Careful with the wording. WordPress isn't fully supporting OpenID, and this can be dangerous. They're acting as an identity provider without also acting as a service provider.
It's true that WordPress users can use their blogs as OpenIDs to log in elsewhere, but users who already have OpenIDs can't use them at WordPress.
Unless service providers implement the entire spec and treat all OpenID users as first-class citizens, regardless of identity provider, then there's really no interoperability here. What's the point of an OpenID if you can't use it at other "OpenID-enabled" sites like WordPress?
Thank you for posting this. ReadWriteWeb is reporting that 37Signals has also joined the bandwagon:
http://www.readwriteweb.com/archives/wordpress_37signals_openid.php
I just read that article too. WordPress.com will be acting as an identity provider, similar to AOL.
Any thoughts on OpenID implementation for existing popular networks? Considering that relying sites can filter which providers they allow authentication from, I am overall positive about an increased usage of OpenID.
QUOTE: Considering that relying sites can filter which providers they allow authentication from, I am overall positive about an increased usage of OpenID.
I'm hoping that this sort of thinking will not proliferate, as it nullifies what I see as one of the big advantages of OpenID: user privacy. The core architecture of OpenID makes it possible for users or small groups of users to operate their own OpenID servers, avoiding the need to hand their personal information over to any third party to prove their (pseudonymous) identity. If it becomes standard practice to filter OpenID requests to only allow authentication from certain large providers, then OpenID becomes no better than any other single-sign-on system.
Moreover, there is no advantage to filtering authentication sources. An OpenID authentication is merely an assertion that the user is authorized to use a given universally unique identifier. The only way that the authentication source can cheat is by permitting auths that it should deny, or vice versa. Because users can choose the authentication source they use, there is no incentive for such cheating. In the case of a private person running their own OpenID server, the only attack would be for that person to attack their own account, nonsensically.
If you're unconvinced of the security of permitting anyone to serve, consider the analogy to Jabber servers: anyone can run their own, federating into the wider XMPP network, and the network maintains security because the misbehavior of one server only affects that server's users.
While I don't use OpenID myself, there are a number of users on my social network asking for its integration. It seems that many users are now beginning to *expect* Web 2.0 startups to provide support for it (just as they did for Firefox). I anticipate that, in the future, when big name startups like Digg and LiveJournal begin supporting OpenID, there will be a huge following by other sites as well. Put simply, crowds follow crowds.
I have read up on OpenID's specifications and what it aims to deliver. If it is labeled a bandwagon, I think it may be a good one to jump onto. There are a few provisions one must be wary of regarding security, but for the most part I believe it is a move in a positive direction for managing web identities.