tags:

views:

447

answers:

8
+6  Q: 

OpenID Migration

I'm curious about OpenID. While I agree that the idea of unified credentials is great, I have a few reservations. What is to prevent an OpenID provider from going crazy and holding the OpenID accounts they have hostage until you pay $n? If I decide I don't like the provider I'm with this there a way to migrate to a different provider with out losing all my information at various sites?

Edit: I feel like my question is being misunderstood. It has been said that I can simple create a delegation and this is partially true. I can do this if I haven't already created an account at, for example, SO. If I decide to set up my own OpenID provider at some point, there is no way that I can see to move and keep my account information. That is the sort of think I was wondering about.

Second Edit: I see that there is a uservoice about adding this to SO. http://stackoverflow.uservoice.com/pages/general/suggestions/16685

+1  A: 

This may help: OpenID

Ian P  2008-09-17 00:06:55
A: 

What is the guarantee of these things not happening with any other site or provider? You have to trust certain organizations every once in a while. Otherwise you better bury your money in a mason jar in the backyard.

Geoffrey Chetwood  2008-09-17 00:06:59
But then I cant trust the gardener.
Unkwntech  2008-09-17 00:25:31
Or the butler in the dining room with the candle stick?
Geoffrey Chetwood  2008-09-17 00:37:27
+3  A: 

Nothing prevents the provider from holding your account to ransom. You should pick a provider that you know to be reliable. Or, if you trust nobody but yourself, you can be your own provider:

http://wiki.openid.net/Run_your_own_identity_server

Lamah  2008-09-17 00:07:28
+8  A: 

This is why you can use OpenID delegation, i.e. you set up two META tags on your personal website and then you can use that site's URL as an alias for your current OpenID provider of choice. Should it get unfriendly you just switch to another and update your tags.

Additionally you can always operate your own OpenID identity provider (if you have a server with, for example, a web server and PHP on it). I use phpMyID for this.

Update: regarding the updated question: OpenID consumers (sites where you log in using OpenID) may allow you to switch the OpenID used for sign-on at their discretion. Sourceforge, for example, does. To prevent problems it's best to use delegation right from the start. Otherwise this is a necessary limitation imposed by OpenID's design.

Jan Krüger  2008-09-17 00:08:45
I don't even have an openID with a provider, I just use phpMyID and keep my info in my control, I don't ever have to worry about a provider disapearing, or being down.
Unkwntech  2008-09-17 00:24:50
Yeah, that's being your own provider, as I suggested. I'm doing the same. I also do delegation for a friendlier-looking OpenID.
Jan Krüger  2008-09-17 00:41:33
A: 

I think you might be mixing free-market providers with governments. Latter abuse their power because you got nobody else to go to (try to get an "alternative" passport). Since the OpenID prividers have competition, you can always leave one provider and go to another.

galets  2008-09-17 00:26:02
A: 

A site that implements OpenID authentication in a good way would allow you to switch your ID to another URL or to specify a secondary ID in cases when your primary provider happens to be down.

Currently, most sites still don't have this option, and yes -- if our OpenID providers would delete our accounts one day, we'd have trouble getting to our accounts on some sites. We trust them in not denying us the service.

mislav  2008-09-17 01:11:17
+2  A: 

There's no way to stop Google from holding my gmail inbox hostage until I pay them $n. It's a trust thing, I guess.

 2008-09-17 01:13:44
You can, and you should, use a email client so you do not depend on google. The only thing he could do would be keeping your email address, and you can change it quite easily.
e-satis  2009-12-09 17:37:55
+5  A: 

It's an OpenID relying party best practice to allow multiple OpenIDs to be associated with a single account.

It's also an OpenID relying party best practice to allow people to recover their accounts without access to their old OpenID.

If Stack Overflow doesn't do these things, then this is a shortcoming of Stack Overflow, not OpenID.

Jim  2008-09-17 01:19:20

related questions

how to get login credentials by openId?
PHP Tutorial for OpenId and OAuth
OpenID login workflow?
OpenID support for Ruby on Rails application
Using OpenID for both .NET/Windows and PHP/Linux/Apache web sites
What is the benefit of using ONLY OpenID authentication on a site?
Problems with migrating Cardspace cards between computers
secure way to authenticate administrator in ASP.NET site using OpenID with DotNetOpenID
How do I enable open id on a Java Webapp?
What would it take to make OpenID mainstream?
What's the best .NET library for OpenID and ASP.NET MVC?
Useful browser plugins for openid authentication?
How do I implement an OpenID server in Rails?
How do I implement OpenID in my web application?
Why is HTML form redirection used in OpenID 2?
How do you set up an OpenID provider (server) in Ubuntu?
OpenID as a Single Sign On option??
Should my website abandon username/password authentication in favor of OpenID?
OpenID authentication in ASP.NET?
Open ID - What happens when you decide you don't like your existing provider?
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
How do I use more than one OpenID?