azurelunatic: panic button.  (panic)
Azure Jane Lunatic (Azz) 🌺 ([personal profile] azurelunatic) wrote in [community profile] lj_refugees2010-10-14 03:54 am

OpenID: what am I not getting about this?

At various points in some of the discussions in here, I've seen some comments about OpenID that have frankly baffled me quite a bit. So I was hoping to solicit commentary and maybe I can wrap my head around this position too, even though I may not ultimately agree with it. I just want to understand where it's coming from.

More than one person has said in various parts of various discussions that Dreamwidth lets OpenID accounts do too much. I'm familiar with most of what OpenID accounts can do on both LJ and DW. I'm curious about which capabilities are too much, whether you think they also have that capability on LJ (a lot of DW's handling of OpenID is inherited from LJ), and why OpenID accounts having that capability worries you. (I'm hoping for specific reasons, but even nebulous concepts are interesting).

I know that LJ's been a bit of a "walled garden" over the years, with the ability to lock down commenting and lock down viewing, far more than most of the other blogging sites except LJ clones. I'm guessing that some of the sudden panic is related to the Facebook & Twitter integration. Facebook used to be very restricted, and now it's a privacy horror hotspot. Twitter is either wide open or totally shut, depending on your settings. Until LJ implemented Facebook Connect and Twitter OAuth, those users weren't able to sign into the site with their remote accounts, since neither Facebook Connect nor OAuth are quite compatible with OpenID yet.

There's also a related discussion about specific OpenID providers over in [site community profile] dw_suggestions, which in part came out of discussions in here:

This isn't any sort of official survey, but if it gets interesting I wouldn't be surprised to see devs and so forth drop by.
thejeopardymaze: (Default)

[personal profile] thejeopardymaze 2010-10-14 11:47 am (UTC)(link)
OpenID makes it easy for people to troll and spam, which is why it is disabled in my account. I also think it looks tacky.
kizzy: credit <user name="isapiens"> (confuzzled Hobbes)

[personal profile] kizzy 2010-10-14 12:20 pm (UTC)(link)
I'm on the fence with Open ID. On the one hand, it lets people from LJ who don't have accounts here to come over here (and yeah, for everyone on my FL there who did come over here, there are more who haven't). OTOH, as the above poster said, it can also encourage trolling/spamming BUT...if you enable the crossposting feature and have your default set to "access list only", the chances of being trolled/spammed are lessened, yes? No?

(I just woke up, so I apologize if I'm sounding convoluted)
thejeopardymaze: (Default)

[personal profile] thejeopardymaze 2010-10-15 12:47 am (UTC)(link)
If all your entries are access list only, or even access list commenting only, then unless you've got trolls or spammers amongst your access list, then your chance of getting trolled or spam is actually zero.

But not everyone wants to make a hundred percent locked entries, and might be willing to let other people off the access list comment, albeit in a screened manner.

The little OpenID spam we do get has mostly been from LJ spammers extending their tentacles over here,

All the more reason for me to avoid enabling OpenID.

Anyway, the spam problem I bet will eventually increase with time as DW gets more popular, it's the same for nearly every other social network.
travelingmonkey: Chimp w/ glasses (Default)

[personal profile] travelingmonkey 2010-10-16 02:25 pm (UTC)(link)
I agree with this comment in its entirety. I do not have, nor do I intend to have, my DW locked down. Anything that isn't especially personal, is open. And since I'm not really worried about spam right now, I have it open to all comments, but non-members see captcha & are screened. I've yet to have anyone comment who isn't a member. But as the site continues to grow more, more spam will arrive, it comes with the territory. When that time comes, I will likely be changing my settings to members, but I will not change my posting habits. I see no need to be on lockdown.
enotsola: (Default)

[personal profile] enotsola 2010-10-14 05:35 pm (UTC)(link)
Well, there is a difference "registered OpenID" people and those who haven't registeredwith their OpenID for whatever reason. I think the account level enable comments setting of everyone, registered accounts, Access List and nobody. It seems to me that there should probably be an OpenID level between everyone and registered accounts. Could that way eliminate entirely anonymous comments, but still allow unregistered users the ability to comment. One less step for LJ people to be able to start interacting here. Probably a big pain in the arse though.

[personal profile] delladea 2010-10-14 05:50 pm (UTC)(link)
If you add the OpenID's from your LJ friends list to your access list and enable comments for access list only, these people would still be able to comment on your journal. Currently, you can't have this enabled and still enable registered DW users to comment.

There is some discussion on an OpenID-specific privacy control in [site community profile] dw_suggestions.
arethinn: glowing green spiral (Default)

[personal profile] arethinn 2010-10-14 07:49 pm (UTC)(link)
If you add the OpenID's from your LJ friends list to your access list and enable comments for access list only, these people would still be able to comment on your journal.

Not an acceptable solution for precisely the reason you stated:

Currently, you can't have this enabled and still enable registered DW users to comment.

Like my husband I find it disheartening that OpenID users have to jump through hoops to not be considered "anonymous". To me the point is that the site is accepting your remote credentials and you are not anonymous. I do not wish for them to be the same as actually really registered normal DW accounts, but I think there should be another level in between there.

[personal profile] delladea 2010-10-14 08:48 pm (UTC)(link)
I didn't see the link to the same discussion in the OP before I posted my comment (maybe it wasn't there before, not sure). My apologies if that seemed unhelpful to the discussion.

And I had a comment written about why it should be implemented, but I refreshed the page and [personal profile] yvi has declared that a dev claimed the project. Back to work for me! :)
moem: A computer drawing that looks like me. (Default)

[personal profile] moem 2010-10-15 01:53 am (UTC)(link)
I find it disheartening that OpenID users have to jump through hoops to not be considered "anonymous"
I agree. It should be a lot easier than it is now in order for my LJ friends to even try commenting on my entries here. The way it is now, I'll never get them to do it.
travelingmonkey: Big Bang Theory; Sheldon "somebody touched my board." (bbt_touchedBoard)

[personal profile] travelingmonkey 2010-10-16 02:30 pm (UTC)(link)
But the thing is, anyone can go get an OpenID for anything, anything google related comes with it, etc. You can go create some random spam gmail account, connect it to blogger, never use it, but bam, "valid" OpenID account, took 30 seconds to make, and you can spam all you want. That person is completely anonymous then. Don't get me wrong, I see your point, but the fact is that OpenID isn't some secure -you must be a verified reliable person to have one- thing, and can easily be used for spamming if people wanted to use it as such, without it linking back to any known identity of theirs.
yvi: Kaylee half-smiling, looking very pretty (Default)

[personal profile] yvi 2010-10-14 08:43 pm (UTC)(link)
That level is planned and I think a developer recentl (last week?) claimed it.
ninetydegrees: Drawing: a girl's face, with a yellow and green stripe over one eye (Default)

[personal profile] ninetydegrees 2010-10-14 06:34 pm (UTC)(link)
I don't know if things on LJ are the same and I'm not sure 'registered account' include OpenID accounts (the FAQs are unclear for me) but I wish there was a distinction between anonymous, registered DW accounts and OpenID accounts, and registered DW accounts.
arethinn: glowing green spiral (Default)

[personal profile] arethinn 2010-10-14 07:50 pm (UTC)(link)
That sounds like how it is here, too. As I said in the other comment, I would wish for it to be split so that any OpenID user was its own different level, neither anon nor registered.
travelingmonkey: Chimp w/ glasses (Default)

[personal profile] travelingmonkey 2010-10-16 02:36 pm (UTC)(link)
"I know that LJ's been a bit of a "walled garden" over the years, with the ability to lock down commenting and lock down viewing, far more than most of the other blogging sites except LJ clones"
Have you not been on any other journal/diary sites before? Because every one I've ever used has had the same deal, and I've used a lot. You can pretty much always choose for people to be able to view you at all or not (and all other sites I've used, if you "lock down," people cannot see your page at all. A far better option if you're trying to keep secure, people can't see any of your info then, no profile or anything), choose whether you want commenting from friends, members, anon, or none, choose if posts are visible to friends, groups, members, totally public, etc. I've never seen a site that didn't allow for these things. I think you're confusing journaling sites with literal blogs, which are standalone with no community aspect, and which are simply either public, or utterly private.
thejeopardymaze: (Default)


[personal profile] thejeopardymaze 2010-10-17 06:40 am (UTC)(link)

If you really are a member of the antispam team, I am afraid this thread does not give me much confidence in you.
Edited 2010-10-17 06:49 (UTC)
cesy: "Cesy" - An old-fashioned quill and ink (Default)

Re: -

[personal profile] cesy 2010-10-17 07:20 am (UTC)(link)
This official page should answer your implied question.

Why doesn't it give you confidence?
thejeopardymaze: (Default)

Re: -

[personal profile] thejeopardymaze 2010-10-17 07:25 am (UTC)(link)
It says how much peoples feelings about that particular issue are taking seriously, which apparently isn't much. Not like I ever expected it to be perfect here, and I've seen other stuff in addition to it as of late that hasn't impressed me either.
travelingmonkey: Beaker "meep!"ing (meep!)

Re: -

[personal profile] travelingmonkey 2010-10-18 08:40 am (UTC)(link)
Honestly (and this is coming from someone who, at this point in time doesn't really care about it either way, but who takes her security online fairly seriously), I think that a large part of the issue, at least from where I sit, is that OpenID is, for all practical purposes, anonymous. As I said above, anyone can register a random ol' gmail address, and if that alone doesn't give you OpenID, linking it to Blogger (owned by google) does. Takes 30 seconds to do both. Even if that person doesn't use it to spam, per se, they are still a complete stranger in every sense, no account here, no profile page, no info on them of any sort, yet they can easily lurk around and comment on stuff if they chose. It's good to be able to choose if you *only* want DW people to be able to do that, not simply -anyone who has made any account on any one of the hundreds of sites that provides OpenID and feels like lingering here-, you know? This is a journaling site, where people write about their lives, and random strangers aren't exactly welcome by too many. People shouldn't have to lock down all their posts, either, to feel secure. Like I said, personally, at present, I don't care and don't *think* I would choose to keep out OpenID accounts, but why shouldn't I have that option of being more secure, if I chose it?

You seem pretty big on [mocking] this "walled" deal that you for some reason think only LJ gives, and considering this some far-fetched option that no reasonable people should want; but like I said above (to which you never responded), all journaling websites provide this. All. Not blogs, those are completely different. But every journal/diary website provides the option to "wall" yourself however much you see fit, and none of the others even allow for OpenID.

I understand that allowing it opens the site accessibility to more people, but frankly, that isn't what I want out of a journaling site, and I'm pretty sure there are plenty of others who feel likewise. I want the community of the journaling site (i.e., not the entire online world, that is what blogs are for!), and I want the ability to lock myself down as much or as little as I choose. I do not want random non-members coming around, especially if their OpenID is not attached to a real, active, blog, that I could check out and reply on if I so chose.

One girl's thoughts on the issue.
charmian: a snowy owl (Default)

Re: -

[personal profile] charmian 2010-10-18 10:27 am (UTC)(link)
With all due respect, though, isn't it equally as easy to register an LJ account as registering a gmail one? When I register an LJ account, I don't need to put anything in my profile if I don't want to, and there are no safeguards against me creating a thousand empty sock accounts on LJ. I don't see why someone with an LJ account isn't just as much of a random stranger as some openID blogger user. Both can have no information discernable about them.

Also, what are the other journaling websites that don't allow openID?
travelingmonkey: Chimp w/ glasses (Default)

Re: -

[personal profile] travelingmonkey 2010-10-18 11:10 am (UTC)(link)
That was my point though, anyone can make an OpenID on *any* of the zillions of sites out there, hence it is not a secure thing.

It's not that they "don't allow" it, it's that none of them implement it, and certainly no one requests it. I've never encountered any journaling site that had it, aside of LJ (and clones). OD, Bloop, Melo, etc, I don't remember all the other sites I've joined and checked out over the years that I didn't spend any real time at, but none of them allow options aside of "anyone," "members," and "friends" (or none, of course). Obviously I can't speak for all members, but personally, I like having those options. Someone with an OpenID isn't a member, and shouldn't be considered as such. If they really wanted to be one, it shouldn't be that difficult to make an account here, which would then allow them to comment to everyone who allowed "member" to do so.
charmian: a snowy owl (Default)

Re: -

[personal profile] charmian 2010-10-18 11:16 am (UTC)(link)
No, what I mean is that I don't see why LJ is any more secure, because anyone can become an LJ member anyway? To me, that means that LJ itself is just as insecure (DW itself might be argued to be different because of the codes). All LJ requests is a validated email, so what is the difference between that and treating a person who registers with openID and then validates their email with LJ as a member? I guess I just don't see how it creates more security.

What is OD and Melo? I can't find the websites for those...

Anyway, in the case of DW, it is somewhat harder for someone to become a member here, which is why I think they emphasize the usage of openID.
travelingmonkey: Chimp w/ glasses (Default)

Re: -

[personal profile] travelingmonkey 2010-10-18 11:27 am (UTC)(link)
Ah I get what you mean. Obviously people make sockpuppet accts there and whatnot, but for the most part, people use it, as well as the rest of the journaling sites, "honestly." All the rest of them aren't hard to sign up either, it's just a choice people make to trust members, or be exclusively FO. I think it's a lot less risky to have a general trust level of people who are members of the specific site, though, than anyone across the entire internet who has an OpenID, ya know? In the one case they're members of the site, on the other they're just random. Of course people on the site can be spammers/sockpuppets, or act like jerks, etc. But still, it's not quite the same thing.

OD is OpenDiary (apparently atm it is "offline for maintenance," so you if you're curious about it you may want to check later), Melo is Melodramatic (and apparently it is currently down for technical issues, bad day for examples! lol).
Edited (edited for html muckup) 2010-10-18 11:28 (UTC)
charmian: a snowy owl (Default)

Re: -

[personal profile] charmian 2010-10-18 11:35 am (UTC)(link)
I think what Azurelunatic is trying to get at in this post is why it's not the same thing. However, just because someone isn't socking doesn't meant that there's really any info about them either, though? LJ member/user doesn't seem to have much meaning to me, because anyone can sign up, and with the new openID/FB implementation, a person can convert their openID/FB/Twitter account into an LJ account with a click or two. So if a click or two is all that separates an openID account from an LJ account, is there really that big of a diff?

I'm not sure whether allowing commenting or not really counts as a 'trust issue.' To me, 'trust issue/security issue' would be more like if LJ/DW had a setting where you could lock content to members-only, but it doesn't.

Also, re: openID usage, openID is a relatively recent technology (originated in 2005 by Brad Fitzpatrick, the creator of LJ), and these journaling sites look like they started up way before openID even existed.
zvi: self-portrait: short, fat, black dyke in bunny slippers (Default)

Re: -

[personal profile] zvi 2010-10-18 11:54 pm (UTC)(link)
I am don't see the substantial difference between creating a Blogger account with no info and going to [site community profile] dw_codesharing and creating an empty account here. The comm's already listed on the front page.