[wp-hackers] Re: GSoC 2008 Proposal: Core OpenID Support

Otto otto at ottodestruct.com
Thu Mar 20 19:38:31 GMT 2008

On Thu, Mar 20, 2008 at 12:07 PM, Ronald Heft <ron at cavemonkey50.com> wrote:
>  Should someone want to authenticate comments with OpenID, that is plugin
>  territory. With core OpenID support, a plugin would only be adding the
>  proper fields to make that happen, and that plugin would then fall into the
>  disable without a problem set of plugins.
>  How does that sound?

It sounds like you'd have to do a hell of a lot of work to separate
comments from registration.

Like it or not, it's not that simple. Mere inclusion of OpenID as a
registration would have the effect of encouraging registration-only
comments and discouraging anonymous commenting. You don't need to
allow OpenID on comments to get that effect. The masses will hear
"OpenID prevents Spam" and voila. It's not true, but there's a lot of
things that aren't true that people believe. Look at how many people
think that Disabling SSID Broadcast on a wireless access point makes
it more secure. Look at how many people will *argue with you about it*
when you tell them that they're wrong and explain why.

The commenting system is generally tightly integrated with the user
login. Most themes have something to the effect of "when the user is
already logged in, don't display the name/email/url boxes". If OpenID
was there, then it actually makes sense to check the URL box and log
the user in when there is an OpenID at that URL. Otherwise, you're
letting unauthenticated users spoof possibly authenticated ones.

No, the problem is not solved by merely not enabling OpenID for
comments. The problem is inherent in the idea itself. The idea that
the people reading the blog need to be authenticated in the first
place, that's the problem. Why should the audience be authenticated?
Even when they are providing feedback, it seems like a horrible
invasion of privacy and anonymity to me. I value anonymity, I hate to
see it reduced in such a manner by OpenID.

Now, don't get me wrong. I like OpenID itself. I think it has its
uses. I'd love to log in to digg using my OpenID. I'd love to use it to
log in to slashdot, or my favorite online forums, or anywhere where I
have a username and an identity that I use on a regular basis.
Anywhere where the discussion is a multi-person forum, not a more
one-way form of communication like a blog is. So, OpenID is fine for
what it does. But it really does not fit the "blog" mold, as far as I
see it.

