It's great to hear that you want to be able to login to Movable Type using OpenID as an author; I want it as well for my own install of MT. We certainly agree that it is a needed feature that is still planned for a future release of Movable Type though it's software -- we definitely haven't done all the features we want to yet, but we're working on it! That said, we have been doing a bunch of work recently with OpenID.

Movable Type 4.2 (you can download a release candidate from http://www.movabletype.org/beta/42/) adds support for OpenID 2.0 when commenting. By default Movable Type will ship with all of the needed libraries and functionality to act as an OpenID 2.0 Provider and Relying Party when commenting. We're also shipping the libraries needed for OAuth so that as of Movable Type 4.2 plugin authors can rely on being able to take advantage of it in features that they build. Beyond that there's a bunch of great work going on with OpenID within TypePad which you'll see later this year.

Not allowing authors to login to Movable Type or TypePad using OpenID has nothing to do with our not trusting OpenID as a technology. Quite the opposite in fact, we want to make sure we can build great support for OpenID in a way that we can help bring OpenID more mainstream. It isn't a small feat to do it right and laying the groundwork by supporting OpenID 2.0 in Movable Type 4.2 helps get us a step closer.

Both Google and Yahoo IDs are now OpenIDs. I'm not tech-savvy, so this is probably a dumb question: But if you had to ban an OpenID, would it also mess up using that ID on those two large providers?

I've had Akismet, for example, mark me as Spam and I've been battling for weeks to get that corrected. I couldn't believe how many places it affected.

Hey David,

Thanks for the response. It's nice to see you supporting OpenID 2.0 for comments. Will be nicer when you support it for the author login. :)

I understand you want to make it more mainstream by allowing it in comments. I just wish you guys would consume it in your own web app for authors so we can get the extra benefits OpenID offers with centralized authenitcation over the Internet. LDAP is simply not a safe way to do it over the Internet as you have it now.

Hey Mike,

This is one of the reasons I want to use our own provider for login. We can control how to ban that. It would be in our interest to associate an account TO an OpenID in which we have control. In our case, we have our own OpenID provider that uses our company's two-factor authentication system to provide identity assurance when logging in with one-time passwords (OTP) from keyfob tokens. When an employee leaves our organization, we simply disable the token which affects all their Windows logons, email, VPN etc. However, we have to take an extra step to then log into MovableType to disable their account there. If they were forced to use an OpenID we trust, then when we revoked the token, they no longer could use us as a provider.

Now here is where it gets interesting. We don't force our employees to use our provider directly. We recommend they use their OWN url that they control (like their personal blogs) and use OpenID's delegation feature to provide the authentication to our provider. If they leave the company, they can then reset the delegation URL to another provider like Google or myOpenID.

This way, their identity remains in control by them. However our company has the ability to decide which provider(s) we will trust. In our case, we would only want staff accessing company systems once identified with their hardware token.