Clickpass: solution or problem?
Tuesday, March 11, 2008 at 08:44PM

Clickpass want to make OpenID easier for the end-user and that’s commendable. One click to log in is good if it’s done right.
Unfortunately, relying parties have to go through a lot of extra work logging people in and merging existing user accounts.
OpenID is already quite difficult to enable as it is, and now relying parties have to implement several new API calls.
Neither of these APIs seems to have been openly discussed, and it’s not clear how they were designed. Is there a public security analysis? Why are high-value parameters such as “I agree to the terms of service” sent in the clear and unsigned?
Clickpass is a promising idea, but my advice to an RP would be to hold off implementing it until the protocol has had some time in the open.



Reader Comments (1)
I agree. Look at this diagram:
http://www.clickpass.com/docs/howclickpassworks
The top "RAW OpenID" diagram looks simpler than the Clickpass diagram at the bottom.
I signed up as a Clickpass user and then tried some of the Clickpass sites. However, I still have to log in to Clickpass in order to use the Clickpass buttons on the site - so what is the benefit to Clickpass?
I intend to incorporate OpenID in a new project I am working on, but Clickpass seems like a waste of time to implement.
In fact, Clickpass is just another OpenID provider!
-Nick