## October 20, 2005

### OpenID

I’ve been playing around with implementing OpenID here on Musings. PGP-signed Comments, which we’ve been offering for a year and a half, offer two distinct advantages.

1. They provide proof that the person who left a comment is the same person who owns the web site in the URL link.
2. They provide proof that the comment has not been altered in any way, either by the blog owner, or by some third party.

But they have two distinct disadvantages.

1. They require that the computer you’re posting from have PGP or GnuPG installed.
2. You must also have a copy of your secret keyring on hand.

This precludes posting signed comments from a public terminal, an internet café, or wherever.

OpenID offers a way to prove that you own a certain web site, without requiring any special software or a secret key installed on your computer. That’s the more interesting of the two features offered by PGP-signed comments. Since the requirements are lower, it might be something more people would actually use.

I tried Mark Paschal’s MT plugin, but really didn’t like it, either from the point of view of the code (which I had real problems with) or for the way it displays the commenter’s information. I’m not looking for a substitute for the traditional name/email/URL information; I’m looking for a supplement to it: an attestation that the URL actually belongs to the commenter.

I ended up shelving, for the moment, the idea of implementing OpenID here. The one positive outcome of the little experiment is that I have a working OpenID server (a hacked-up version of Mark Paschal’s server). If you’re an author at the String Coffee Table, you can use it to authenticate using OpenID on other blogs. Either list your SCT profile page (e.g., Robert Helling’s) as your URL, or, if you prefer, add

<link rel="openid.server" href="https://golem.ph.utexas.edu/cgi-bin/MT-3.0/plugins/openid-server/server.cgi" />
<link rel="openid.delegate" href="http://golem.ph.utexas.edu/string/archives/NNNNN.html">

(where the URL in the second line is your SCT profile page) to the <head> element of your homepage. Anytime you want to make an OpenID-authenticated comment, you just need to log into MovableType, here (and stay logged in as long as you need).

Try out the OpenID demo.

Posted by distler at October 20, 2005 11:58 PM

TrackBack URL for this Entry:   http://golem.ph.utexas.edu/cgi-bin/MT-3.0/dxy-tb.fcgi/662

### Re: OpenID

If you use it in combiation with LID lid.netmesh.org then you also get a PGP public key that lives on the server. They also have an authenticated post profile which may be what you are looking for.

Posted by: NN on October 21, 2005 6:14 PM | Permalink | Reply to this

### commenting plugin

What did you find objectionable in the commenting plugin? I’m open to suggestions. :)

Posted by: Mark Paschal on October 31, 2005 4:28 PM | Permalink | Reply to this

### Re: commenting plugin

Well, as I indicated, I haven’t quite figured out how I would like it to be implemented, so my answer is gonna be a little sketchy.

Basically, what I want is a supplement to the usual name/email/url information, rather than a replacement for it. Commenters would be required to fill in their name/email/url (or have it supplied by a cookie) as usual. They’d be presented with a button or checkbox, allowing the URL to be verified via OpenID. If they do so, their comment, when posted, will be stored along with a flag indicating that the URL had been verified using OpenID.

Since I’d like to use OpenID as a supplement to name/email/url, I’d like to store the OpenID flag as a column in the mt_comment table, rather than adding rows to the mt_author table. This would greatly simplify the logic of the plugin.

I realize this isn’t what you had in mind, but I think it is closer to the spirit of what OpenID was designed for.

Posted by: Jacques Distler on October 31, 2005 9:54 PM | Permalink | PGP Sig | Reply to this

### Re: commenting plugin

Yeah, I was trying to make OpenID work with the existing authenticated commenting system. Using the url field is an interesting idea.

Posted by: Mark Paschal on November 1, 2005 3:37 PM | Permalink | Reply to this
Read the post OpenID - Heard of it?
Weblog: Webby's World
Excerpt: I’ve added OpenID support to my site, I need to change it a little though so the log-in box disappears when you log-in. Hopefully I’ll find the code to the box like at Neil’s World or markpasc.org . Wait, I added...
Tracked: November 6, 2005 2:46 PM

### Re: OpenID

Openid is great, but can be a bit annoying because of spam…

Posted by: Nik on August 1, 2008 1:54 PM | Permalink | Reply to this

Post a New Comment