[wp-hackers] Re: GSoC 2008 Proposal: Core OpenID Support

[Otto]

No, I got what you said all the way around, and your idea. I really
did understand you the first time.

The problem with it is that if you add OpenID without adding it to
commenting as well, then it's practically useless for some large
number of the userbase. Furthermore, if you allow OpenID logins, but
then don't check those OpenID's on comments, then you could be said to
be intentionally making comments spoofable. Logged in users don't get
asked for their name/url info normally, but non-logged in users would
be able to use the exact same information.

I'm not opposed to OpenID commenting. I'm opposed to mandatory
registration for commenting. I'm opposed to *requiring* OpenID for
commenting, even. I think that OpenID in all currently implemented
forms (all the plugins) buggers that up completely.

Here's an alternative that maybe you have not considered:

1. Allow OpenID for logging in/registration. This is simply an
alternative to providing a password to login, basically. No problems
here. Note that they still must provide a username and password when
they register! You have to have such because of the next bit.

2. While you're at it, add OpenID server code. Let each user get their
own local OpenID by virtue of being a user. The profile pages can be
their url, or the author pages, or something along those lines.

3. The important bit: Allow OpenID for commenting, but allow it
without also requiring registration. That is, if somebody uses an
OpenID to comment, then allow it, but don't create a user account for
them and don't save any credentials or trust information or anything
like that. Basically, you'll have two separate options: a) Allow
OpenID comments, b) Only allow registered users to comment (this
option already exists).

Furthermore, make OpenID a *SEPARATE FIELD*. If I don't want to use my
OpenID, but do want to use my blog URL, then I should be able to do
so. Integrating the URL field with OpenID is annoying when I put in my
URL and then it detects my OpenID and I get a "do you want to trust
this site" message from my OpenID server. No, I don't want to trust
the site, and I didn't want to use OpenID either! Annoying, that is.

The best interface would likely be some kind of a javascript to let me
select either the normal 3 field thing or select the OpenID 1 field
and 2 extra steps thing. Maybe a "Use OpenID" link with the little
OpenID icon. Whatever, should be able to be themed differently of
course.

-Otto