http://slashdot.org/yro/07/02/06/2152214.shtml
http://brad.livejournal.com/2287909.html
沒想到連Microsoft也要支持OpenID了,
(雖然凡是說到Microsoft要支援什麼標準都有點可怕 :P)
slashdot雖然一向以戰文+情緒性文章著稱,
但是好的評論確實也不少:
by Bogtha (906264) on Tuesday February 06, @07:50PM (#17914750)
>>> Going back to OpenID, all I need to do is supply my own authentication
>>> server, and I have corroborated my own identification.
Trust and identity are two different things. You're talking about trust. The fact that you can make up multiple identities doesn't matter unless you want somebody to trust one of them for something.
Trust is a big problem; moreso than identity. Furthermore, trust systems have identity as a requirement. And identity is useful outside of any advanced trust system. It makes sense to solve the identity problem first before moving on to complicated web of trust models.
The OpenID people are careful to distinguish between identity and trust. Trust is outside the scope of OpenID, but it's likely that any worthwhile trust system can be built on top of OpenID. You shouldn't use lack of trust as a basis to reject OpenID; in fact large-scale adoption of OpenID may well be helpful in developing a decent trust system.
PS: The one organisation that I expected to support OpenID much sooner than this is Google. Anybody have any ideas why they haven't jumped on board yet?
by CoughDropAddict (40792) on Tuesday February 06, @08:46PM (#17915308)
>>>Unfortunately, OpenID will utterly fail in it's task: it will never be a
>>>trustworthy source of identification.
You seem to be confused about the scope of OpenID. OpenID is not a system for tying user accounts to personal identities. It simply provides secure, distributed user accounts. It's not failing at it's task, it's failing at a task that you seem to want, but OpenID was never designed to solve.
===
Trust and identity are two different things.
也就是會在某一程度上將使用者"認證"(Auth)這個概念分成了"辨認" 跟 "求證".
這個觀念其實我覺得挺重要的, (至少原本我沒想的這麼清楚)
OpenID提供的功能只是對使用者帳號的識別(區分使用者) ,
而Trust這個問題本身不僅包含了辨認, 而且要複雜的多.
對於能不能相信使用者資料所提供的資料, 則不是OpenID所能要求的,
而是透過開發者其他的認證機制.
然而對於大多數不需或無法嚴格確認身份的Web Application來說,
OpenID其實就已經很足夠了.
而對於需要更複雜機制的Web AP, OpenID則也可以提供一個很好的起點跟架構支撐.
