
horsebattery

macrumors 6502
Sep 24, 2013
313
424
Including the list of sponsors in the article without including sufficient context (just tossing in a link is a lazy solution) adds absolutely no value to the story - it's no different than clickbait in this case. The large number of ridiculous comments in this thread prove this.

This organization seems sketchy for being non profit and supported by Google, no thanks !
Oh dear. The Linux Foundation is also sponsored by Google and Facebook! Better toss that as well then, huh?
 

rudigern

macrumors member
Apr 20, 2010
75
104
Looking through the BitBucket document this is really a non-issue. It's a gap analysis based on something still in development. Good to know and I'm sure Apple would probably fix the issues. Maybe wait till it's released before jumping to conclusions.
 

dwaite

macrumors 65816
Jun 11, 2008
1,224
1,006
Everyone who has used OpenID to sign into a website put your hands up.

Everyone who has never heard of OpenID before Apple offered an alternative they could whine about put your hands up.

OpenID Connect is used all over the place, and the Sign in with Apple feature is based on it.

However, Apple's implementation has bugs which can cause security and interoperability issues. If I write a hosted back-end for my app, I can't reuse the code I have for logging in against OpenID Connect-compliant sites like Google for Sign in with Apple, because Apple has bugs.

Apple isn't trying to differentiate by having a different protocol, they are trying to differentiate by giving users control over what info they share over that protocol.

OpenID is irrelevant and hasn’t gotten any traction. They’re whining because Apple will have wider adoption within weeks of launch than OpenID wasn’t able to achieve in years of trying.

Again, OpenID Connect is used all over the place, including by Apple. Apple is just not doing it correctly. This letter is complaining about that (and also that Apple is not mentioning the OpenID relationship)
 

mi7chy

macrumors G4
Oct 24, 2014
10,495
11,155
OpenID is not a product.
And this claim is based on what exactly? FYI, here's a list of certified OpenID providers and the implementations they use:

https://openid.net/certification/

There are actually a lot more entities using OpenID than on that list. For example, Veterans Administration uses it as a login option along with other entities of the government. It's actually better than the default login since it allows for more complex passwords.
 
Reactions: compuguy1088

Rigby

macrumors 603
Aug 5, 2008
6,210
10,148
San Jose, CA
This organization seems sketchy for being non profit and supported by Google, no thanks !
The highest-tier OpenID membership dues paid by companies like Google are $50,000 per year. On the other hand, Apple reportedly receives $9,000,000,000 per year from Google. Better throw your iPhone away. :p
There are actually a lot more entities using OpenID than on that list. For example, Veterans Administration uses it as a login option along with other entities of the government.
Yes. The list only covers providers that went through the certification process.
 

ikramerica

macrumors 68000
Apr 10, 2009
1,542
1,832
They’re worried because their biggest source of income “selling customers’” info is in jeopardy.
Google, Microsoft and PayPal?!!!

It’s like pharmaceutical companies becoming members of a non profit which is concerned about cheaper medicine.
It's like the nicotine industry making PSAs with puppets and loud noises talking about vaping statistics.
 

mistafro

macrumors regular
Aug 24, 2003
184
180
Full panic mode for sure... I would rather login with Apple over any one of these other scumbags any day. Not even being a fanboy, they have proven their reliability when it comes to our data.
 
Reactions: realtuner

Speedy2

macrumors 65816
Nov 19, 2008
1,163
254
OpenID Connect is used all over the place, and the Sign in with Apple feature is based on it.

However, Apple's implementation has bugs which can cause security and interoperability issues.

You realize you're falling for their propaganda by simply repeating their untrue statements.
The issues they are rattling the cage about are minor and nowhere near the security (=privacy) disaster that is Google, Facebook et al.
It's extremely obvious that they're trying to undermine a new competitor, that - by its very design - is working against their core business model: collecting as much private data as possible and selling it.

Don't forget we're talking about a feature that has only been announced and not released yet.
I'm very confident that Apple is more than able and willing to fix any possible serious bugs until then. They have a lot to lose in the end.
Google and Facebook on the other hand have absolutely nothing to lose, since they have zero credibility when it comes to putting user privacy and security first.
 

Rigby

macrumors 603
Aug 5, 2008
6,210
10,148
San Jose, CA
You realize you're falling for their propaganda by simply repeating their untrue statements.
The issues they are rattling the cage about are minor and nowhere near the security (=privacy) disaster that is Google, Facebook et al.
Privacy and security aren't even remotely the same.
It's extremely obvious that they're trying to undermine a new competitor, that - by its very design - is working against their core business model: collecting as much private data as possible and selling it.
And how exactly would fixing the spec violations "undermine" Apple?
 
Reactions: jogu and bydandie

garylapointe

macrumors 68000
Feb 19, 2006
1,883
1,244
Dearborn (Detroit), MI, USA
Nope- a consortium made up of Google, MS & PayPal is just mad that Apple is looking to upset the norm again. Hopefully Apple will do the 2 things they’re typically pretty good at doing:
1: NOT following the norm, & creating a new norm, &
2: doing all of it better than it had been done previously.

My issue/concern is with MacRumors making a story out of such a non-story.
 

Brien

macrumors 68040
Aug 11, 2008
3,664
1,282
I get the risks but with the proliferation of accounts (seriously, everything needs an account nowadays) I welcome our new Apple overlords.
 

jdawgnoonan

macrumors 6502a
Apr 22, 2007
657
905
Jefferson, WI
I have seen an option to use Open ID exactly nowhere. Therefore, these guys can go to hell. I’m not interested in something involving the Facebook of search engines, sorry Google.
 

BootsWalking

macrumors 68020
Feb 1, 2014
2,267
14,181
Apple gets accused of lock-in all the time but I can (and have) exported Messages conversations and content out of the app. How is that lock-in?

Because of the WiFi support and iMessage extensions that are only supported on Apple devices.
Because everybody necessarily uses WhatsApp for communicating outside the Apple ecosystem.

Everybody except for Apple users, at least for their primary messaging app.
 

coolfactor

macrumors 604
Jul 29, 2002
6,991
9,576
Vancouver, BC
I see what's going on ... Apple took an established protocol and used it as the basis of their own sign-in protocol. OpenID comes along, says "that looks familiar", but then picks it apart in an Open Letter in order to shame Apple. They likely feel that Apple should have just used OpenID directly and paid the certification fees, rather than roll their own version.

Some of the claims they make about Apple's implementation may be valid, and the developers behind this feature will likely take these arguments under consideration.

Where OpenID has failed is claiming that Apple is somehow being irresponsible and lacking respect for users *today*. But we all know this feature does not go live to the larger public until late September, so that's plenty of time for Apple to fix any glaring issues with the protocol.

I will applaud them for standing up for what they feel is a better solution, but whenever dollar signs come into the picture, I take a step back and question what the real motivation for the complaints are.

It always annoyed me to see Microsoft create their own protocols instead of adopt open-source solutions (eg. MAPI vs IMAP anyone?), so is this Apple doing the same thing? Time will tell.
 

jtaylor673

macrumors newbie
Mar 19, 2013
25
10
Jacksonville FL
Taken from Wikipedia.
The OpenID standard provides a framework for the communication that must take place between the identity provider and the OpenID acceptor (the "relying party").[3] An extension to the standard (the OpenID Attribute Exchange) facilitates the transfer of user attributes, such as name and gender, from the OpenID identity provider to the relying party (each relying party may request a different set of attributes, depending on its requirements).

I bolded the part that might cause some concern. That is, websites want more information than username and password. Such as, dob, sex, marital status, zip code, phone, address, etc. Perhaps Apple is not allowing such attributes to be exchanged.
 

JimmyHook

macrumors 6502a
Apr 7, 2015
940
1,772
Am I supposed to care what OpenID thinks? Do they have ANY evidence that user privacy is compromised by Apple’s implementation? No? Then they can take their terrible privacy-violating product and take a hike
 

dernhelm

macrumors 68000
May 20, 2002
1,649
137
middle earth
People need to calm down. What actually happened is that the OpenID Foundation noticed 5 VERY SPECIFIC violations of the Open ID spec in Apple's brand new service. The reason that there is security risk here is because these violations present known attack vectors, some more severe than others. But understand that there is no evidence that these violations were even intentional on Apple's part. The OIDC spec is complex and would be incredibly difficult to get 100% correct immediately out of the box. What would be a problem is if Apple didn't either patch their code to address these violations or present some sort of compelling argument about how known attack vectors to these violations wouldn't affect their service. Simply not meeting the spec the first time it is tested against does not signal some sort of conspiracy.
 

Alan Wynn

macrumors 68020
Sep 13, 2017
2,371
2,398
People need to calm down. What actually happened is that the OpenID Foundation noticed 5 VERY SPECIFIC violations of the Open ID spec in Apple's brand new service. The reason that there is security risk here is because these violations present known attack vectors, some more severe than others. But understand that there is no evidence that these violations were even intentional on Apple's part. The OIDC spec is complex and would be incredibly difficult to get 100% correct immediately out of the box. What would be a problem is if Apple didn't either patch their code to address these violations or present some sort of compelling argument about how known attack vectors to these violations wouldn't affect their service. Simply not meeting the spec the first time it is tested against does not signal some sort of conspiracy.

Here is the specific known attack for one of the requested changes.
 

DevNull0

macrumors 68030
Jan 6, 2015
2,703
5,390
Nowhere did Apple say they’ve implemented OpenID but they’re treating this as spec violations.

They're pretending that spec violations are automatically security flaws. Which is pathetic given that this is Google, Facebook, and Microsoft talking about a spec designed from the ground up to rob the user of any bit of security or privacy and track them as much as they possibly can. Apple's "violations" are closing those deliberate tracking and spying vectors.
 

Alan Wynn

macrumors 68020
Sep 13, 2017
2,371
2,398
They're pretending that spec violations are automatically security flaws.

No. At least one of the spec violations opens a known attack vector. OpenID is based on OAuth 2.0 (as is Sign-in with Apple), and this change was to fix that attack. I posted a reference to the attack above (not a recent change, and had nothing to do with Apple).

Which is pathetic given that this is Google, Facebook, and Microsoft talking about a spec designed from the ground up to rob the user of any bit of security or privacy and track them as much as they possibly can. Apple's "violations" are closing those deliberate tracking and spying vectors.

OpenID is just an extension of OAuth spec, with an agreed set of parameters and some extensions. One extension is the option to request more user data. Providing that data is optional (Apple, fortunately, will not provide it, other providers do). OpenID enables tracking primarily by having a third party provide the authentication (that then knows when, where and to what service you are connecting). Apple’s system does nothing to prevent that inherently, it is just that Apple chooses not to capture that data (while others do capture it). It is a policy that makes Apple’s service more private, not its protocol implementation.
 
Reactions: ErikGrim