OpenID in India - What stops you from using OpenID?

Dear OpenID Community,

I have been working with Snorri, Founder of OpenID EU Foundation to promote OpenID in India. Haven't had much head way yet, but we are looking to collect information on why do startups not want to support OpenID. Can you help us reach all the guys by passing on the following post to them?

What stops you from using OpenID?

This is a question for all those website owners in India, who have been around for a while, and those who have started new ventures recently. Let me list down possible reasons I can think of, as if I were to own a website targeted towards Indians

1. Indian users dont know what OpenID is
2. Your traffic is reluctant to use a URL as a username, they are just more comfortable with the old traditional way of having a user name and password
3. You, the website owner, wants to build a user base. And users signing in via an OpenID aren't really users that you own (Or atleast thats what you think?)
4. You don't trust that OpenID provider is secure enough. You are responsible for any user data, and don't want the third-party provider to be involved in how secure your user data is
5. OpenID implementation is very complicated

I would somewhat agree to the first reason that all Indian users might not know what OpenID is. But some would — and after all you still have the old traditional registration form on your website for those users, right? I would disagree with point 2, because users who are aware of what OpenID is, of how much pain it saves you, wouldn't mind using it.

I would totally disagree with point 3, but that seems to be the most popular reason in my discussions with various people. A new user signing in with his or her OpenID is still a new user for you! And its even more simple for the user, removing the yet-another-registration-form barrier. I would argue that OpenID is actually a big positive when it comes to acquiring new users!

With the same argument, point 4 is also not totally valid! A user understands who to trust, and build up that trust over time. With big players like Yahoo providing OpenID, I think this barrier is gone.

And if you say OpenID implementation is complicated, you need to look around. The developers section on openid.net could be a good starting point.

Do you have more points explaining what will it take for you to implement OpenID support for your users? Do you have any more pain points? Tell us! Lets discuss and solve these barriers! I invite you all to send feedback, either via comments on this blog post, or via email to jeetu [at] openid [dot] in

Read more at http://openid.in/2008/05/18/what-stops-you-from-using-openid/


--
Regards,
Jeetu
http://www.cse.iitb.ac.in/~jeetu
http://apps.facebook.com/myorkut/

"Reality is merely an illusion, albeit a very persistent one."
_______________________________________________
general mailing list
general@...
http://openid.net/mailman/listinfo/general

Jeetendra Mirchandani:

This is a question for all those website owners in India, who have been around for a while, and those who have started new ventures recently. Let me list down possible reasons I can think of, as if I were to own a website targeted towards Indians

All of the above might be correct (from the point of view of the web site owners of course). Here my $0.02....

1. Indian users dont know what OpenID is

Very likely! Isn't this the reason for your foundation and mission thereof?

1. Your traffic is reluctant to use a URL as a username, they are just more comfortable with the old traditional way of having a user name and password
2. You, the website owner, wants to build a user base. And users signing in via an OpenID aren't really users that you own (Or atleast thats what you think?)

From the user perspective that's certainly not really valid. For OpenID users, when offered OpenID login on a site they are more willing to register then without. It's only the authentication which is "outsourced" not the user base itself. That's a point which needs education perhaps.

1. You don't trust that OpenID provider is secure enough. You are responsible for any user data, and don't want the third-party provider to be involved in how secure your user data is

Allow only providers you trust. It's easy as that.

1. OpenID implementation is very complicated

This is a valid point and most popular blogs, forums require some extra work to have OpenID login. Certainly for implementing your own login facility. Until the big web applications don't ship OpenID built-in (like WordPress, Phpbb forum, wikimedia) this is a hurdle.

With the same argument, point 4 is also not totally valid! A user understands who to trust, and build up that trust over time. With big players like Yahoo providing OpenID, I think this barrier is gone.

I don't view Yahoo as a secure provider, sorry.

And if you say OpenID implementation is complicated, you need to look around. The developers section on openid.net could be a good starting point.

That's a lame argument. For many implementation is impossible or very burdensome. See above...the most popular web applications need to ship OpenID built-in!



_______________________________________________
general mailing list
general@...
http://openid.net/mailman/listinfo/general

_______________________________________________
general mailing list
general@...
http://openid.net/mailman/listinfo/general

_______________________________________________
general mailing list
general@...
http://openid.net/mailman/listinfo/general

>If you use one OpenID account to go to two hundred sites, the thief
>who steals your OpenID credentials gains access to any of the 200
>sites.

It's worse than this, actually. Unless the OP specifically *prevents*
it, you can go to *any* OpenID-supporting site, even one other than
one of the 200 you were previously accessing! And if they've gained
access to your credentials with the OP, they may have also gained
access to whatever authorization mechanism you were using to say
"Yes, it's okay to add another site to the list."

This goes together with privacy issues; do you *want* the OP to keep
track of sites you've logged into before, and how recently, even if
only to display to "you"? Because, keep in mind, if the RP the thief
has logged into *is* respecting your privacy, they probably *won't*
publish a list of users that have logged in with OpenID - and if the
privileges gained thereby have resulted which are not archived by
Google, you may *never* find out. On the other hand, a thief who
steals your OP credentials may be able to find out where you've been
in the past.

>2)     Privacy issue - With open ID the identity provider can track
>all your login and usage history. This in itself is a grave concern
>for internet users. XeQure architecture is different and it does not
>control the way user moves on a third party website.

Neither does OpenID - nor does OpenID track usage. It tracks login,
but what the user does on that site afterward is not transmitted to
the OP (though it may use checkid_immediate for some actions, which
*could* track *some* uses).

>3)     No Patent -Open ID is a free framework (without any patent ),
>which can be implemented by anyone (even hackers and phishers), this
>makes it very vulnerable for hackers and users tend to have limited
>trust in such applications. No wonder the user base is still very
>low for it.

Uh. What about, oh, ANY open-source software, then?

Consider: there is NO power which can prevent hackers or phishers
from implementing a "patented" technology. This is not the function
of a patent. There may be legal repercussions to such an
implementation, but why would this matter to someone who intends to
break multiple laws anyway?

Yet somehow, none of this has managed to effectively limit the trust
users have in such applications, OR render those applications more
vulnerable to hackers - indeed, open-source applications tend to be
LESS vulnerable to hackers, because the mechanisms are open to peer
review and peer repair, instead of using proprietary standards and
relying on "security through obscurity".

>It has many steps on each login and it is not a true single click sign on

This may be exaggerated a bit - many of these steps can be executed
transparently to the user, appearing to be a single invisible
process. Most of it takes place behind the scenes, just as the user's
web browser does not print out messages to them every step of the way
when connecting to other web sites;

- Host unknown: XeQure.com
- Normalizing URL: xequre.com
- Host (xequre.com) not found in DNS cache. Looking up DNS entry.
- Contacting cached DNS server at ##.###.###.##
- Entry not found, receiving IP address for next level DNS server.
- Contacting DNS server at ###.##.###.##
- Entry found, receiving IP address for xequre.com
- Connecting to ###.##.##.### (xequre.com), port 80
- Connection established! Sending GET / HTTP/1.1
- Sending Host: xequre.com
- Newline sent. Awaiting response from xequre.com
- Response received! Redirection header detected.
- Redirecting to xequre.com/main.php
- Host (xequre.com) found in DNS cache.
- Connecting to ###.##.##.### (xequre.com), port 80
- Connection established! Sending GET /home.php HTTP/1.1
- Sending Host: xequre.com
- Newline sent. Awaiting response from xequre.com
- Response received! Unknown Content-Type header: text/php
- Loading page as default Content-Type text/plain
- http-equiv=Content-Type header detected in HTML!
- Reloading page as text/html
- xequre.com response complete! Finish loading page.

I fudged a bit (xequre.com doesn't actually redirect to main.php),
but it occurs often enough to assume regular users will encounter
this behavior. Anyway, you get the idea - LOTS can happen "behind the
scenes" that a user does not need to be aware of, and OpenID does not
require any special technology; it utilizes the same Redirect
mechanism that I described above!

>5)     Multiple user account login - What if user has multiple
>accounts to say Google. He/she will still have to remember all the
>URIs to login to different accounts. Open ID falls short of a true
>SSO(Single sign on) to all user accounts.

That's a problem with Google, not with OpenID - consolidation of
different accounts (uniting them under one Identity^1) is a feature
that MAY be implemented by each RP, but only at that RP's *option*.
Technically the OpenID specs do allow you to initiate login from the
OP side, without starting to log in at the RP, so an OP could offer
(as one of its own features) a "bookmark" that would get you started
with logging in at the appropriate account for Google or wherever.
But whatever SSO you are using, if each of your different accounts
with Google has a different URI, you'd have to remember all those
URI's *anyway* - that has nothing to do with OpenID!

Though, since the complaint here *is* "URI" rather than "username",
we may benefit from a reminder that the user is not required to use a
different OpenID for each of their Google accounts ;)

^1: And this Identity needn't even be OpenID - if the site wants to
use an incrementing number to keep track of its users internally, and
allow the user to designate one account as the "super-user" account
from which the user can temporarily switch to any other account they
have on the system, the OpenID login process can easily be hooked
into this, allowing the user to log into their "super-user" account
using their regular username/password combination *or* OpenID instead.

-Shade
_______________________________________________
general mailing list
general@...
http://openid.net/mailman/listinfo/general

Dear Shade,

I open soon a WIKI to create a FAQ with all this
questions/arguments/benefits/marketing texts...

You're welcome!

Thanks

-Snorri

-----Message d'origine-----
De : SitG Admin [mailto:sysadmin@...]
Envoyé : jeudi 26 juin 2008 08:38
À : Snorri
Cc : general@...
Objet : Re: [OpenID] OpenID in India - What stops you from using OpenID?

>If you use one OpenID account to go to two hundred sites, the thief
>who steals your OpenID credentials gains access to any of the 200
>sites.

It's worse than this, actually. Unless the OP specifically *prevents*
it, you can go to *any* OpenID-supporting site, even one other than
one of the 200 you were previously accessing! And if they've gained
access to your credentials with the OP, they may have also gained
access to whatever authorization mechanism you were using to say
"Yes, it's okay to add another site to the list."

This goes together with privacy issues; do you *want* the OP to keep
track of sites you've logged into before, and how recently, even if
only to display to "you"? Because, keep in mind, if the RP the thief
has logged into *is* respecting your privacy, they probably *won't*
publish a list of users that have logged in with OpenID - and if the
privileges gained thereby have resulted which are not archived by
Google, you may *never* find out. On the other hand, a thief who
steals your OP credentials may be able to find out where you've been
in the past.

>2)     Privacy issue - With open ID the identity provider can track
>all your login and usage history. This in itself is a grave concern
>for internet users. XeQure architecture is different and it does not
>control the way user moves on a third party website.

Neither does OpenID - nor does OpenID track usage. It tracks login,
but what the user does on that site afterward is not transmitted to
the OP (though it may use checkid_immediate for some actions, which
*could* track *some* uses).

>3)     No Patent -Open ID is a free framework (without any patent ),
>which can be implemented by anyone (even hackers and phishers), this
>makes it very vulnerable for hackers and users tend to have limited
>trust in such applications. No wonder the user base is still very
>low for it.

Uh. What about, oh, ANY open-source software, then?

Consider: there is NO power which can prevent hackers or phishers
from implementing a "patented" technology. This is not the function
of a patent. There may be legal repercussions to such an
implementation, but why would this matter to someone who intends to
break multiple laws anyway?

Yet somehow, none of this has managed to effectively limit the trust
users have in such applications, OR render those applications more
vulnerable to hackers - indeed, open-source applications tend to be
LESS vulnerable to hackers, because the mechanisms are open to peer
review and peer repair, instead of using proprietary standards and
relying on "security through obscurity".

>It has many steps on each login and it is not a true single click sign on

This may be exaggerated a bit - many of these steps can be executed
transparently to the user, appearing to be a single invisible
process. Most of it takes place behind the scenes, just as the user's
web browser does not print out messages to them every step of the way
when connecting to other web sites;

- Host unknown: XeQure.com
- Normalizing URL: xequre.com
- Host (xequre.com) not found in DNS cache. Looking up DNS entry.
- Contacting cached DNS server at ##.###.###.##
- Entry not found, receiving IP address for next level DNS server.
- Contacting DNS server at ###.##.###.##
- Entry found, receiving IP address for xequre.com
- Connecting to ###.##.##.### (xequre.com), port 80
- Connection established! Sending GET / HTTP/1.1
- Sending Host: xequre.com
- Newline sent. Awaiting response from xequre.com
- Response received! Redirection header detected.
- Redirecting to xequre.com/main.php
- Host (xequre.com) found in DNS cache.
- Connecting to ###.##.##.### (xequre.com), port 80
- Connection established! Sending GET /home.php HTTP/1.1
- Sending Host: xequre.com
- Newline sent. Awaiting response from xequre.com
- Response received! Unknown Content-Type header: text/php
- Loading page as default Content-Type text/plain
- http-equiv=Content-Type header detected in HTML!
- Reloading page as text/html
- xequre.com response complete! Finish loading page.

I fudged a bit (xequre.com doesn't actually redirect to main.php),
but it occurs often enough to assume regular users will encounter
this behavior. Anyway, you get the idea - LOTS can happen "behind the
scenes" that a user does not need to be aware of, and OpenID does not
require any special technology; it utilizes the same Redirect
mechanism that I described above!

>5)     Multiple user account login - What if user has multiple
>accounts to say Google. He/she will still have to remember all the
>URIs to login to different accounts. Open ID falls short of a true
>SSO(Single sign on) to all user accounts.

That's a problem with Google, not with OpenID - consolidation of
different accounts (uniting them under one Identity^1) is a feature
that MAY be implemented by each RP, but only at that RP's *option*.
Technically the OpenID specs do allow you to initiate login from the
OP side, without starting to log in at the RP, so an OP could offer
(as one of its own features) a "bookmark" that would get you started
with logging in at the appropriate account for Google or wherever.
But whatever SSO you are using, if each of your different accounts
with Google has a different URI, you'd have to remember all those
URI's *anyway* - that has nothing to do with OpenID!

Though, since the complaint here *is* "URI" rather than "username",
we may benefit from a reminder that the user is not required to use a
different OpenID for each of their Google accounts ;)

^1: And this Identity needn't even be OpenID - if the site wants to
use an incrementing number to keep track of its users internally, and
allow the user to designate one account as the "super-user" account
from which the user can temporarily switch to any other account they
have on the system, the OpenID login process can easily be hooked
into this, allowing the user to log into their "super-user" account
using their regular username/password combination *or* OpenID instead.

-Shade


_______________________________________________
general mailing list
general@...
http://openid.net/mailman/listinfo/general

2008/6/26 SitG Admin <sysadmin@...>:
There are pros and cons, of course. Choosing an OP is like choosing
your bank - it's about trust. And risks. You have several credit cards
with different limits to protect you from 'bad RP'-s (rogue
restaurants stealing your credit cards in mysterious places).

It is much easier to trust ONE place (OP)  with your private data and
authentication credentials than 200 websites you visit not to leak its
badly protected database which would leak your usernames and weak,
repeating passwords, which many people use all over the internet..



>>3)     No Patent -Open ID is a free framework (without any patent ),
>>which can be implemented by anyone (even hackers and phishers), this
>>makes it very vulnerable for hackers and users tend to have limited
>>trust in such applications. No wonder the user base is still very
>>low for it.

It's only a matter of time before any closed or 'patented' technology
is broken by some curious good or malicious bad guy. I don't
understand how a patented or not-free technology could catch up faster
than a open and free one? Make a test. Have a party with free beer and
10€/pint beer and see which has a bigger user base.


>>5)     Multiple user account login - What if user has multiple
>>accounts to say Google. He/she will still have to remember all the
>>URIs to login to different accounts. Open ID falls short of a true
>>SSO(Single sign on) to all user accounts.
>
> That's a problem with Google, not with OpenID -

In case Google here is the OP with what the user has multiple accounts
(URIs) with, this scenario is mitigated with OpenID 2.0 and directed
identity feature.

--
Martin Paljak
martin@...
http://martin.paljak.pri.ee
GSM:+3725156495
_______________________________________________
general mailing list
general@...
http://openid.net/mailman/listinfo/general

On 26-Jun-08, at 7:57 AM, Martin Paljak wrote:
Bad example. The free beer party will have any yahoo (pun intended)  
looking for free beer. The party where people pay will have people  
there because they want to be there. Your test demonstrates the value  
of paying for something. I don't think that is what you intended.

wrt. patents: there likely are numerous patents that read on the  
OpenID specs

I agree conclusion (3) is perplexing. From what I have seen, the web  
is a pretty big userbase and it is a free framework.

-- Dick

_______________________________________________
general mailing list
general@...
http://openid.net/mailman/listinfo/general

2008/6/26 Dick Hardt <dick@...>:
Agreed, that was not clear enough.

What I wanted to say that "no patents -> not secure -> no users" does not apply.

Patents (in theory) are used to protect a market position or to
monetize on the "idea". Either way it is enforced when somebody
decides it is time to put the patent into use and enforcing usually
means getting $$$.

Anyway, if you had a party with free beer you'd be asking for trouble
with drunkards looking for booze. BUT if you were to make your beer
decision between two options:

If you had a party with cheap pilsner for free and some kickass
Belgian ale for 10$ I would understand if some (beer fanatic or just
elitist) people would go for the 10$ refresher. If you offered real
piss for free and good ale for 10$, 10$ might win the heart of many.
If you offered piss for free and drinkable pilsner for 10$.. well... I
would find some other party!

I'd place OpenID somewhere in the 'strange drinkable export premium' class ;)

I'd like to demonstrate, that people would go for "expensive and good"
(== "patented and secure") only if there is no other option or if they
eat up the marketing.

Martin.
_______________________________________________
general mailing list
general@...
http://openid.net/mailman/listinfo/general

>I open soon a WIKI to create a FAQ with all this
>questions/arguments/benefits/marketing texts...

As long as I can log in to the wiki with my OpenID ;)

-Shade
_______________________________________________
general mailing list
general@...
http://openid.net/mailman/listinfo/general