I’m busy writing a blog entry over on AskDaveTaylor.com about how to apply for an OpenID account and am both highly impressed by the project goals and appalled to see that, when I use my new Yahoo OpenID to verify my identity on the LiveJournal site, I get this error message:
What the heck, guys? When are any of these project teams going to learn that compatibility is more important than slick new features and that one glitch like this will sour users on a technology for years to come?
This highlights a huge challenge for the evolution of software projects: improving features and compatibility while not breaking things.
Clearly, we’re still working on that issue…
I wouldn’t be so quick to jump on them – note the “more secure.” That seems like a nice way of saying the old version had a gaping security hole that couldn’t be fixed without forcing this new version. Breaking backwards compatibility could indeed have been the only possible means of fixing a serious security problem. One would hope they know very well that breaking backwards compatibility for no good reason isn’t the best idea in the world, and were mandated to do so.
Given these types of security vulnerabilities never get disclosed unless an outsider finds them first, it’s impossible to know the true driver behind this choice. I think this is a pretty safe guess though.
Ever heard of security? They did make it somewhat better although there are lots of holes remaining. Instead of throwing daggers, why don’t you jump in and contribute? Would be interesting to blog your participation as well…
Thanks for your comments, Chris & James. I realize that the change from v1 to v2 OpenID is to do with increasing security — the message from Yahoo highlights that, of course. The point is that there are customer-friendly ways to step from one version to another and customer-unfriendly ways.
OpenID is an example of the latter.
How could it be done differently? What about a message that said “Warning: OpenID v2 is more secure: do you want to proceed with an OpenID verification using this older protocol? YES / NO”
In terms of your comment, James, that “those who aren’t contributing shouldn’t comment”, well, I think that’s fine if the only users are expected to also be contributors or programmers. Otherwise, that’s also a rather customer-unfriendly attitude for a service that needs widespread adoption *and positive sentiment* to be successful.
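The graceful step-down proposed in the reply above, worked through as an added example (this is not code from the original post, LiveJournal or Yahoo): a relying party reads the provider's XRDS discovery document, works out which protocol versions both sides share, and then either proceeds on OpenID 2.0, asks the user explicitly before falling back to 1.x, or fails with a message that names both sides' versions rather than an opaque error. The XRDS service type URIs are the ones defined by the OpenID 2.0 specification; the sample documents, function names and the relying party's version policy are constructed for this example.

```python
"""Relying-party (RP) protocol-version negotiation for OpenID discovery.

Added example, not the original post's code. Assumes the RP has already
fetched an XRDS document for the user's identifier; the documents below are
constructed samples.
"""
import xml.etree.ElementTree as ET

# XRD element namespace used inside an XRDS document.
XRD_NS = "xri://$xrd*($v*2.0)"

# Service type URIs defined by the OpenID 2.0 specification
# (OP Identifier / Claimed Identifier for 2.0, and the 1.x compatibility types).
OPENID2_TYPES = {
    "http://specs.openid.net/auth/2.0/server",
    "http://specs.openid.net/auth/2.0/signon",
}
OPENID1_TYPES = {
    "http://openid.net/signon/1.1",
    "http://openid.net/signon/1.0",
}

# Constructed sample: a provider that advertises only a 2.0 endpoint,
# i.e. the situation the post runs into with a 1.x-only relying party.
V2_ONLY_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example/endpoint</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Constructed sample: a provider that still speaks only OpenID 1.1.
V1_ONLY_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://openid.net/signon/1.1</Type>
      <URI>https://old-op.example/server</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def provider_versions(xrds_xml):
    """Return the set of OpenID protocol versions ('1', '2') the XRDS advertises."""
    root = ET.fromstring(xrds_xml)
    versions = set()
    for type_el in root.iter("{%s}Type" % XRD_NS):
        uri = (type_el.text or "").strip()
        if uri in OPENID2_TYPES:
            versions.add("2")
        elif uri in OPENID1_TYPES:
            versions.add("1")
    return versions


def negotiate(provider, rp_supports, user_accepts_downgrade=None):
    """Decide how the RP proceeds given both sides' versions.

    Returns (outcome, message). Outcomes: 'proceed' (2.0 in common),
    'ask_user' (only 1.x in common and the user has not yet answered),
    'downgraded' / 'refused' (the user's answer), 'unsupported' (nothing in
    common, reported with both sides' versions instead of an opaque error).
    """
    common = provider & rp_supports
    if not common:
        return "unsupported", (
            "This site supports OpenID %s but your provider offers only OpenID %s."
            % (", ".join(sorted(rp_supports)), ", ".join(sorted(provider)))
        )
    if "2" in common:
        return "proceed", "Using OpenID 2.0."
    # Only 1.x in common: make the step-down an explicit user choice, never a silent one.
    if user_accepts_downgrade is None:
        return "ask_user", (
            "Warning: OpenID v2 is more secure. Proceed with an OpenID "
            "verification using the older protocol? YES / NO"
        )
    if user_accepts_downgrade:
        return "downgraded", "Proceeding with OpenID 1.x at the user's request."
    return "refused", "Verification cancelled; no request was sent to the provider."


def rp_login_step(xrds_xml, rp_supports, user_accepts_downgrade=None):
    """One discovery-plus-negotiation step, as an RP login handler would run it."""
    return negotiate(provider_versions(xrds_xml), rp_supports, user_accepts_downgrade)


if __name__ == "__main__":
    # A 1.x-only RP (the post's scenario) meeting a 2.0-only provider.
    print(rp_login_step(V2_ONLY_XRDS, {"1"}))
    # A dual-stack RP meeting a 1.1-only provider: the user is asked first.
    print(rp_login_step(V1_ONLY_XRDS, {"1", "2"}))
    print(rp_login_step(V1_ONLY_XRDS, {"1", "2"}, user_accepts_downgrade=True))
```

Which versions the relying party is willing to accept at all is its own policy (the `rp_supports` set); the negotiation only makes that policy visible to the user at the moment it bites, which is the difference between the two error experiences the reply contrasts.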