OpenID isn't going to work unless...

Mar 06, 2007 14 comments

OpenID is the greatest thing since sliced bread. I’m really tired of having to register at every new site I need an account on, and I’m especially tired of dealing with each of their different password requirements. The problem is that no one will use it until we make logging in seamless.

Most sites these days have a login that looks like this:

Username or Email:
Password:

So why are we asking OpenID users to use an entirely different format to log in?

OpenID:

Isn’t the logical step to not change anything?

Username or Email:
Password:

Our code should first check whether the submitted email is a valid OpenID URL and, if it isn't, fall back to the site's original login system.

To check if it’s valid, I’ve seen two basic conventions emerge, so we’d try both:
  • pjhyett@myopenid.com => http://pjhyett.myopenid.com
  • pjhyett@myopenid.com => http://myopenid.com/pjhyett

Actually, the real solution is for OpenID to treat emails as first-class citizens; then none of this would be necessary. More about that here
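As an added example (not code from the original post), here is one way to implement the routing described above in Ruby: derive both candidate URLs from an email-shaped login, run a minimal HTML link-tag discovery against each, and otherwise fall back to the site's own login. OpenID is only attempted when the password field is blank, so a password typed into the shared form never travels down the OpenID path. The fetch is injected and the provider page and its endpoint URL are constructed so the code runs offline.

```ruby
# Added example, not the post's code: route one "Username or Email" +
# "Password" form either to OpenID discovery or to the site's own login.

EMAIL_RE = /\A([a-z0-9._%+-]+)@([a-z0-9.-]+\.[a-z]{2,})\z/i

# The two conventions from the post: user.host and host/user.
# Returns [] when the login isn't email-shaped (e.g. a plain username).
def openid_candidates(login)
  m = EMAIL_RE.match(login.to_s.strip)
  return [] unless m
  user, host = m[1].downcase, m[2].downcase
  ["http://#{user}.#{host}", "http://#{host}/#{user}"]
end

# Minimal HTML-based discovery: scan <link> tags for the OpenID 1.1
# (rel="openid.server") or 2.0 (rel="openid2.provider") endpoint.
# `fetch` maps a URL to an HTML string (or nil); injected to stay offline.
def discover_provider(url, fetch)
  html = fetch.call(url)
  return nil unless html
  html.scan(/<link\b[^>]*>/i).each do |tag|
    rels = tag[/\brel=["']([^"']+)["']/i, 1].to_s.downcase.split
    href = tag[/\bhref=["']([^"']+)["']/i, 1]
    return href if href && (rels & %w[openid.server openid2.provider]).any?
  end
  nil
end

# OpenID is tried only with a blank password field; anything else, or a
# login that discovers no provider, falls back to the original login.
def login_route(login, password, fetch)
  if password.to_s.strip.empty?
    openid_candidates(login).each do |url|
      endpoint = discover_provider(url, fetch)
      return { path: :openid, identifier: url, endpoint: endpoint } if endpoint
    end
  end
  { path: :local, identifier: login }
end

# Constructed sample "network": only the user.host form resolves here,
# and the server URL is made up for the example.
SAMPLE_PAGES = {
  "http://pjhyett.myopenid.com" =>
    '<html><head><link rel="openid.server" href="http://www.myopenid.com/server"/></head></html>'
}
SAMPLE_FETCH = ->(url) { SAMPLE_PAGES[url] }

if __FILE__ == $0
  p login_route("pjhyett@myopenid.com", "", SAMPLE_FETCH)        # => :openid
  p login_route("pjhyett@myopenid.com", "hunter2", SAMPLE_FETCH) # => :local
end
```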

14 comments


Noah Winecoff said about 6 hours later:

I agree, good point.

Alex Ezell said about 6 hours later:

While I agree that there needs to be less confusion and less barrier to entry for OpenID, I’m not sure using emails is the best way.

I’ve always hated email as a login device because it’s such a hassle to deal with changed or abandoned email addresses. I just don’t see an email address as a singly identifying characteristic other than it has become so in a de facto manner.

As for your solution, that’s quite good and it could really be handled transparently to the user. The problem is still educating the user to the ease and benefits of OpenID.

Chris said about 6 hours later:

Whoa, totally. What if you only checked to see if the email was valid OpenIDish when the password was left blank? That would be killer.

DHH said about 4 hours later:

Using URLs as a login mechanism is certainly a new concept to many users. But using a FAKE email address is way worse. Lots of people will get OpenIDs from places other than their email provider. It’s going to make the confusion total if they now have to remember both their real email address and a fake one to use as their OpenID.

PJ Hyett said about 3 hours later:

I have a hard time agreeing with you given that I have a few dozen login/password combinations that I’m required to remember as opposed to having to remember just two email addresses.

Furthermore, there’s nothing stopping a service like MyOpenID from making pjhyett@myopenid.com a valid email that I can use in conjunction with their OpenID service.

The dream is that I can use my email address pjhyett@gmail.com to check my email and to log into all my favorite sites.

Email is the internet’s killer app; there’s no reason we should arbitrarily try and change that by using a URL when everyone understands the current paradigm.

The arguments against using an email as an OpenID identifier are weak at best.

Steve said about 7 hours later:

I’d definitely prefer going the email route. I just don’t see OpenID as such a fantastic thing at the moment, maybe I’m not seeing the possibilities, but to a certain extent the ability to link all my online activities under a single ID is quite scary.

PJ Hyett said about 18 hours later:

I’m unfamiliar with the other services, but MyOpenID lets you set up different profiles under one account, so I may log in with pjhyett@myopenid.com at 10 different sites, but I could be posting under different names at each.

oyjc.com said 1 day later:
  • pjhyett@myopenid.com => http://pjhyett.myopenid.com
  • pjhyett@myopenid.com => http://myopenid.com/pjhyett

I don’t agree. When my OpenID is “http://oyjc.com” ....

atomic1fire said 3 days later:

I prefer not using my email as an identifier; you’re just asking some random company posing as an ID consumer to spam you. A URL is not an email, so I wouldn’t get any spam (if they don’t ask me for my email address, which I could decide for or against).

Mubashar Iqbal said 10 days later:

“The dream is that I can use my email address pjhyett@gmail.com to check my email and to login into all my favorite sites.”

Google actually has a similar service that allows websites to authenticate users against their Google accounts:

http://code.google.com/apis/accounts/AuthForWebApps.html

Now if only people used it :)

sutch said 11 days later:

What makes OpenID secure is that the client sites never get users’ passwords. By allowing OpenID users to enter passwords, we’ll be opening up the possibility for users to accidentally reveal passwords to client sites.

s.m. koppelman said about 1 month later:

I sympathize, but I don’t think you’ve found the answer. Not least because I’m finishing up an app based on an off-the-shelf OpenID provider that uses URLs of the format domain.com/user/USERNAME.

I’d sooner see browsers and XHTML become OpenID aware, with a specific form field type or attribute that could be used to trigger a system-wide or browser-level UI that lets you select a saved OpenID from a list, and a microformat that would trigger a UI to allow you to add an OpenID to a keychain.

There’s another problem I’ve run into with OpenID on the consumer side: it has an alien notion of logout. You can log out of a consumer site, but nothing pings back to the openid provider to log you out there, so hitting the authentication wall again on the consumer site will usually result in being logged in again without being prompted for a username or password.

My solution - since it’s for apps that only authenticate against my own OpenID server and not third-party ones - was to extend things a bit. I have my consumer site’s logout action (1) delete the consumer session, (2) redirect to the provider logout, and (3) have the modified provider honor a redirect_to parameter and send the browser back to the consumer site, so that Logout Means Logout. Ehh.

Jeff said 2 months later:

Yeah, having the password field there is almost akin to a phishing attack, no? Even if you’ve got something there to say “Don’t enter password for OpenID”, I’m sure that many non-savvy users will offer up their pass, no matter how much you train them.

Brian said about 1 year later:

JanRain has just introduced an OpenID login widget, ID Selector (www.idselector.com), that makes it easy for users to sign on without knowing the full syntax of the OpenID URL, just their account name. Furthermore, on return visits to the site, a user just needs to click the “sign in” button. You can see the Selector in production at www.jyte.com. There are also reviews at http://siliconflorist.com/2008/04/21/openid-id-selector-promises-to-make-openid-less-geeky/ , http://dev.aol.com/openid-selector, http://www.webware.com/8301-1_109-9924037-2.html, and http://www.centernetworks.com/openid-launches-id-selector
