Posts tagged openid

Ma.gnolia FAIL, Or: Rendering OpenID Useless

I can’t really remember the other few sites where I’ve seen this, but Ma.gnolia’s newly added OpenID support is a good example of how not to implement OpenID.

So I go there to register an account, and sure enough, I find an OpenID form.

Ma.gnolia OpenID form #1

I click the button, allow Ma.gnolia to use my ID, and end up here:

Ma.gnolia OpenID form #2

Umm, yeah… but no. I used my OpenID so I do not have to think about new usernames. I believe that asking me to come up with a unique username completely defies the concept of OpenID. Using OpenID in this form is like having a story line in a porn movie. Sure, you can boast that your movie has a plot, but who cares? It’s still just a smutty flick.

Somehow I think that one of us two isn’t completely understanding the concept of OpenID. Is it me?

(Disclaimer: I am not discussing the overall quality of Ma.gnolia here. I don’t use it. Others do and seem to like it, so I have no opinion in that regard.)

Pownce

Yeah, I’m in. Thanks to Hendrik for the invite. I guess.

It’s strange. After two days of more or less using it I am still unable to say if it’s cool or “just too much”. Hmm.

One thought that crossed my mind when signing up: “I wish it had OpenID support.” Now, to me, that says more about OpenID than Pownce. :P

Wordpress plugin troubles: Gravatars vs. OpenID

So Robert notified me that his Gravatar didn’t show up in my comments. After some debugging I found and fixed the problem.

The Gravatars plugin works fine with the default comments, but not with the wpopenid / WP-OpenID+ plugin. Son of a Perl script!

Turns out gravatars2.php only checks for the known comment types: comment_type comment, comment_type trackback, comment_type pingback. Comments made using an OpenID account (on Wordpress installs with the aforementioned OpenID plugins enabled) are saved with comment_type openid. Aha!

So here’s the fix: in gravatars2.php (you know where to look for it), search for

bc. if (('' == $comment->comment_type) || ('comment' == $comment->comment_type)) {

and replace it with

bc. if (('' == $comment->comment_type) || ('comment' == $comment->comment_type) || ('openid' == $comment->comment_type)) {

There are two occurrences. (The line breaks are usually not there, it’s all on one line.) Change, save, and that’s it.

Tip of the hat goes to Robert for pointing out the bug, and narrowing it down. Appreciated! :)

OpenID & CardSpace

Oiy. Microsoft announces interoperability between CardSpace and OpenID:

On the heels of the Windows® CardSpace™ general availability launch in Windows Vista™, Microsoft demonstrated momentum with industry partners that are working to apply this technology to help consumers realize a more confident online experience. This includes the announcement of collaboration on use of Windows CardSpace with the OpenID 2.0 specification. Through the support of the WS-Trust-based Windows CardSpace experience, consumers can take advantage of increased security against phishing attacks without adding complexity to their identity management experience.

Some clarifications and what it all means by JanRain CEO Scott Kveton [via]:

JanRain will never require users of our libraries or services to use Windows CardSpace™. We offer support for this technology as another option for users much like using our Safe SignIn and Personal Icon technologies on MyOpenID.com. We’ll also continue to support the OpenID efforts going on with Mozilla and Firefox.

(For more meat, read Scott’s blog post.)

It’s still sinking in at this point, but damn, this is big.

Penny Arcade vs. Jyte.com

Okay, so the subject is a bit misleading. The thing is, see, I made this claim about Penny Arcade over at Jyte, and it seems like nobody really agrees. Which makes me sad. Look:

Right now the score is 1 pro, 3 contra—I don’t like that. Go vote. If you have an OpenID. If not, get one (it’s free anyways), then vote.

Post It #11, OpenID Edition

idproxy.net walkthrough. OpenID as easy as 1,2,3 [via]

Jyte launched. Interesting stuff. Has profiles and everything! I’m still trying to figure out what to do with it or even what it is, generally speaking. In the meantime, here is my profile.

Post It #9

Yahoo! meets OpenID. Simon Willison just released his new site, idproxy.net. Basically it’s a wrapper to “transform” your Yahoo! ID into an OpenID. (To put it simply.) It’s making use of Yahoo!’s BBAuth system, and it’s quite nice. Not perfect and fully fleshed out yet, but cool already. And hey, it is secured by monsters!

Buy MS Vista. Seriously, there are so many versions, there’s something for everyone.

Spring? The snow is melting, the sun is out, and we just got back from Lehner’s where we had some excellent Kaiserschmarrn. Life is good.

Post It #6

BookmarkID? Ka-Ping Yee came up with a funny idea on how to battle phishing using browser bookmarks.

Google Earth Space Art. [via Mr. Willison] Space Invaders on Google Maps/Earth. Great. :)

Amen. Mr. Alfke, you’re absolutely right:

“[A]nyone who’ll voluntarily use ‘vi’ in the 21st century will put up with anything. [..] And that goes for ‘emacs’ too [..] I thought emacs was really cool, in 1986. That’s when it was really cool to have a DEC VT220 terminal in my dorm room with a 9600 baud connection to a VAX running BSD 4.3.”

Frag Mama! Michl is in the SZ-Magazin! What a hit. I was quite surprised when I saw him there. Boy, you’re going to make something of yourself yet!

Social whitelisting with OpenID, my take

When I read Simon’s proposal about social whitelisting with OpenID this morning, I was immediately intrigued by the idea. Basically, he’s suggesting that by whitelisting trusted OpenIDs, sharing these lists among peers, and using them to decide whether to place a new comment on your own blog in a moderation queue or not, a group of people could build a working, trust-based protection against comment spam(mers).

Go read. It’s good stuff. I’ll wait.

[…]

Welcome back.

Now, I was pondering this while walking home from the bus. Mainly, I was thinking how to make this approach technically feasible. I doubt anyone would be willing to manually collect all the whitelists of his peers by hand. Well, at least I wouldn’t be. So, a polling mechanism would be needed.

Let’s say you have a cronjob gizmo that polls your peers’ whitelists once a day. I think in order to end up with a working implementation that doesn’t require much work or time once built, we’d need to come up with a standardized URL scheme. This would allow for simple inclusion of new trusted sources. For example, my whitelist would be accessible under http://carlo.zottmann.org/trust/whitelist/ (example, my OpenID is carlo.zottmann.org, but the URL is not working right now). Yours would be stored at http://[OpenID]/trust/whitelist/.

Now if I decide to trust another netizen’s judgement when it comes to other people, I’d simply add her/his OpenID (for example, http://my.open.id.omg/) to my imaginary polling mechanism, which would know where to look for the whitelist—at http://[OpenID]/trust/whitelist/, in our case that’d mean http://my.open.id.omg/trust/whitelist/.

Of course this implies that you have added OpenID delegation to your blog/site. Now if you move to another ID provider, you’d simply adjust the delegation, your ID would stay the same. As would the whitelist URL. You could even place it on another machine, as long as the URL remains the same—http://[OpenID]/trust/whitelist/.

Now, when you decide I’m totally out of my mind after making a few bad choices about who to include in my whitelist, you’d simply “unsubscribe” from my whitelist, and that’d be it. On the next caching run our imaginary mechanism would weed out my list of trusted OpenIDs.
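The polling run described above, sketched as an added example (not code from the original post): it derives each peer's whitelist URL from the post's http://[OpenID]/trust/whitelist/ scheme, records which peer vouched for each ID, and rebuilds the cache on every run so that unsubscribing weeds a peer's entries out. The list format (text/plain, one OpenID per line), the function names and the `fetch` callable are assumptions.

```python
from urllib.parse import urlsplit

def normalize(openid):
    """Canonical OpenID URL: default scheme, lowercase host, trailing slash."""
    openid = openid.strip()
    if "://" not in openid:
        openid = "http://" + openid
    parts = urlsplit(openid)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an OpenID URL: %r" % openid)
    host = parts.hostname + (":%d" % parts.port if parts.port else "")
    return "%s://%s%s/" % (parts.scheme, host, parts.path.rstrip("/"))

def whitelist_url(openid):
    """The post's fixed location: http://[OpenID]/trust/whitelist/"""
    return normalize(openid) + "trust/whitelist/"

def parse_whitelist(text, limit=1000):
    """Assumed format: text/plain, one OpenID per line, '#' lines are comments."""
    ids = set()
    for line in text.splitlines()[:limit]:   # cap what one peer can inject
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ids.add(normalize(line))
        except ValueError:
            pass                              # ignore junk instead of trusting it
    return ids

def poll(subscriptions, fetch):
    """One caching run -> {trusted OpenID: set of peers who vouch for it}.
    Rebuilt from scratch each run, so unsubscribing from a peer drops every
    entry only that peer supplied. Lists are not followed transitively."""
    trusted = {}
    for peer in map(normalize, subscriptions):
        try:
            body = fetch(whitelist_url(peer))
        except OSError:
            continue                          # unreachable peer adds nothing
        for openid in parse_whitelist(body):
            trusted.setdefault(openid, set()).add(peer)
    return trusted

def needs_moderation(commenter, trusted):
    try:
        return normalize(commenter) not in trusted
    except ValueError:
        return True                           # unparseable identity: moderate
```

`fetch` is any callable that takes a URL and returns the response body as text, raising `OSError` on failure. Keeping the set of vouching peers per ID shows whose judgement let a given commenter through, which is what you need to know before deciding to unsubscribe from someone.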

Another idea would be something like feed autodiscovery, but for whitelists, although I’m not so sure about that. This would probably allow for more flexible implementation; then again I don’t find the idea of adding the line <link rel="alternate" type="text/plain" href="http://carlo.zottmann.org/trust/whitelist/"/> (example) to my header each and every time I decide to try a new Wordpress theme appealing. (Maybe I should switch to another blogging engine, but yeah… you know how it is.) A simple standardized URL would be, well, simpler. Of course that’s a personal opinion. Update: Mike is absolutely right (see comments), it’s silly to mention delegation while turning down the idea of whitelist autodiscovery. I somehow still prefer the notion of having a default location.

Well, it’s just an idea. I’m probably not the first to think about it, but as I’ve said, I promised myself I’d write about those things this year, instead of just mumbling inaudibly while riding the bus home.

Opinions?

Follow-up To “teh shiny” Rant

Apparently, for whatever reason, people came here and read my mad rant about Jabber, OpenID And “teh shiny”. To be perfectly honest, I was somewhat surprised about that. Anyways, allow me to address some responses.

Peter Saint-Andre answered with some interesting numbers. (He is Executive Director of the XMPP Standards Foundation, Director of Standards at Jabber Inc., Chair of the XMPP Council, and managing editor of the standards process followed by the XMPP Standards Foundation.)

[T]here are 40-50 million people using Jabber technologies these days, but most of them probably don’t even know it since they think they’re using Google Talk, Live Journal Talk, Chikka, IM services from NTT or BellSouth or Gizmo or whomever, presence services like Jaiku and Twitter, etc. Or they work for FedEx or HP or Adobe or EDS or just about any Wall Street bank and those companies all use Jabber for their in-house IM service. Or they’re in the Marines or work for some other government agency that has deployed Jabber. Or they’re using something that doesn’t even look like IM because it’s in fact a network monitoring service or workflow system or whiteboarding app that just happens to use the Extensible Messaging and Presence Protocol to send around some XML in real time. Or. Well, you get the picture. Jabber/XMPP is fundamentally infrastructure, not a shiny client. Think HTTP, not Firefox.

Very good point, and very good numbers. (Seriously, I am actually, truly wow’ed.) And I apologize for me not mentioning the infrastructure part. It is part of XMPP, of course, but I was talking about wide-spread adoption of XMPP/Jabber by the average IM user. XMPP is a superior protocol in my eyes, and I was wondering why it didn’t take the public IM landscape by storm. That said, as impressive as these numbers are, in my eyes corporate or governmental clients and services really count, mostly because in these cases the employer (be it a company or a country) dictates which client to use. Now if all these people would use XMPP IM clients at home as well, then that would really make a splash.

Now I was wondering why not everyone is using an IM client that uses this superior protocol, and the reason is: there is no client that does really impress the public. Now, please, don’t get me wrong: There are a lot of good Jabber clients out there that appeal to devs and geeks. Hell, I’ve used a fair share of them myself. Some of them are pretty damn cool, others not so much, and that’s okay. But now, even if you kick and scream about the awesomeness of IM client XYZ, the question remains:

“Why is Joe A. IMuser still using ICQ & Co. instead of a good, slick Jabber client?”

Think about it. We’re talking about a good selling point that is heard by the ungeeky masses.

Phil Wilson asked in the comments:

OpenID is for logging in to things. I look forward to your suggestion of a killer app for “logging in to things”. Also, your [..] comparison is fatally flawed. An IM infrastructure and protocol has a default application, an IM server and client, OpenId has, what? a login form?

I was under the impression that it was an identity management platform/protocol. But in the end, yes, that means it is for logging in to things. ;) But as I’ve said, the “killer application” for OpenID could be something quite simple. For example, being an integral part of the Wordpress standard package so every WP installation would allow OpenID authentication by default. Yes, no, maybe? Well, I don’t know…

Really, I don’t have (m)any answers. I was just going with my New Year’s resolution to blog more about what I think about. :)

Anyways: In the end, I think Mike sums it up best:

[I]n short, the public has no imagination when it comes to protocols. The fact that Skype took off has nothing at all to do with the backend communication layer, except insofar as that layer was better at getting through firewalls than anything else on the market. People used the protocol, not because of the protocol, but because of the feature the protocol enabled. When you say that Jabber will take off as soon as it has a client with some killer features, I don’t think that actually says anything about Jabber itself: you’re simply arguing for a shinier client. If Y! implemented the killer “Smilmiis” (How’s that for a name? :) ) in Messenger, people would use it. If AOL did the same, people would use it.

Well put, thank you. (The “mi”s in “Smilmiis” stand for “Mike”, I believe.)

On a personal note: I know that I often lack the ability to pinpoint what I am pondering, or where I am going with a rant. I know that. I hope that more frequent blogging and “public pondering” will help me improve that ability.

Also, I might be totally off my rocker. That’s why I tagged it with “rant”.