I’ve just installed Eran Sandler’s OpenID Delegation Plugin [1]. This means that I can now use my blog URL for OpenID authentication. I’ve also included the plugin in my WordPress repository (which among other things has the latest version of WordPress). One thing that I consider to be a bug in Eran’s plugin is the fact that it only adds the OpenID links to the main URL. This means that for example if I write a blog comment and want to refer to one of my own blog posts on the same topic (which is reasonably common – after more than two years of blogging and almost 700 posts I’ve probably written a post that is related to every topic I might want to comment on) then I can’t put the comment in the URL field. The problem here is that URLs in the body of a blog comment generally increase the spam-score (I use this term loosely to refer to a variety of anti-spam measures – I am not aware of anything like SpamAssassin being used on blog comments), and not having OpenID registration also does the same. So it seems that with the current functionality of Eran’s plugin I will potentially suffer in some way any time I want to enter a blog comment that refers to a particular post I wrote.
deb http://www.coker.com.au etch wordpress
My WordPress Debian repository is currently available with the above APT repository. While it specifies etch it works with Lenny too (my blog currently runs on Lenny). I will eventually change it to use lenny in the name.
For the OpenID server I am currently using the OpenID service provided by Yubico as part of the support for their Yubikey authentication token [2] (of which I will write more at a later date). I think that running their own OpenID server was a great idea, it doesn’t cost much to run such a service and it gives customers an immediate way of using their key. I expect that there are more than a few people who would be prepared to buy a Yubikey for the sole purpose of OpenID authentication and signing in to a blog server (which can also be via OpenID if you want to do it that way). I plan to use my Yubikey for logging in to my blog, but I still have to figure out the best way of doing it.
One thing that has been discussed periodically over the years has been the topic of using smart-cards (or some similar devices) for accessing Debian servers and securing access to GPG keys used for Debian work by developers who are traveling. Based on recent events I would hazard a guess that such discussions are happening within the Fedora project and within Red Hat right now (if I worked for Red Hat I would be advocating such things). It seems that when such an idea is adopted a logical extension is to support services that users want such as OpenID at the same time, if nothing else it will make people more prone to use such devices.
Disclaimer: Yubico gave me a free Yubikey for the purpose of review.
Update: The OpenIDEnabled.com tool to test OpenID is useful when implementing such things [3].
OpenID is nice for things like blogs or wikis, where it basically doesnt matter if you are really who you claim to be.
As soon as it gets anything more serious (think of db.debian.org, your bank account, etc.) openid is just useless. It doesn’t provide any of the features you want there, and from its design it can’t.
If you are using OpenID as a way to declare ownership of a web page, then I guess the delegation plugin could be considered buggy.
If you want an OpenID to log into other sites, then only activating it for a single URL is correct.
If you want multiple identities, then there are better solutions than tying them to individual blog posts.
Ganneff: I agree that OpenID is not suitable for db.debian.org. But there is no reason why the same back-end authentication method couldn’t be used for both db.debian.org and OpenID.
Just figured I’d note that the latest version (v3.0) of the wp-openid plugin now includes support for providing OpenIDs natively using your WordPress account, or by delegating to another OpenID provider. You don’t need a separate plugin to handle delegation any longer.