto, I'm going to have to disagree that OpenID is not something
WordPress users want or use. Just look at the forums. There are requests
left and right for OpenID. The Ideas list is littered with multiple topics
requesting OpenID. Nearly all of these comments say an OpenID plugin is
good, but what we really need is core OpenID support.

By the way, if anyone has any questions about OpenID or feels it's not
secure / properly thought out, listen to Security Now Episode 95. It really
explains the technology wonderfully: http://www.grc.com/sn/SN-095.htm

On Wed, Mar 19, 2008 at 10:33 PM, Lloyd Budd <lloydomattic at gmail.com> wrote:

> On Wed, Mar 19, 2008 at 3:41 PM, sunburntkamel <sunburntkamel at gmail.com>
> wrote:
> >
> >  If there was greater openID support, it might put pressure for there
> >  to be more identity providers, and for existing providers to improve
> >  their services.  (I've disabled the plugin because of the number of
> >  people complaining that their wordpress.com identities don't work)
> You want more identity providers?!
> Did you report the problems with WordPress.com? If you can forward me
> any recent tickets, I can look into them. I've worked with engtech a
> few times investigating the problems he has encountered.
> Thank you,
> --
> Lloyd Budd | Digital Entomologist | | Skype:foolswisdom
> WordPress.com | WordPress.org | Automattic.com

Ronald Heft, Jr.
Information Sciences and Technology
Pennsylvania State University

9rules Network
