by cmelbye 5636 days ago
I don't understand autho.me, how is it supposed to be better than OpenID? In my opinion, it's worse than OpenID because with OpenID you can at least throw up a webpage at http://openid.yourcustomdomain.com/ and just edit a few meta tags when you need to switch to a different provider. I would personally only consider this if it were open source, and it's not, so I can't see the draw.

Basically what Steve said in reply to you, but I'll also add that it is open source. I'm using the following library from the author of SRP:

http://srp.stanford.edu/download.html

as the backend implementation, and then you can see the full JavaScript I've written with view source. The JavaScript isn't free to use, but you can evaluate it to see if you trust it.

The only thing I'm not releasing is the Lua code that implements the HTTP API, and all the other glue.

Also, I very seriously doubt you go around demanding you see the authentication implementation of every auth system you use. It's rather unfair to say you need to see mine when you don't demand you see Google's.

It's not unfair to say that if he's got to pick between a clunky but mainstream standard for authentication and something entirely custom, the entirely custom option would need to be (really) open source for him to consider it.

> I don't understand autho.me,

"I'm scared to handle people's passwords. Here's a library that just does it for me, does the right thing, and lets me not worry about it."

That's it. Think of it like installing a plugin to handle your user accounts.