I’m not sure where to put this comment; I guess it could be considered a bug, but I’m not sure on which end the problem is occurring.

I’m setting up a site to accept openID logins, but I can’t log in with thunderrabbit.smugmug.com

The reply I get from smugmug is an object:

Auth_OpenID_FailureResponse Object
(
[status] => failure
[endpoint] =>
[identity_url] =>
[message] => Bad signature
[contact] =>
[reference] =>
)

I can log in to said site with openIDs served by myopenid and livejournal, but not smugmug.

This is *not* mission critical on my end, and certainly not yours. But if you get some time, email me back and we can maybe figure something out.

Thanks!
– Rob

I would like to do OpenID delegation so that I can configure my personal homepage (http://scphillips.com) to be used as my login identifier. By inserting two lines of code into my homepage I should be able to delegate my authentication to any OpenID provider of my choice, e.g.:

This doesn’t work for me. I am able to login to LiveJournal using scphillips.smugmug.com as my identifier, but using scphillips.com gives me the error “bogus:delegation:”.

Any ideas?

Thanks!

Thanks for that additional explanation.

I believe that the virtues of OpenID were obvious to you because SmugMug is a community site and community-based sites seemingly have the most to gain from OpenID. Keep in mind that most developers, myself included, don’t build community/web 2.0 sites and thus might be a bit slower on the uptake.

That’s fantastic news. I’ve been doing this for 5 years, and for most of that time, Shutterfly has required email addresses.

But I don’t do a lot of competitive research, so I’ve clearly fallen behind. We just checked and you’re right – the email-address-required-to-view option seems to be gone.

Kudos to Shutterfly!

I like what you guys are doing with SmugMug but you should get your facts straight.

Shutterfly does not demand an email address (Kodak and Snapfish do) to be able to see your friends photos, when you get an invite. My wife has acounts in all 3 and keeps raving about shutterfly, their photo books and their user friendly site because of that.

again, you’re talking about trust which is not something that OpenID currently attempts to address. But it does provide the foundation for trust and reputation, namely establishing a unique persistent identifier for an individual. If someone spends a lot of time in community A and has established themselves as being trustworthy and possibly authoritative on a particular topic, it would be nice for that reputation to have validity within another community. Communities could share these lists of trusted users so that as people move around, their reputation is known and moves with them. Communities could choose which others they trust to assert reputation… for example, Hotmail may assert all the good rep they want for a user, but that doesn’t necessarily mean I choose to allow it to have any validity in my community. Much more about this can be found by googling for openid whitelist. Of course this is all theoretical at the moment, but the foundation is being laid for this to be a reality.

But I want millions of people to be able to comment on photos at SmugMug. (Our customers want this, too). And SmugMug doesn’t have millions of customers.

See my dilemma?

Now imagine you’re an even smaller provider. Say an independent blog with no login system whatsoever – you’re the only writer, afterall. What then?

Right now (if you restrict comments to registered users), you need only to check against user IDs.

With OpenID, you’ll need to differentiate between spam IDs and spam ID servers. More or less, you’re hand-coding a trust system on the server side. On the upside, it’s probably easier to establish trust with an OpenID server than a user – but that spoils the idea behind OID that everybody can run their own authentication server.

I’ll probably try it out soon anyways – just because