'Open MS Passport': MyUID Goes Beta

mastergoon writes "MyUID, which has been refered to as an "open MS Passport", has opened their doors to public beta testing. MyUID is a user database system, with the purpose of allowing virtually anyone to refer to its records using only HTTP or HTTPS. Many companies have unified login systems, like Yahoo! and Microsoft, but unlike MyUID, these databases cannot be put to use by any site. As of now there is an alpha release PHP4 connectivity API, which while not feature rich is in full working order. APIs should be available in your favourite language soon. You can view this example of a site remotely connecting to MyUID using the alpha API, and give a go at spoofing a login. They want the security of the login methods tested extensively before going production."

Flying solo?

[LostCluster]

It seems like this project is only implemented on one site called mastergoon.com, and the /. post comes from a user named "mastergoon". Hmm...

Seems like a one-person project. Very easy to declare standards without all those annoying other people!

That's called a demo site

Where people can login and try out their ID to make sure it works. Notice it's a different domain than the main myuid.com site?

get a free gmail account by signing this

[vivek7006]

From their website

MyUID is giving out three Gmail invitations to it's users. Three MyUID users will be chosen at random on Monday, June 21st at 10:00 PM PDT (GMT minus seven) to receive the invites. Good luck.

Whatever happened to Liberty Alliance

Weren't they supposed to do something similar? Sure seems to be taking them a long time.

It's true

[Donny+Smith]

Why is the parent post modded -1?

It's true - individuals have reported receiving up to 6 invitations (Source:
www.wired.com/news/infostructure/ 0,1377,63786,00.html?tw=wn_12culthead
).

At least one of people I invited did not open a Gmail account (the invitation was either forwarded or declined).
I have two unused invitations (I won't use them 'cause I don't know a deserving individual to give it to) and I've invited 4 people so far.
If we assume there's about 1m active accounts (say 3-4 racks of mail servers), there's probably been at least 10m invitations given away.)

I haven't read the API but...

[grahamsz]

Surely you sign on to their secure server and it generates a token which can authenticate you to the third party site...

Isn't that about the only sane way to do this?

Holly cow!

The article has a link to the goatsex guy...Hey editors, are you wake up today????

Carefull!

[Repran]

The mastergoon link contains a picture of goat.cx!

DO not go to the remote site!!!!

[Business+King]

Currently, the remote site is not in a good state of affairs. Someone has decided that html injection is the way to go, and well it has become a porn site. I would recommend not going to it for a day till tehy can get that stuff removed from teh database.

Nice ID/email collect0r

Real nice (if you need email addresses):

http://www.myuid.com/api/usercard.php?uid=12
ht tp://www.myuid.com/api/usercard.php?uid=13
http:/ /www.myuid.com/api/usercard.php?uid=16
http://www .myuid.com/api/usercard.php?uid=18
http://www.myu id.com/api/usercard.php?uid=21
http://www.myuid.c om/api/usercard.php?uid=29
http://www.myuid.com/a pi/usercard.php?uid=32

etc

Laurence Lessig may not love this inititative

[nick_urbanik]

"Code and Other Laws of Cyberspace" points out the dangers of having an infrastructure that allows most people to be identified without great difficulty. I wonder what Lawence Lessig would have to say about this initiative.

I begin reading the book three days ago, and am up to page 78. It's a thought provoking book. I value my freedom highly. I will examine these issues.

Re:Different from MS Passport?

[blowdart]

Lets add to this the fact that the "story" for this reads like a press release, and one that lies at that.

"Many companies have unified login systems, like Yahoo! and Microsoft, but unlike MyUID, these databases cannot be put to use by any site"

So you can't use Passport on your own site? What utter bollocks. Oh look, there's the passport SDK.

But I can't run it on Linux you cry? Really? Step back a version, version 2.1 has code for Apache/CGI in it (Or did last time I looked). Admittedly the documentation for it is sparse to say the least.

Finally lets look at the story submitted. mastergoon. OK, lets look at who owns myuid.com,

Registrar: DOTSTER
Domain Name: MYUID.COM
Created on: 28-APR-04
Expires on: 29-APR-05
Last Updated on: 28-APR-04
Administrative Technical Contact:
O'Shea Kevin kevin@mastergoon.com

Oh look, it's another shill story. Someone sumbitting a story about his service without admitting it.

When did slashdot become a press release site?

mindlocked.com - better looking GUI?

[snon]

I strongly believe that we need to reduce the number of accounts per person - our attempt at that is Mindlocked which we hope to develop further - especially in terms of distributed/replicated databases etc...

Anyone interested in joining this project (that will be released under GPL soon...) - let us know!

That's my 2 cents worth of marketing =)

Re:Similar but different

[Sancho]

Our power grid is more vulnerable than you realize...

Good idea, maybe not done right

[johnburton]

I think the web could use something like this. Some kind of generic logon that's free, or very cheap anyway, and which is used for general low security sites such as message boards so you don't have to log on to each one. I'm not sure this is the right one though. It seems a bit vague and needs to be a lot more open about policies and security considerations.

Re:Wow.

[the+unbeliever]

eBay gives you the option.

CheckFree gives you the option.

A lot of sites have optional Passport logins.

It's far from a flop, but it's just as far from the raging success Microsoft hoped for.

Re:They need a better email server

[pacman+on+prozac]

A lot of companies receive at mail.company.com and send from smtp.company.com.

That isnt the problem, as you state MX records solve that. The problem is that in this case while "smtp.company.com" resolves to an IP address, there is no reverse DNS lookup for that IP address.

Certain firewalls, e.g. Symantec, have their default behaviour to block mail from hosts who either have no reverse DNS lookup or where the reverse DNS doesn't match the A record.

Liberty Alliance : some explanations

[Seb+C.]

Well, they actually do... But project Liberty is about specification, not implementation. Look at sourceId if you'd like some starting point for an implementation.
But still, The liberty alliance takes quite a different point of view. Passport and My-Whatever- talk about having a centralized server that would keep your personal data (and spread them around when needed).
The Liberty Project is about federating logins :
- You create a local account on some server.
- You create a local account on a "centralized" server
- You federate them.

Now you are able to login in the local server AND the central server, just using your central server login.
And you can have multiple server using this central server. You can actually have multiple central server talking to each other also. And you can even federate our account with many "central server" (it's all related to how the server are bound)

The personal data transfer is not the main goal of this project, but is possible and specified (it's SOAP+XML Security related).

Re:Are we sure this is for real?

[turg]

It says "open" not "open source." It's open in the sense that any web site can use myuid to autheticate users, as opposed to MS Passport which requires a hefty contract with MS.