Time to take a break?

Brad Fitzpatrick brad at danga.com
Wed Jul 13 11:04:31 PDT 2005

Now that we've updated the spec to clarify that we're not a single-sign-on
protocol (no more "Consumer should be logged in until ______"), I think
I'll be taking it a little easier on OpenID for a couple months.

I'll still be on the mailing list, answering questions when others don't
beat me to it, and I'll still be working here (at Six Apart), making sure
OpenID is well-tested and integrated in all our sites/products.

I imagine there's still some website work to do, documenting best
practices and implementation pitfalls.  PLEASE--- bug me about those.  If
you want anything on the specs.bml page, just let me know.

One best practice item wrt single-sign-on is:

   * you should not create a login session for a user as a result
     of an openid identity assertion, unless the user is prepared for it.
     the UI should reflect what will be done with the assertion.

         Login with OpenID! [      ] --> logs user in.    GOOD

         Leave a comment with OpenID: [   ] --> leaves comment,
           then user is forgotten ....  GOOD

         Leave a comment --> comment + logs in            BAD

         Leave a comment + do you want to login?         GOOD

   * if you do let somebody login with OpenID, they should understand
     the duration (browser session vs. cookie expiry), and preferrably
     side with browser session as the default

Currently LiveJournal and LifeWiki do all these things, and we hope others
do too.

- Brad

More information about the yadis mailing list