Everyone including the corner store could become an OpenID *provider* and it still wouldn't make any bloody difference.
snellspace.com » Blog Archive » Identity and Authentication
I think it is well established that HTTP Authentication needs a major kick in the ass and OpenID and OAuth may get us most of the way there. However, until I see RFC #s attached to both I’m hardly going to consider them to be complete. I propose the creation of an IETF WG on Identity and Authentication. The WG would be chartered to produce two RFCs covering each of the two areas. OpenID and OAuth could be used to seed the WG effort.
Simon Willison - Designing for a security breach
If your web application hosts any valuable information at all, it’s prudent to expect that some significant proportion of your users will eventually have their accounts hijacked.
OpenID
After reading Simon Willison's post about setting up an OpenID, and watching his screencast, I went ahead and set one up. The most attractive thing to me is a unique URI that I can use to log in to a variety of different sites (okay, there isn't much variety yet), without setting up different accounts on all of them. Tim Bray has written a post on his concerns about OpenID, in which he looks at it from the other side: what does an OpenID mean to a site where someone is logging in (among other things). The comments are illuminating. OpenID is not about proving who you are, though that may be built on top at some stage. I'd be very happy to leave comments on Tim's site after logging in with my OpenID, and I don't really care what the OpenID says about me to Tim.