Slashdot Mirror


OpenID - Open Source Single-SignOn

Nurgled writes "Danga Interactive, who created LiveJournal and memcached, is working on a new decentralized single-signon system called OpenID. Similar in principle to Six Apart's TypeKey or MSN Passport, OpenID will allow you to assert a single identity to any OpenID-supporting site. The difference here is that there is no central authenticating server: anyone can run one, and Danga's reference implementations will be open-source. The site you are authenticating with never sees your username or password, just a one-time token. You can read the initial announcement on LiveJournal, though some details have changed since that post, so be sure to read the information on the official site."

209 comments

  1. Hosting Servers by NETHED · · Score: 2, Interesting

    So this is a distributed ID system that is open source. I'm not sure that this is a good idea, but am willing to try. Hell, anything beats Passport. I think that if Slashdot adopted this (OSDN), it would attain critical mass.

    --
    --sig fault--
    1. Re:Hosting Servers by oKtosiTe · · Score: 0

      Something similar is already available in Drupal-based web sites. You only require one single account for different web sites.
      The downside being, you still have to log in on each site individually.

    2. Re:Hosting Servers by Turn-X+Alphonse · · Score: 3, Insightful

      You forget something.

      Slashdot maybe large but live journal's user base (myself included) is also very large. Most of them are idiots (AKA teen girls) so they would instantly start using it and think it was a great idea to only need to sign onto one site ever.

      If "average whiney girl mark 3" thinks it's a good idea she will tell her friends and it'll spread like wildfire through the mass market. The geeks can't control this, only choose if we listen to the cries or get snowed under with them if this happens.

      --
      I like muppets.
    3. Re:Hosting Servers by jamie · · Score: 1
      We'll definitely give it a serious look!

      Yeah, Slashdot might help raise awareness in the geek community, but as far as general "critical mass" goes, LJ has zillions more active logged-in users than we do :)

    4. Re:Hosting Servers by soupdevil · · Score: 4, Insightful

      But Slashdot readers are more likely to manage their own sites, which would be candidates for using OpenID, which makes Slashdot potentially more valuable.

    5. Re:Hosting Servers by grazzy · · Score: 0, Flamebait

      The link in your signature might be the absolutely lamest thing ever. Congratulations.

    6. Re:Hosting Servers by Nos. · · Score: 3, Insightful

      And this is the important point. For some reason, users of web services don't typically demand features like consumers do in other markets, at least not to the same degree. New features usually are first designed by site/owners/programmers/designers/masters/etc and then copied by countless other sites.

      So, having a large population of readers that also maintain or run sites see and believe in an open system like this is probably more important than the user base knowing about it. Let's face it, if everyone on /. started incorporating this technology into their sites and mentioned it on other sites that are maybe more targeted, this could take off faster than anyone expected. Imagine if slashcode, post/php-nuke (and all the other OSS CMS systems), etc. started putting in modules for this. Microsoft Passport would become nothing but a memory very quickly.

    7. Re:Hosting Servers by Anonymous Coward · · Score: 0

      fsck them all!

      Geek's revenge.

    8. Re:Hosting Servers by mattspammail · · Score: 1

      And you say that because putting Microsoft technologies out of business has already proven to be so simple?

      No, I'm afraid the only way to make Pi$$port go away is to keep it out of sight. It pops up right away after any user logs in initially (in XP). That's why people sign up for that service. They see it pop up, so they immediately fill out the form, like good little form-filler-outers. And web sites see their subscription numbers, and then adopt Pi$$port. Can you say "Court injunction"?

      --
      Now accepting PayPal donations!
    9. Re:Hosting Servers by ZeroZen · · Score: 1

      So, just like hotmail then right?

      It's a good idea, but it hasn't worked. The only people that use Passport are Microsoft.

    10. Re:Hosting Servers by Anonymous Coward · · Score: 0

      Slashdot maybe large

      "may be".

  2. Why DSA? by gtrubetskoy · · Score: 4, Interesting

    I coincidentally not long ago wrote a paper (Google cache) on how to implement RSA-based single sign-on (using Python/mod_python). Using public key signatures seems like the most obvious way of implementing SSO. I'm surprised OpenID is using DSA though - AFAIK RSA (now that it's patent free) is a superior, more trusted and flexible algorithm.

    I'm not a cryptographer by any means, but IIRC DSA was put together by NSA as an algorithm that was "crippled" to only do signatures, but not encryption, and there was some controversy because at first NSA wouldn't admit to being the designer, instead NIST was pretending to be one, and then later someone discovered a way to somehow leak bits and it is still a mystery whether this was intentional on the part of NSA or not.

    1. Re:Why DSA? by kiddailey · · Score: 1


      Can you please put a few more acronyms in your post next time? ;)

    2. Re:Why DSA? by nickovs · · Score: 2, Informative

      I'm surprised OpenID is using DSA though - AFAIK RSA (now that it's patent free) is a superior, more trusted and flexible algorithm.

      As a professional cryptographer I certainly don't think that DSA is in any way inferior for the task in hand. It is however superior in one significant way: if you use a 1024 bit key then the RSA signature is 1024 bits, which takes 171 bytes to base64-encode, while the DSA signature only takes up 54 bytes.

      --
      If intelligent life is too complex to evolve on its own, who designed God?
    3. Re:Why DSA? by Anonymous Coward · · Score: 0

      I coincidently not long ago wrote a paper

      Yeah, really? Which journal was your 'paper' published in...?

      Because all I saw when I looked at it was:

      "Describes how RSA is used for signle sign-on. This article is written [...]" (emphasis mine)

    4. Re:Why DSA? by bokane · · Score: 1

      Shouldn't that be "CYPPAFMAIYPNT?"

    5. Re:Why DSA? by kiddailey · · Score: 1


      lol Yes, you are indeed correct.

  3. Open by callqcmd · · Score: 5, Funny

    Does it mean I have to release my password per GPL and anyone is allowed to modify and distribute it for free?

    1. Re:Open by millahtime · · Score: 1

      Does it mean I have to release my password per GPL and anyone is allowed to modify and distribute it for free?

      Yes. And if you withhold your password, that is like withholding proprietary info and not opening it up.

    2. Re:Open by rootofevil · · Score: 1
      your password is already being distributed

      just
      cat /dev/random | grep yourpassword
      it'll show up eventually, after some 31337 h4x0r posts it
      --
      turn up the jukebox and tell me a lie
    3. Re:Open by Ithika · · Score: 1
      how you gonna know if the 1337 posts show up if you don't do it:

      cat /dev/urandom | strings

    4. Re:Open by Anonymous Coward · · Score: 0
      Does it mean I have to release my password per GPL and anyone is allowed to modify and distribute it for free?

      Would you prefer a proprietary system so they could sell your info to third parties without you knowing how? :D

    5. Re:Open by mazarin5 · · Score: 2, Funny
      I've forked your password:

      *****+

      --
      Fnord.
    6. Re:Open by pato101 · · Score: 1
      [...] GPL and anyone is allowed to modify and distribute it for free?

      on the other hand they can't make money from it, unless what they sell is support for that password ;-P

    7. Re:Open by Trepalium · · Score: 1

      Yes, and then SCO will claim that your password is a derivative work of their password that they invented thirty years ago, and that you need to pay them $699 per CPU to continue using your password.

      --
      I used up all my sick days, so I'm calling in dead.
  4. Wrong category? by Anonymous Coward · · Score: 2, Insightful

    Why is this in Hardware? Shouldn't it be... IT?

    1. Re:Wrong category? by whiteranger99x · · Score: 1

      Here you go! :P

      --
      Join the TWIT army now!
    2. Re:Wrong category? by Anonymous Coward · · Score: 0

      I just can't figure out who would waste their mod points on the parent comment. It's only useful to Slashdot editors, but there's a very low probability that they'd read it. It's much better to alert them of such a problem via email, and most probably, someone has already done just that.

  5. Cool by Anonymous Coward · · Score: 1, Insightful

    Now if my bank, my broker, and my webmail all did this I would be one happy person. But this sounds like it would do the same thing to me as stored numbers on the phone did: I forgot almost everyone's number.

  6. What about world domination? by Anonymous Coward · · Score: 0

    The difference here is that there is no central authenticating server: anyone can run one, and Danga's reference implementations will be open-source.

    But how are we gonna control the world? Palladium sounds like a better idea...

  7. Certain Information by teiresias · · Score: 3, Interesting

    while it certainly would be nice to login to one spot and be logged into all my favorite websites, as a webmaster I use different information based on what part of my site the person is logging into. Their username/password might be the same for both pages but a cookie might be set on one that isn't on the other and doesn't need to be on the other or could be harmful if done.

    Admittedly, I need to read up on this, and it's definitely an interesting idea to have a single login but I think there are some behind the scenes issues that need to be worked out.

    Also the decentralized nature of the servers has me worried/confused. So if I ran one, would I have everyones authentication information?

    --
    -Teiresias
    1. Re:Certain Information by alecks · · Score: 2, Insightful

      So if I ran one, would I have everyones authentication information?

      No. Just a token. Sheesh... I didn't even RTFA

    2. Re:Certain Information by Doctor+Crumb · · Score: 3, Informative

      You are confusing Authentication with Authorisation. Authentication is proving that You Are Who You Say You Are, i.e. the purpose of systems like OpenID. Your cookies/etc would be involved with Authorisation instead, deciding what that person is allowed to do on your site.

      Of course, if a central signon system doesn't work for you, then don't use it.

    3. Re:Certain Information by Anonymous Coward · · Score: 0

      Haven't read TFA, but I would hope you could query a service with the token to obtain some user information similar to LDAP.

    4. Re:Certain Information by sydney094 · · Score: 5, Insightful
      The decentralized nature of this is the problem. It is impossible to securely authenticate a person using an untrusted server.

      If you ran one, you'd have only your authentication information stored on your server. Then, to authenticate to a remote server, you'd point that server to your server. The remote server would ask your server who you are, and then authenticate you (log you in). The biggest thing is that the remote server has to trust that what your server tells it is correct.

      This may have a place in the blog world, where you're mainly looking for an easy way to keep your user profile the same across many blogs, but certainly not anywhere where you'd have sensitive data.

      Another point, this is supposed to be authentication and not authorization. But actually, this isn't really authentication either... The difference between the two is really the question the server is asking. In authentication, the question is "are you who you say you are?". In authorization the question is "do I have the rights to perform a task?". With OpenID, the question is "who are you?". There is no verification to see if you are who you say you are (from the remote server's perspective, since there is no trust between servers), so you aren't actually authenticated.

      It would be up to your server to determine what rights an OpenID-authenticated user would have.

      --
      "If we knew what we were doing, it wouldn't be called research." - Einstein
    5. Re:Certain Information by Nytewynd · · Score: 5, Insightful

      You could still use cookies based on the sign on. Instead of getting the sign-on data from the user typing it, you would be getting it from the token and perhaps looking it up on the backend. It makes it easier for the user, and is about the same amount of programming for you. You can still set and delete cookies accordingly.

      Decentralized servers are no less secure than if you had a database table of your user authentication information for your application. With SSO, you actually don't need to know the password since it has already been handled. All you need back is the user ID and that they have been authenticated. If you choose to set one of these servers up, it isn't like people are going to start using your server to store their Online Banking information. They will be using your server only to access sites that you run.

      On the flip side, if you choose to latch onto someone else's server for authentication, all you will be doing is specifying that you allow anyone authenticated by that server to access your site. You wouldn't even have as much knowledge of those users as you would if you ran your own security.

      For the most part SSO is only really useful within a small environment. Very rarely do I see a need to allow people to access more than one application with the same sign on. Something like Passport is nice for the general user, but why would I want the overhead of something like that for my own applications? I'd rather have more control over things. That sort of makes this new product interesting to me, but on the other hand, most of my applications have distinct user sets anyway.

      --
      /. ++
    6. Re:Certain Information by Elwood+P+Dowd · · Score: 2, Insightful

      That doesn't make any sense at all. The point of OpenID is that you can say "I'm Brad Fitz from Livejournal" and it would check with Livejournal. Isn't that exactly authentication?

      Sure, you could lie about being Brad Fitz by saying "I'm Brad Fitz from Deadjournal" but then... those are two separate identities.

      --

      There are no trails. There are no trees out here.
    7. Re:Certain Information by twiddlingbits · · Score: 1

      "For the most part SSO is only really useful within a small environment. Very rarely do I see a need to allow people to access more than one application with the same sign on." Most IT security standards require users to use DIFFERENT passwords for each application; of course this is very hard to police. The idea is to prevent loss of the password for one application from giving unauthorized access to ALL applications. That problem is inherent in the system described in the article: if a "black hat" steals your ID on the one server he gets your login and its rights/permissions on ALL servers. I can't see any way to stop this. It makes identity theft even worse! Within a small corporate environment behind a firewall and with trust relationships among the servers it would be an option; the open source is a plus.

    8. Re:Certain Information by Omniver · · Score: 1

      Actually OpenID is saying more like "you are the same person who claimed this identity before", it is making no claims that you actually are who you say you are.

    9. Re:Certain Information by nharmon · · Score: 1

      Isn't that exactly authentication?

      No, authentication is "I am Nicholas Harmon, and to prove it here is my password, secure certificate, and/or biometric signature".

    10. Re:Certain Information by Elwood+P+Dowd · · Score: 2, Insightful

      Right. And you do that with Slashdot, just like you have in the past.

      This, distributed authentication, lets other sites agree that you are Nicholas Harmon from Slashdot.

      What have I missed?

      --

      There are no trails. There are no trees out here.
    11. Re:Certain Information by More+Trouble · · Score: 2, Informative
      For the most part SSO is only really useful within a small environment. Very rarely do I see a need to allow people to access more than one application with the same sign on.

      I'm one of the authors of CoSign, which is a "traditional" Web Single Sign-on system. Really, SSO is explicitly not very useful in a small environment. SSOs are particularly useful in medium to large enterprise environments, primarily because identity needs to be tracked across many different applications -- for provisioning, auditing, authorization, etc. An SSO reduces the security exposure in this environment, because the user's credentials are only used during initial sign-on, and not presented to each service.

      OpenID's goals are somewhat similar, in that a form of the user's ID is made available to visited servers, without exposing information that might be important to the user. OpenID could be a big hit on the Internet if sites like GMail, Hotmail, and other enterprise environments that do strong authentication were to act as OpenID "homesites". Obviously, GMail isn't going to trust Livejournal to grant a user access to their mail. But LJ might trust GMail for a user to leave a comment.

      :w
    12. Re:Certain Information by iabervon · · Score: 2, Insightful

      There isn't any trust between servers, but a server knows that any identity at a particular server trusts that server, and therefore that the remote server is sufficient to authenticate that identity. If I claim to be iabervon@slashdot.org, and slashdot.org agrees, that should be enough for anybody. Of course, some other site is unlikely to care if I'm iabervon@slashdot.org or not, unless, during an interaction with the site, I tell it to authorize iabervon@slashdot.org as me, because I (the user in the interaction) trust slashdot to identify me.

      For example, if I post a comment on groklaw as iabervon@slashdot.org, I could edit it with the same identity but other people wouldn't be able to convince groklaw that they were me, even without any particular trust between sites. If I trust my own server to identify me, and I trust Amazon to have my credit card info, and I tell Amazon that I trust my server to identify me (before I give it my credit card info), it doesn't need to trust my server itself.
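    The exchange sydney094 and iabervon describe above (your site "points" the remote server at your identity server, which vouches for you with a one-time token that never carries your password) as an added example in Python. This is not code from Danga's OpenID implementation and was not posted by anyone in this thread; the hostnames, user names and passwords are constructed, and two simplifications are assumptions made to keep it runnable on the standard library alone: an HMAC over a per-site shared secret stands in for the DSA signature mentioned in the announcement, and the shared secret is handed over directly rather than agreed with a key exchange. The consumer side only trusts a server for identities that server hosts, rejects assertions minted for another site, expires stale ones, and records nonces so each token works exactly once.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlparse

ASSERTION_LIFETIME = 300  # seconds an assertion stays acceptable (assumed value)

SIGNED_FIELDS = ("identity", "return_to", "nonce", "issued")


def _signed_blob(fields):
    # Fixed-order encoding so the signature covers identity, destination, nonce and time.
    return "\n".join(f"{k}:{fields[k]}" for k in SIGNED_FIELDS).encode()


class IdentityServer:
    """The user's homesite: the only party that ever sees the password."""

    def __init__(self, host, users):
        self.host = host
        self._users = {}           # identity URL -> (salt, sha256(salt + password))
        self._associations = {}    # association handle -> shared secret
        for identity, password in users.items():   # constructed user table
            salt = secrets.token_bytes(16)
            self._users[identity] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def associate(self):
        # Stand-in for an association step (assumption: the secret is simply
        # handed to the consumer site instead of being agreed by key exchange).
        handle, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self._associations[handle] = secret
        return handle, secret

    def check_password(self, identity, password):
        record = self._users.get(identity)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, hashlib.sha256(salt + password.encode()).digest())

    def issue_assertion(self, identity, password, return_to, handle, now=None):
        """Log the user in locally and emit a one-time, signed assertion."""
        if urlparse(identity).hostname != self.host:
            raise ValueError("a homesite only vouches for identities it hosts")
        if not self.check_password(identity, password):
            return None  # nothing leaves the server on a failed login
        fields = {"identity": identity, "return_to": return_to,
                  "nonce": secrets.token_hex(16), "issued": int(now or time.time())}
        fields["handle"] = handle
        # HMAC-SHA256 stands in for the DSA signature of the real protocol (assumption).
        fields["sig"] = hmac.new(self._associations[handle], _signed_blob(fields),
                                 hashlib.sha256).hexdigest()
        return fields


class ConsumerSite:
    """A site accepting these logins; it learns an identity URL, never a password."""

    def __init__(self, host):
        self.host = host
        self._secrets = {}         # (server host, handle) -> shared secret
        self._seen_nonces = set()  # makes each assertion usable exactly once

    def trust(self, server):
        handle, secret = server.associate()
        self._secrets[(server.host, handle)] = secret
        return handle

    def accept(self, asserting_host, assertion, now=None):
        """Return (identity, reason); identity is None when the login is refused."""
        identity = assertion.get("identity", "")
        if urlparse(identity).hostname != asserting_host:
            return None, "server may only vouch for identities it hosts"
        secret = self._secrets.get((asserting_host, assertion.get("handle")))
        if secret is None:
            return None, "no association with that server"
        if urlparse(assertion.get("return_to", "")).hostname != self.host:
            return None, "assertion was issued for a different site"
        expected = hmac.new(secret, _signed_blob(assertion), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion.get("sig", "")):
            return None, "bad signature"
        if (now or time.time()) - assertion["issued"] > ASSERTION_LIFETIME:
            return None, "assertion expired"
        if assertion["nonce"] in self._seen_nonces:
            return None, "replayed assertion"
        self._seen_nonces.add(assertion["nonce"])
        return identity, "ok"


def demo():
    """Constructed walk-through: a LiveJournal-like homesite and a blog that trusts it."""
    homesite = IdentityServer("lj.example", {"http://lj.example/brad": "hunter2"})
    blog = ConsumerSite("blog.example")
    handle = blog.trust(homesite)
    login = "http://blog.example/login"
    # Wrong password: the homesite refuses and the blog never hears about it.
    assert homesite.issue_assertion("http://lj.example/brad", "wrong", login, handle) is None
    token = homesite.issue_assertion("http://lj.example/brad", "hunter2", login, handle)
    first = blog.accept("lj.example", token)
    replay = blog.accept("lj.example", token)             # same nonce a second time
    forged = dict(token, identity="http://lj.example/admin")  # tampering breaks the signature
    return first, replay, blog.accept("lj.example", forged)
```

    Note what the consumer never holds: the password, or any trust in servers other than the one it associated with. A rogue "one-shot" server can only ever vouch for identities under its own hostname, which is exactly the limit jovetoo and Elwood P Dowd argue about further down the thread.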

    13. Re:Certain Information by canadian_right · · Score: 1
      Mod up.

      IT at my work place looks at single sign on every few years, as currently users need anywhere from 1 to 10 ID/passwords depending on the job they do. This is because it is a BIG environment, not a little one. But for most big companies single sign on means getting many different apps to all use the same security method, AND all use one master list for all basic user information: name, id, phone, location, etc... Most new enterprise apps have hooks into popular directories for authentication, but we also have to support legacy apps, and just plain weird apps. Single sign on would ease admin (no more keeping 10 separate user lists up to date), make life easier for users, and improve security as users are less likely to sticky note their passwords if they only have one instead of 3 or 4.

      --
      Anarchists never rule
    14. Re:Certain Information by jovetoo · · Score: 1
      As long as Slashdot's server remains secure.

      If you accept IDs from another server, you are trusting that server to be secure or at least consistent although you have no guarantee at all.

      How long would it take, you think, before someone makes a "one-shot OpenID" server? As you can read on the page, the author is aware of these limitations.

      I hope a site will be able to choose from which sites it accepts authentications or at least know which server provided the authentication and assign a trust level based on that. (If the protocol doesn't provide any real way to authenticate the server there is no security anyway.) In essence, I have no problem accepting IDs from Slashdot; accounts from johndoeblog.com mean nothing to me.

    15. Re:Certain Information by Elwood+P+Dowd · · Score: 1

      I don't really understand. So what if someone creates a one-shot OpenID server? How has this harmed you more than if you'd just allowed the person to create a username and password? Why would you trust them to type in their street address but not to supply a secure OpenID server?

      So someone says their FOAF file is available at http://spammer.example.com/0000001. So what? The alternative is they say their username is GNAA_TROLL_0000001. Put up a captcha in either case if you don't want bullshit accounts.

      What privileged access were you planning on giving to Slashdot users but not johndoeblog users? That doesn't make any sense.

      Anyway. As the dude says, this is not a trust system. It's just for identity.

      --

      There are no trails. There are no trees out here.
  8. hardware? by EvilStein · · Score: 1

    yeah, Zonk, this really belongs in the "hardware" category. heh.

    The demo didn't seem to work for me, but others are already playing with it. Kind of cool, really.

    What would be *really* cool is if news websites would let us use something like this instead of having to create usernames & passwords for every news site we want to read (or w/o having to leech a login from bugmenot)

    1. Re:hardware? by Anonymous Coward · · Score: 0

      ff extension from http://www.bugmenot.com/ and you spare yourself from this kind of stuff

      luuletaja

  9. No thanks by Quasar1999 · · Score: 3, Interesting

    I'll authenticate with each and every site I visit...

    Take MS Passport for example. I log on to MSN webmessenger. I chat with some friends, then I close it down. 3 hours later I decide to log on to MSDN to grab a file, I need to log in with a different account since my messenger account doesn't have the access... fine... I do that... then a few hours later when I go to webmessenger again, I'm auto-logged on with my MSDN credentials.

    The only option I have is to force all Passport sites to stop caching my username/password and make me type it in every time, thus defeating the purpose entirely.

    This sort of password system is open to all sorts of problems, and not just of spoofing, or somehow being hacked and having people impersonate you... I'm more worried about logging on to some place with the wrong credentials...

    --

    ---
    Programming is like sex... Make one mistake and support it the rest of your life.
    1. Re:No thanks by peragrin · · Score: 1

      Wait, are you for or against Single Sign-On?

      I'll authenticate with each and every site I visit...

      and

      I'm more worried about logging on to some place with the wrong credentials...

      Are contradictory statements. You can't have both be true.

      Single Sign-On is nice because authentication is easier. I didn't like Passport because I don't trust MSFT, or any single vendor. OpenID, once it has stabilized and been tested, is a better way in theory.

      So who do you trust: a dozen or two different companies with various policies, or a single system gone over by experts and attackers that is designed to provide a single point of failure?

      Which one is most likely to cause problems?

      --
      i thought once I was found, but it was only a dream.
    2. Re:No thanks by Tenebrious1 · · Score: 1

      No, the problem is that many of us have, and want, separate accounts; the parent mentions MSN and MSDN, maybe the first is personal account and the second from work, and he doesn't want to mix the two. The problem is the cookies; when you hit the Passport sites it just recognizes the last used cookie, so you have to clear that user and log in as another.

      Single Sign On sounds really cool, and maybe for the majority of people it's a Good Thing (TM). But for some of us, we have multiple accounts that we like to keep separate, maybe we have different accounts for various businesses we run, or just like to keep our work and personal accounts separate, SSO doesn't work and is unnecessary. So we can be *for* SSO in general, but that doesn't mean we want to use it.

      --
      -- If god wanted me to have a sig, he'd have given me a sense of humor.
    3. Re:No thanks by Anonymous Coward · · Score: 0

      You must have misunderstood something. Go back and read the post again.

      The guy is saying that he prefers to manually authenticate with different credentials each time he connects to some service. And he wants to do this because he doesn't want some "intelligent" software logging him in automatically using the *wrong* identity.

      He even gave an example: When he is chatting with his friends, he logs in using a personal identity, which is *not* his MSDN (work-related) identity. But after he logs into MSDN, it insists on logging him into the chat program under his MSDN (work-related) identity, rather than his personal (non-work-related) identity.

      This is a nuisance, and a serious drawback to these one-login ideas.

    4. Re:No thanks by emc · · Score: 1

      The core issue here is that the current paradigm directly ties accounts, identities, and privileges.

      What we need is a system where every person has one identity, with multiple personas. Each persona would have privileges and accounts tied to it. Your identity should be available only to those you trust it with, and personas as well.

    5. Re:No thanks by Anonymous Coward · · Score: 0

      He's worried that he'll accidentally go to a pr0n site and be logged in as himself, rather than as his secret identity.

    6. Re:No thanks by Geoffreyerffoeg · · Score: 1

      I need to log in with a different account

      No wonder you're having problems with Single Sign-On. Just use the same BLEEPing account for everything!

      If you're giving too many credentials to the wrong sites, that's an implementation problem with Passport. Ideally, you should give your key to a single master site, which logs you in to different, separate accounts for each other site you visit. MSN Messenger, etc., are pushing the concept a little by making your MSN account the Passport account itself.

    7. Re:No thanks by Nurgled · · Score: 1

      The only reason Passport remembers your last login is because you go through Passport's login page to become authenticated. With OpenID, the way the system works is different and this would be hard to implement.

      If the demos and examples are anything to go by, you will enter the identity you want to use onto the site you want to log in as, and whatever is necessary to authenticate that identity will be done. LiveJournal's identity server can validate any identity you like if you have a LiveJournal account; you don't have to use your LiveJournal identity. (I'm not quite sure how that works yet, but the people on the mailing list seem pretty sure that it does.)

      I guess if you have multiple LiveJournal accounts things could get tricky, since you can only be logged in as one at a time and the ID server will only work if you're using the right one. Multiple identities attached to a single LiveJournal account is fine, though.

  10. Lame by pHatidic · · Score: 1, Interesting
    How is this ID? It doesn't identify the person, nor does it even make the claim that it is a unique person. It is just the next in a line of doomed to failure solutions for the lack of Identity on the Internet. Repeat after me:

    Pay me 25 dollars (iname) to get a name is not the same as identity

    Register with your 'name' and 'email' (typekey) is not the same as identity

    Single sign-on (Passport, OpenID) is not the same as identity

    1. Re:Lame by caluml · · Score: 1

      From what you are saying, it sounds like you think that only a SHA hash of some biometric information that doesn't change could be the way to identify someone.

    2. Re:Lame by iabervon · · Score: 2, Interesting

      There is no feasible way of identifying a unique person presently. Fortunately, few entities care (one is the IRS, which wants to prevent individuals from splitting their income and lowering their tax brackets; another is law enforcement, which doesn't want people to be able to start over with a new identity).

      For most things, the only thing that matters is that the site can determine that some entity that claims to have been there before is back. Identity is about telling that things are the same, not about telling that things are different.

    3. Re:Lame by pHatidic · · Score: 1

      Yes indeed, you caught me. Of course I am a little biased because my startup revolves around this.

    4. Re:Lame by Anonymous Coward · · Score: 0

      Hey I've got an idea! Let's all get a little chip implanted into our hands or foreheads...

    5. Re:Lame by Anonymous Coward · · Score: 0

      ...and, ironically enough, this is a good example of why this universal identity business that they're probably in (though at least they potentially allow multiple IDs) and you definitely are, have significant drawbacks. People can link together your identities and do things of the sort that were just done to you.

    6. Re:Lame by Nurgled · · Score: 1

      I think the idea here is just to answer the question "is this person the same person I dealt with last time?". It can't answer other questions, such as proving the visitor isn't the same user, or finding out what the user's address is, but for non-critical applications like weblog comments and web forums that's all you need, really.

      Obviously no-one's suggesting that a system like this be used to log into your bank.

  11. will this work? by millahtime · · Score: 2, Insightful

    so, if it's open it's good but if it's M$ it's evil with regards to single sign-on? Aren't there a lot of other considerations with regard to security and single sign-on? Such as one login gets you into bank accounts, and pretty much everything else.

    If you really want this use something like keychain (on a Mac), but in general one password to control them all isn't such a good idea.

    1. Re:will this work? by Doctor+Crumb · · Score: 2, Informative

      If you had RTFA, you would know that this is not a Single Signon. It is a Set Of Single Signons. You can have as many identities as you want. The difference is that without something like this, you are forced to have one identity per site, or one Passport ID. With an OpenID implementation, you can have any number of accounts as fit your needs. One potentially useful scheme is to have one signon for blogs and news sites, and then individual identities for each bank/etc.

    2. Re:will this work? by winse · · Score: 1

      Interestingly, M$ just announced that they would be making an implementation of the newest Liberty Alliance spec as well. So I believe that you could buy SUN, Novell, M$, CA, SAP for your site and they will interoperate. This is a sort of admission that Passport isn't being adopted by anyone besides M$ themselves... at least in my book. The question remains of how well the M$ product will play with others.

      --
      this sig is deprecated
    3. Re:will this work? by KillShill · · Score: 1

      actually in this case, it doesn't matter if it's MS or Libra , they're both implementing an evil idea.

      there are just too many problems with it. personally anonymity is good, even with all the problems we have now.

      i don't want to be tracked and have all the information in a single place for someone to search.

      it's 84 years after 1900 AD, do you know where your children are? unfortunately, yes... i also know where my neighbor and everyone i care to stalk err investigate/frame.

      no thanks.

      it's not the technology that's evil per se, it's the fact that more than often, it'll be abused and used against people that's the problem.

      --
      Science : Proprietary , Knowledge : Open Source
  12. yes but by zxnos · · Score: 2, Interesting

    if anyone can set up a server authenticate does that mean they can access my information? or track my movements? i am thinking of abuses.

    --
    always mosh clockwise
    1. Re:yes but by millahtime · · Score: 1

      or track my movements

      they could track your movements and sell that info to marketing companies in the same way that credit card companies do that.

  13. Suddenly.... by Anonymous Coward · · Score: 0

    Suddenly single-signon, long viewed by the open source community as evil because of numerous reasons, becomes the darling of the open source world.

    Here's a clue. Novell has already mastered single-signon and federated identity management. They've had it for a few years now.

    1. Re:Suddenly.... by Fox_1 · · Score: 2, Interesting

      I worked as an outside vendor with an internal part of novell (a few hundred people maybe) that built a beautiful SSO system - linux based and accessed novell software components better than the novell software. The solution was supposed to be for ASP's (application service providers - something from the bubble days) and allow them to link products from multiple vendors together so not only could it manage websites, but other network applications (even if they are hosted on someone else's network the other side of the continent like my company's). It wasn't an open product, and the day before we were to go live (even had a contract that would have made it profitable from day 1) Novell laid off 10,000 people across the company to save money (the bubble was just starting to burst). Among that 10K were my poor SSO friends, and of course 6 months of work on my part was wasted too.

      --
      The rock, the vulture, and the chain
    2. Re:Suddenly.... by Anonymous Coward · · Score: 0

      ASP's (application service providers - something from the bubble days)

      What ARE you talking about? I work for an ASP, and I sure don't feel like I live in a bubble, you insensitive clod!

      Seriously though, our profits have steadily grown since the dot.com era - that in itself says a lot. Furthermore, it's the ease of use that ASPs provide that makes them helpful, since an authenticated user can access the application from any web browser.

  14. Hmmm.... by absolutemeg · · Score: 1
    It just seems smarter not to put all my eggs in one basket, as it were, and not have everything I do tied to one username and password. I think a variety of logins makes my information more secure, and makes me more apt to remember to sign out of things, and not leave myself vulnerable to having my IDs compromised. But I'm not a true techie, so maybe there's some amazing aspect of this I'm missing out on.

    But, for the record, I hate Passport with a passion, and I also hate having to sign in to comment on blogs or journals.

    1. Re:Hmmm.... by Anonymous Coward · · Score: 0
      It doesn't make sense, catch my info once and access all of my credit card accounts, bank accounts and pRon? I dont think so.

      I hate boards with rules. http://www.therandirhodesshow.com/randirhodes/messageboards/index.php?act=boardrules what happened to free speech Randy?

    2. Re:Hmmm.... by jim_v2000 · · Score: 1

      I think a variety of logins makes my information more secure

      I'm just pondering, but I think that you would also have to consider that for a person to use your password, they would have to know the sites that you have logins for, and also they would have to know that you use the same password for everything. I suppose that's not too far out that they would suspect you use the same password, but it would be more difficult to figure out the websites you visit/have logins for.

      --
      Don't take life so seriously. No one makes it out alive.
    3. Re:Hmmm.... by Suppafly · · Score: 1

      so maybe there's some amazing aspect of this I'm missing out on

      There is. Comparing OpenID to Passport is comparing apples and oranges, they work differently and have different purposes.

    4. Re:Hmmm.... by absolutemeg · · Score: 1
      Most people who lack any grasp of web security or technical knowledge tend to use the same logins for everything, which I suppose is what would make this a popular thing. But I like to mix it up, for sure. And I don't think it would be all that hard for someone to trace what sites I was on through a few quick searches...someone with some know-how. If I was a person interesting enough to do that with:).

      If you only did have one login, though -- as this program would ideally suggest you do -- they'd only need to figure out one password to have access to everything, right? Which makes it, I suppose, no different from people who use the same login for everything.

      But I like not being one of those people:).

    5. Re:Hmmm.... by Nurgled · · Score: 1

      I also hate having to sign in to comment on blogs or journals.

      That's essentially what OpenID is for, I think. It's a way to not have to have an account at every blog but still to prove that you are the same absolutemeg that posted on some other blog, or that posted on the same blog a week ago.

      It's certainly not intended to be used for anything important, like bank sign-ins or online shopping.

  15. Good Luck With That! by Spencerian · · Score: 1

    In the business world, directory services are dominantly Microsoft's Active Directory, which is essentially a variant of LDAP, which is common in other operating systems. If this thing can't link up or mate to existing directory services, they're screwed. Very, very few companies will want to have to redo their entire directory service just for the fun of it. AD uses Kerberos to handle things, so it's not like there's not a possibility of linking Linux or other boxes to an AD tree in some capacity--if an AD plug in or process is available.

    Not to mention that MS makes it worthwhile to move by allowing SSO functionality not only with their products but through support of third parties. This thing is bush-league in terms of what it can really do for folks now. Not that I wish them ill, but the winds of change are tornadic when you deal with the MS juggernaut. Metaphorically, you can't just offer a better butter like these guys, but you have to offer a better bread, how to bake it, steps on making your own butter, and new flavors. You have to offer a complete solution as well as a complete, hassle-free, and justifiable means to move to your product. I know it's Open Source, but simply being "free" isn't enough incentive.

    Hell, even Apple offers support for Active Directory in their OS.

    --
    Vos teneo officium eram periculosus ut vos recipero is.
    1. Re:Good Luck With That! by awb131 · · Score: 1

      There is, in fact, such a way to hook up linux boxen to an active directory server. Samba's pam_auth_winbind is working like a charm on my Fedora FC3 box; it maps DOMAIN\user to the unix user "domain_user", auto-creates your home directory, you can use your AD login to check mail, etc.

      --
      "There is no night so forlorn, no mood so bleak, that it cannot be infused with pleasure by tender meat..." - R.W. Apple
    2. Re:Good Luck With That! by Alioth · · Score: 1

      I think you misunderstand the purpose - this isn't for providing authentication/directory services within an organization, it's for doing something similar to Passport - allowing someone a single sign on to a large number of different web sites.

  16. NEEDED by Anonymous Coward · · Score: 1, Insightful

    I am not disputing the value of anonymity, but ID services that are open and free are needed. Otherwise these services will gravitate towards Yahoo, Google, MSN etc. Make your choice, free or them.

    1. Re:NEEDED by starfishsystems · · Score: 1
      Actually, there is nothing to prevent strong anonymity from working within an authenticated identity framework.

      All you need is to provide a service which allows a user to create an identity named "anonymous1234" for example. The user receives a private key and a certificate signed by your certificate authority, both of which are unique to that identity.

      The user can now assert that unique but anonymous identity to other services by presenting the certificate. Those services will, of course, be selective about which certificate authorities they accept, so on that basis they can choose whether or not to grant access to the anonymous identities provisioned by your service. Even better, the X.509v3 certificate profile has a "policy" attribute which aids in making this distinction.

      --
      Parity: What to do when the weekend comes.
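The anonymous-identity scheme starfishsystems describes, as an added example in Go rather than anything from the original post: a service acts as its own CA, issues a certificate to "anonymous1234" whose only attributes are that name and a certificate-policy OID, and a relying service accepts it only if the chain ends at a CA it chose to trust and, optionally, if it is willing to accept that policy. The policy OID (under the private-enterprise arc), the CA name and the validity periods are made up for the example; the policies extension is written and read raw so the code does not depend on which policy field a particular Go release marshals.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// AnonymousPolicy is a made-up policy OID; a real service would register its own.
var AnonymousPolicy = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// id-ce-certificatePolicies (RFC 5280 section 4.2.1.4).
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}

// policyInformation is the PolicyInformation SEQUENCE with qualifiers omitted.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// Authority is the identity service's own CA.
type Authority struct {
	Cert *x509.Certificate
	key  ed25519.PrivateKey
}

func NewAuthority(name string, now time.Time) (*Authority, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Authority{Cert: cert, key: priv}, nil
}

// IssueAnonymous mints an identity such as "anonymous1234": the certificate
// carries that name and the policy OID, and nothing about the real person.
func (a *Authority) IssueAnonymous(name string, serial int64, now time.Time) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	polDER, err := asn1.Marshal([]policyInformation{{Policy: AnonymousPolicy}})
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		// Raw certificatePolicies extension; overrides anything Go would derive from other fields.
		ExtraExtensions: []pkix.Extension{{Id: oidCertificatePolicies, Value: polDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, a.Cert, pub, a.key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// HasPolicy reports whether cert asserts the given certificate policy.
func HasPolicy(cert *x509.Certificate, oid asn1.ObjectIdentifier) bool {
	for _, e := range cert.Extensions {
		if !e.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var infos []policyInformation
		if _, err := asn1.Unmarshal(e.Value, &infos); err != nil {
			return false
		}
		for _, p := range infos {
			if p.Policy.Equal(oid) {
				return true
			}
		}
	}
	return false
}

// Accept is a relying service's decision: the chain must end at a CA it trusts,
// and a service that does not want pseudonymous users rejects the anonymous policy.
func Accept(cert *x509.Certificate, trusted []*x509.Certificate, allowAnonymous bool, now time.Time) error {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if !allowAnonymous && HasPolicy(cert, AnonymousPolicy) {
		return errors.New("anonymous identities are not accepted here")
	}
	return nil
}
```

Nothing in the certificate links "anonymous1234" to a person; what a relying service learns is only that the issuing CA vouches that this key belongs to that pseudonym, and the policy OID is what lets it treat pseudonymous and vetted certificates from the same CA differently.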
  17. Re:What? by Tibor+the+Hun · · Score: 0, Offtopic

    You're not missing anything.
    I believe this phenomenon is called a "mistake".
    It happens every now and then when people do things, but end up with results that are unexpected and not satisfactory.

    Depending on the level of damage that such a "mistake" causes, people have differing reactions.

    Some people react quite anally to even the slightest of such perturbations, perhaps making a note in their daily blog, while others recognize them as being insignificant, and go on happily about their lives.

    More information can be found here.

    --
    If you don't know what AltaVista is (was), get off my lawn.
  18. How is it going to stay "single" by m50d · · Score: 1

    when everyone can run a server? I can see this being used for signin across multiple websites run by the same company, but not much else. You certainly won't have a single pervasive ID.

    --
    I am trolling
    1. Re:How is it going to stay "single" by Alioth · · Score: 2, Informative

      Because if you log onto a foreign web site, it says, "Ah, this person is giving me an id which is stored on another server. Let me ask that other server if this person is known to them". If the other server knows this, it returns a token so now you know that the other server authenticated. (You can then associate things with this token for when the user next visits your server).

      So basically, if you're logging onto the web site where you are registered, it simply makes a local call to a local database. if you provide an ID registered at another server, instead of the webserver looking in its local database of IDs, it asks the remote server if it knows the user. That way the user doesn't have to register with your site, too.
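The exchange Alioth describes, as an added example in Go that is not part of the original post and is not the OpenID wire protocol itself: the home site checks the password locally and issues a short-lived, single-use assertion keyed with a secret it shares with the relying party; the relying party checks audience, expiry, MAC and nonce before trusting it. The URLs, the association secret and the field layout are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assertion is what the home site hands back after the user logs in there.
// The relying party sees this token, never the password.
type Assertion struct {
	Identity string // the user's identity URL
	ReturnTo string // the relying party it was issued for
	Nonce    string // single-use value so the token cannot be replayed
	Expires  int64  // unix time after which the token is dead
	Sig      string // HMAC over the fields above, keyed with the association secret
}

func (a Assertion) signedData() string {
	return strings.Join([]string{a.Identity, a.ReturnTo, a.Nonce, fmt.Sprint(a.Expires)}, "\n")
}

func mac(secret []byte, data string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(data))
	return base64.StdEncoding.EncodeToString(m.Sum(nil))
}

// HomeSite is the server where the user is registered.
type HomeSite struct {
	Users   map[string]string // identity URL -> password (toy; a real server stores hashes)
	Secrets map[string][]byte // relying-party URL -> association secret
}

// Login checks the password locally and issues a signed assertion for returnTo.
func (h *HomeSite) Login(identity, password, returnTo string, now time.Time) (Assertion, error) {
	if pw, ok := h.Users[identity]; !ok || pw != password {
		return Assertion{}, errors.New("bad credentials")
	}
	secret, ok := h.Secrets[returnTo]
	if !ok {
		return Assertion{}, errors.New("no association with " + returnTo)
	}
	nb := make([]byte, 16)
	if _, err := rand.Read(nb); err != nil {
		return Assertion{}, err
	}
	a := Assertion{Identity: identity, ReturnTo: returnTo,
		Nonce: base64.StdEncoding.EncodeToString(nb), Expires: now.Add(5 * time.Minute).Unix()}
	a.Sig = mac(secret, a.signedData())
	return a, nil
}

// RelyingParty is the weblog or forum that accepts foreign identities.
type RelyingParty struct {
	URL    string
	Secret []byte
	seen   map[string]bool // nonces already accepted
}

func NewRelyingParty(url string, secret []byte) *RelyingParty {
	return &RelyingParty{URL: url, Secret: secret, seen: map[string]bool{}}
}

// Verify accepts an assertion only if it was issued for this site, is unexpired,
// carries a valid MAC, and its nonce has not been seen before.
func (r *RelyingParty) Verify(a Assertion, now time.Time) error {
	if a.ReturnTo != r.URL {
		return errors.New("assertion was issued for a different site")
	}
	if now.Unix() > a.Expires {
		return errors.New("assertion expired")
	}
	if !hmac.Equal([]byte(a.Sig), []byte(mac(r.Secret, a.signedData()))) {
		return errors.New("bad signature")
	}
	if r.seen[a.Nonce] {
		return errors.New("replayed assertion")
	}
	r.seen[a.Nonce] = true
	return nil
}

func main() {
	secret := []byte("association secret shared out of band") // constructed
	home := &HomeSite{
		Users:   map[string]string{"https://alice.example/": "correct horse"},
		Secrets: map[string][]byte{"https://blog.example/login": secret},
	}
	blog := NewRelyingParty("https://blog.example/login", secret)
	now := time.Now()
	a, err := home.Login("https://alice.example/", "correct horse", blog.URL, now)
	fmt.Println("login:", err)                     // <nil>
	fmt.Println("first use:", blog.Verify(a, now))  // <nil>
	fmt.Println("second use:", blog.Verify(a, now)) // replayed assertion
}
```

The ReturnTo check is what stops one site from taking an assertion a user handed to it and presenting it to another; the nonce store is what stops the same assertion being replayed to the site it was meant for. In a real deployment the association secret would be established per relying party by a key exchange rather than configured by hand.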

    2. Re:How is it going to stay "single" by m50d · · Score: 1

      Doesn't that mean you have to trust not only the makers of the protocol, but also absolutely anyone, since anyone can run a server and give themselves an ID on their own server? Making the ID worthless?

      --
      I am trolling
  19. Single signature sign-on by 0xABADC0DA · · Score: 4, Interesting

    What I want is a system where I go to a site requiring a login and it asks my browser to sign some data with my private key. During the account creation I send the server my public key and that's that -- no need for a password and the login could be done automatically using cookies or something. Then there is no need for a single sign-on provider and nobody can globally revoke my account at all sites.

      You could still have an 'id provider' that could sign the data on your behalf if you are in an internet cafe for instance, but it would not be required by design. So in 'kiosk mode' the browser could just forward signature requests to the authority after you logged into it (which could even be your home computer).

    This should be pretty easy to do as a firefox plug-in.

    1. Re:Single signature sign-on by scaldef · · Score: 2, Informative

      The problem with this is that really security conscious sites (like your bank) won't go for it. The reason is precisely the bit you put in italics. Financial institutions want, as much as possible, to authenticate actual people, not computer programs.

    2. Re:Single signature sign-on by 0xABADC0DA · · Score: 1

      I'm not trying to get more karma, but there are other advantages that I thought of:

      Firefox could have an 'identity manager' that stores your public/private keys along with the name, address, phone, etc for that key. Then for a "fox-id" enabled site FF can automatically insert that data into the appropriate fields; the user would still have the ability to edit/delete individual data before sending it. So from a user perspective it could be a simple one-click "Use this id" drop down selecting the id to send. Most users would just use one id because they don't care about their info being private, but savvy people could still create a different id per site or just different levels.

      Companies don't like relying on anything external that could go down and impact their business, so they would take to a system where for most users there is no 3rd party -- all interactions would be between their site and the user's browser. Companies also like to have real information, so sites that really care could cross-check your public key against some authority (ie ask VISA if your public key matches your credit card info). Most sites would still allow anonymous access, but ones that cared like online shops could validate your info for cheap and so would reduce fraud -- you could no longer buy just by stealing somebody's credit card number, you would also need their private key and personal info.

      Also sites could just include the user's login in the URL as the login, so going to slashdot.org/~0xABADC0DA would automatically log me in but nobody else because only I have my private key.

      Of course there are downsides, like companies that buy your public key and info so they can put your name on the page even the first time you visit, but this could be managed by needing to add trusted sites in your browser config (like for cookies). It would also let companies tie together all your purchases even across keys based on matching the names, addresses, etc. But this already happens, so what's the difference?
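The browser-signs-a-challenge login 0xABADC0DA describes in these two posts, as an added example in Go (not code from the original post, and not a Firefox plug-in): registration stores only a public key; login is a fresh server challenge signed with the matching Ed25519 private key, with the site's origin folded into the signed message so a signature collected by one site cannot be replayed at another site that holds the same public key. The user and site names, the origin string and the two-minute challenge lifetime are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Identity is one entry in the browser's identity manager: a name and a key pair.
type Identity struct {
	Name string
	priv ed25519.PrivateKey
}

func NewIdentity(name string) (Identity, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return Identity{Name: name, priv: priv}, err
}

// Public is what the browser sends at account creation; the private key never leaves it.
func (id Identity) Public() ed25519.PublicKey {
	return id.priv.Public().(ed25519.PublicKey)
}

// message binds the signature to the site that asked for it, so a response
// captured by one site cannot be replayed to another that knows the same key.
func message(origin string, nonce []byte) []byte {
	return []byte("login:" + origin + ":" + hex.EncodeToString(nonce))
}

// Sign is the browser side: sign the site's challenge for that site's origin.
func (id Identity) Sign(origin string, nonce []byte) []byte {
	return ed25519.Sign(id.priv, message(origin, nonce))
}

type challenge struct {
	nonce   []byte
	expires time.Time
}

// Site is one web site that stores public keys, never passwords.
type Site struct {
	Origin     string
	accounts   map[string]ed25519.PublicKey
	challenges map[string]challenge // outstanding, single-use challenges
}

func NewSite(origin string) *Site {
	return &Site{Origin: origin, accounts: map[string]ed25519.PublicKey{}, challenges: map[string]challenge{}}
}

// Register is "send the server my public key and that's that".
func (s *Site) Register(user string, pub ed25519.PublicKey) error {
	if _, taken := s.accounts[user]; taken {
		return errors.New("name taken")
	}
	s.accounts[user] = pub
	return nil
}

// Challenge issues the data the site asks the browser to sign.
func (s *Site) Challenge(user string, now time.Time) ([]byte, error) {
	if _, ok := s.accounts[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = challenge{nonce: nonce, expires: now.Add(2 * time.Minute)}
	return nonce, nil
}

// Login consumes the outstanding challenge and verifies the signature with the stored key.
func (s *Site) Login(user string, sig []byte, now time.Time) error {
	c, ok := s.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.challenges, user) // single use, whether or not the signature checks out
	if now.After(c.expires) {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(s.accounts[user], message(s.Origin, c.nonce), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	me, _ := NewIdentity("0xABADC0DA")
	site := NewSite("slashdot.example") // constructed origin
	_ = site.Register("0xABADC0DA", me.Public())
	now := time.Now()
	nonce, _ := site.Challenge("0xABADC0DA", now)
	fmt.Println("login:", site.Login("0xABADC0DA", me.Sign(site.Origin, nonce), now))  // <nil>
	fmt.Println("replay:", site.Login("0xABADC0DA", me.Sign(site.Origin, nonce), now)) // no outstanding challenge
}
```

Because the same public key may be registered at many sites, the origin in the signed message is the check that matters: without it, any site you log into holds a signature it could forward to another site as you.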

    3. Re:Single signature sign-on by Elwood+P+Dowd · · Score: 1

      You could get some of the benefits of such a system by hosting your own OpenID server.

      It sounds like the features of OpenID are bound up in the features of FOAF, so I think the alternative you are describing is more of a tradeoff than a plain improvement.

      Maybe OpenID could be designed so that ID providers are not necessary if you handle your own key pair, but it wouldn't be all as simple as you put it.

      --

      There are no trails. There are no trees out here.
    4. Re:Single signature sign-on by cr4p · · Score: 2, Insightful
      What I want is a system where I go to a site requiring a login and it asks my browser to sign some data with my private key. During the account creation I send the server my public key and that's that -- no need for a password and the login could be done automatically using cookies or something. Then there is no need for a single sign-on provider and nobody can globally revoke my account at all sites.
      Interesting...That sounds a lot like what client-side SSL certificates can already do in most web browsers that support SSL. I haven't heard of any sites making much use of client-side SSL certificates, though.
    5. Re:Single signature sign-on by E_elven · · Score: 1

      And this is why our customer service department gets approx. two to three hundred calls a day from users who accidentally cleared their browser's STORED PASSWORDS.

      --
      Marxist evolution is just N generations away!
    6. Re:Single signature sign-on by scaldef · · Score: 1

      My bank, at least, sets things up so that your browser can't (or shouldn't) save the password. In fact, it won't even save my account number.

    7. Re:Single signature sign-on by Erwin-42 · · Score: 2, Interesting

      Denmark (!) has this feature. As a Danish citizen, I have acquired a SSL client-side certificate which I've installed into my browser. It is protected by a master password of course, but using it I can go to any site (mostly governmental services but also e.g. my cell phone provider lets me log in with it so I can check my cell phone logs or buy talk time) and be securely logged in, or use it to sign my email with a key verified by a government-sponsored organisation.

      If permitted, sites can access your information such as address or the Danish equivalent of SSN, but other sites can simply attach your signature to an account so you only have to remember your one master password.

      The digital signature can also be used to enter a binding contract via the Internet, though I don't really know which sites use this feature.

      One of the governmental services includes a site where bills, bank statements and official documents such as those from the tax office sent to me are stored as PDF files. All bills I get are paid electronically of course, but now a company can sign up for this service where such documents are stored on a server accessible to you as PDF files from anywhere.

    8. Re:Single signature sign-on by Anonymous Coward · · Score: 0
      I'm not trying to gain any karma or anything, but why don't you submit all your passwords to bugmenot? then if you use firefox with the right extension, next time you log on to your websites, your information is all filled-in for you!

      Couldn't be easier! I do that with my bank account, hotmail/gmail accounts, amazon... it all works just fine!

    9. Re:Single signature sign-on by dingman · · Score: 1

      The only one I know of is Geotrust. That said, it's *really* nice. Experiencing it as a client there makes me want to implement it for my own sites.

    10. Re:Single signature sign-on by quantum+bit · · Score: 1

      Some browsers are, by popular demand, starting to be able to override this and put control back in the hands of the user.

      I know there's a Greasemonkey script for Firefox that disables that "feature". Wouldn't surprise me if there was an IE plugin somewhere that did it too.

    11. Re:Single signature sign-on by quantum+bit · · Score: 1

      I actually ran across one the other day. One of our accountants was asking me a question about some corporate access Bank of America site. I noticed when she was logging in that it was authenticating with a client certificate.

      Kind of freaked me out -- I knew it was possible but had never actually seen a site that used it.

    12. Re:Single signature sign-on by Anonymous Coward · · Score: 0

      Financial institutions want, as much as possible, to authenticate actual people, not computer programs.

      That's because we have a ton of really half-assed and breakable authentication systems in place, and our current hack is to allow financial systems to totally bypass any form of privacy and know lots of personal data. Credit card companies love this, because of the monitoring potential (and the excuse of preventing fraud with their horrendously fraud-prone system).

      You can damn well bet that if I can make up a ID that isn't tied to my real ID and use it to do financial transactions of the PayPal sort (except perhaps less scummy than PayPal), I'd do it in a moment.

    13. Re:Single signature sign-on by Nurgled · · Score: 1

      In the ideal world where everyone uses keys and certificates, you'd get an institution like the passport office to give you a certificate saying who you are. Your credit card company would also give you a certificate saying that you are a user of their credit services. You would supply the relevant certificates, signed by an organisation trusted to provide such a certificate, to the sites in order to log in, just like you might show your passport and a proof of address to a bank when you create an account, and like when you present your credit card to a merchant to make a purchase. LiveJournal could even give you a certificate saying that you are a given user at LiveJournal, thus allowing you to prove that to other people.

      Unfortunately, all this stuff is hard to do right and users don't understand it, so it's unlikely to happen without some radical changes somewhere. OpenID and similar systems solve the very specific problem of knowing whether the Tom who is posting in some forum today is the same Tom who posted last week, and is the same Tom who posted in some other forum. It's not a magic bullet to solve all identity problems.

    14. Re:Single signature sign-on by Anonymous Coward · · Score: 0

      Yeah. It's called SSL. You might have heard of it sometimes?

  20. Already have single sign-on by Dangero · · Score: 0, Flamebait

    I already have a working single signon. It's called Windows XP login, using IE with autocomplete turned on you never have to enter any passwords online. IE works better than Firefox; as unpopular as that is to say around here. I just can't subscribe to all the Microsoft Bashing.

    1. Re:Already have single sign-on by iGN97 · · Score: 1
      I just can't subscribe to all the Microsoft Bashing.

      Maybe if MS Outlook worked better, your subscription mail to the MS bashing list would be delivered successfully.
  21. Liberty Alliance anyone by hal9000(jr) · · Score: 1

    Any reason to think this will be more widely adopted than liberty alliance initiatives?

    The reason I ask is that the technology is a walk in the park compared to the much more difficult problem of trusting an external system to authenticate for you.

    1. Re:Liberty Alliance anyone by cpuh0g · · Score: 1

      No. It will almost certainly not be adopted by Liberty alliance. LI already has a ton of standards and protocols (open) that they use, I seriously doubt they would change at this point.

  22. Re:Thinking. by smittyoneeach · · Score: 2, Interesting

    Given the amount of Microsoft, Apple, Google, and other big-name-company stories that, otherwise inexplicably, have been termed "news", and "stuff that matters", yes.

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  23. Re:What? by wolfgang_spangler · · Score: 0, Offtopic

    This under the hardware category... am I missing something?

    Yes, a life. Hmm, that sounds much harsher than I intended it, but you may be paying a little too much attention to /. if you noticed/care about that.

  24. Fortunately for those AD users... by Anonymous Coward · · Score: 0

    Novell has provided a superior solution. Novell's directory is not only superior to Active Directory in almost every way, it also has the ability to provide universal single signon. It does this via federated identity management and has been available for several years and has proven to be more reliable and secure than any Passport solution.

    Also, for those that already suffer under Active Directory and do not wish to rip and replace their directory infrastructure, Novell provides the tools to let eDirectory manage Active Directory and synchronize directory changes between the two.

    Similar to what you stated, but better, Novell's eDirectory allows for easy integration of all systems including Linux, Mac OS all, Solaris, Windows, AIX and more. eDirectory is fully accessible via standards based LDAP and does not suffer from proprietary Kerberos extensions that impede cross platform integration.

  25. LID by ibku · · Score: 2, Informative

    http://lid.netmesh.org/ - I've heard good things about LID, and it supports SSO.

  26. Finally! by El_Servas · · Score: 1

    I hope it work with AdultPass sites too.... it's a nuisance to have to remember all those IDs...

  27. Bad idea by 77Punker · · Score: 0, Flamebait

    Throwing one password around to control everything?
    That's a fine example of putting all the eggs into one basket.

    Count me out.

    1. Re:Bad idea by Suppafly · · Score: 2, Informative

      See what happens when you don't read the article, you end up not understanding what it's about and then you make stupid comments.

  28. Anyone by varmittang · · Score: 1

    Did I read that right, that anyone can run one of these OpenID Servers. So now I can set up a server and have everyone's passwords and usernames filter into it. I'm not too sure about this.

    --
    -----BEGIN PGP SIGNATURE-----
    12345
    -----END PGP SIGNATURE-----
    1. Re:Anyone by Suppafly · · Score: 1

      So now I can setup a server and have everyone's passwords and usernames filter into it.

      No, read the article and try to understand it before commenting.

    2. Re:Anyone by varmittang · · Score: 1

      Ok, so when I sign up for a blog I get the chance to post elsewhere with sites that support OpenID. What if I get a free blog, and after some time, they make me pay. How am I supposed to take my OpenID with me?

      And what keeps me from making a blog site and using OpenID. When someone posts to my site, what keeps me from getting their password, because OpenID is passing info on the person that wants to post to my site in the background. What prevents this service from becoming the next fishing ground for personal information?

      --
      -----BEGIN PGP SIGNATURE-----
      12345
      -----END PGP SIGNATURE-----
    3. Re:Anyone by Wesley+Felter · · Score: 1

      What if I get a free blog, and after some time, they make me pay.

      Free services are scams.

      How am I supposed to take my OpenID with me?

      Run your own OpenID server using a domain name that you own.

      And what keeps me from making a blog site and using OpenID. When someone posts to my site, what keeps me from getting their password?

      Only your homesite sees your password.

    4. Re:Anyone by varmittang · · Score: 1

      Well, I don't have a Gmail account so I don't know first hand, but the last I heard, it was free. So it's a scam. I know it's not a blog, but I'm just going after the anything free is a scam part.

      Now everyone that wants to use an OpenID has to get a domain name, which you have to pay for, and set up their own server if they want to be sure not to lose their OpenID. Right. I know I can do it, but my parents can't. This is supposed to be for the non geeks too right.

      And what keeps someone from hammering my server then and somehow getting it to spit out my password, or maybe I missed a patch, or that non geek person missed it.

      I'm sorry if I'm raining on your parade, but I have to point out some of the weaker parts.

      --
      -----BEGIN PGP SIGNATURE-----
      12345
      -----END PGP SIGNATURE-----
    5. Re:Anyone by erlenic · · Score: 1

      The "default" way to use this is to find a site you'd use all the time and have your ID stored there. If that site folds, oh well. What happens to the .Net Passport your parents have now if Microsoft decides to ditch Passport? People who don't want to trust another site, like you and many other geeks, could run their own servers.

  29. Embrace, Enhance, Proprietarize (is that a word?) by Anonymous Coward · · Score: 0

    How many want to bet if this takes off, Microsoft will EEP it (Embrace, Enhance, Proprietarize) and turn it into a closed "standard" and force it onto the Windows addicted populace (which at the moment is a large percentage of desktop users?)

  30. Already forgot about the Liberty Alliance spec? by KrisWithAK · · Score: 1

    This is yet another attempt at a SSO solution. It is not too hard to come up with a rough design for one. The main problem is getting a significant number of sites to use the same one. Otherwise, what is the use? Marketing/advocacy is needed for that.

    Although I admit I have not tried it out yet, have people already forgotten about the Liberty Alliance Project? There already exists an open source implementation, SourceID. Why not contribute effort to working with that library? Or if you must have the enjoyment of writing your own implementation, why not at least try to be interoperable with an existing spec?

    1. Re:Already forgot about the Liberty Alliance spec? by kevinbr · · Score: 1

      Or more relevant is SAML, which is the OPEN standard for Authentication and Authorization that is at the heart of Liberty. You can use SAML without having to implement the full liberty spec. See OpenSAML, an open source Java based implementation. BUT, there are some patent issues around SSO.

  31. Wanted: One problem. Already have solution. by pla · · Score: 1

    Passport didn't fail for lack of Microsoft's trying, or even all that much on (lack of) technical merits (it had flaws, no argument there, but for the most part it did work acceptably well).

    It failed because, on the corporate side, no one wanted to hand Microsoft another monopoly, over the "electronic identification" market - Thus, really only Microsoft-run sites and a handful of "partners" accepted it. On the personal side, those who actually care about such issues abhorred the idea of having a single, non-anonymous identity, and those with only a little bit of a clue liked it but worried about how Microsoft would treat their information (while the masses of lemmings out there use the same password for any website that asks, their ATM pin, and their email, so didn't have a problem keeping track of all those nasty passwords in the first place).

    And what do we have with this new system, that will make it any better?

    Companies might use it, but they'll each want to run their own server, making it no more useful than just having 200 accounts spread across as many websites, as we have now. Those who really understand all this still won't want to use anything that doesn't guarantee total anonymity, and those with a partial clue will still worry about who can do what with their info. And, of course, the lemmings will just see it as one more request for their ATM pin number, but otherwise won't notice the difference.


    We need decent MS office import filters. We need a solution to spam. We need a cure for cancer. We need new games that don't suck. Please, people, if you code in your spare time, STOP WASTING TIME SOLVING NON-PROBLEMS!

  32. Why not just use Shibboleth and Pubcookie? by Anonymous Coward · · Score: 1, Informative

    This is a problem that already has a solution in production. Using pubcookie for the single sign on, and Shibboleth for the distributed trust relationships.

    1. Re:Why not just use Shibboleth and Pubcookie? by spyder913 · · Score: 1

      We use pubcookie all over here at the U of Washington, and it is very nice.

  33. Teen Girls by Anonymous Coward · · Score: 0

    idiots (AKA teen girls)

    You just sent LiveJournal's membership higher than that of AOL.

    Gotta run. Gotta get over to LiveJournal and sign up!

  34. Public key authentication by irc.goatse.cx+troll · · Score: 1

    I didn't RTFA, but ever since Passport came out I wondered why they would want to auth to a remote server when you could just auth to your key, then have your browser act as an agent(or forward to ssh-agent) and let the remote host auth via pubkey, exact way that works securely and easily for ssh.

    The way my X11 is setup now all I have to do is startx, enter my password in ssh-askpass, then I can freely ssh to any server I want without entering a password. I can also ssh from there to another server, still passwordless, still based on my original authed key.

    --
    Pain lasts, kid. It's how you know you're alive. Sometimes I think this growing up thing is just pain management -TheMaxx
  35. Why not just use SAML? by ProgressiveCynic · · Score: 2, Insightful

    This problem is best solved using standards, not by supplying a new software platform. SAML, Shibboleth, and Liberty have all been around quite a while, fill this need quite nicely and a number of different implementations of each protocol exist, including FOSS and commercial options. Features like pseudonyms and selective information sharing are already there. Why do we need another way to do this?

    --

    Delivering militantly anti-commercial music to all two people who care!

  36. Re:What? by maxwell+demon · · Score: 0, Offtopic

    Well, if you prefer it, you can also read the IT version of the story. Or maybe you prefer Your Rights Online?

    --
    The Tao of math: The numbers you can count are not the real numbers.
  37. Defeating security... by Darkon06 · · Score: 1

    Doesn't this make it THAT much easier for a break-in, or identity theft? Now if tons of sites and companies support this, hackers only need to break through ONE barrier to steal your identity. In general, anything that makes the user's experience easier also makes it less secure. But that's just my .02

  38. Yes, we authenticate our Apache servers against AD by wsanders · · Score: 1

    Inexplicably, AD seems to interoperate with other Kerberoses. In my current contract at a Generic Huge Financial Services Company we authenticate our Apache servers (internal, htaccess-type auth) running on Linux against AD. No reason why we could not add our Solaris and Linux login authentication to that.

    I do not administer the AD boxes, those guys are on a different continent, so I don't know what kind of kludges those guys had to go through to get this to work. But in view of the recent Scott McNealy - Steve Ballmer kiss-fest over Solaris-Microsoft interoperability, yes it isn't much of a stretch anymore.

    This is On Topic because I agree with the original poster - any SSO has got to work with AD to be successful.

    --
    Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
  39. One password for each system by xv4n · · Score: 1
    I prefer one password for each system I sign in. That's The Right Thing.

    Would you like to have one single key to open any door, lock, car or locker you have?

    Single sign-on.... What's that? too lazy to memorize a bunch of passwords?

    1. Re:One password for each system by Anonymous Coward · · Score: 0

      Would you like to have one single key to open any door, lock, car or locker you have?


      Since most of them are on one key chain anyway, it would be kind of nice to just have one key.


  40. distributed != decentralized by PureFiction · · Score: 3, Insightful

    Yadis is correctly described as distributed single sign on, not decentralized single sign on. Everyone still has their dedicated central identity server, it's just that requests from other sites can be delegated to your server instead of requiring only one for everybody.

    distributed != decentralized!

  41. Single signon vs same password by FooBarWidget · · Score: 1

    Can anyone tell me what the single signon hype is all about? How is single signon any different than using the same password for multiple websites?

    1. Re:Single signon vs same password by 99BottlesOfBeerInMyF · · Score: 1

      Can anyone tell me what the single signon hype is all about? How is single signon any different than using the same password for multiple websites?

      Well, for starters you don't have to worry about different sites knowing your username and password on other sites. If you use the same username and password on all sites, a sysadmin at one site can go to another (popular) site and try all their saved userids/passwds against it and will probably get access to a number of accounts. With OpenID they get a one-time token and you can have as many different userids and passwords as you want, but still have single sign-on.

    2. Re:Single signon vs same password by FooBarWidget · · Score: 1

      "Well, for starters you don't have to worry about different sites knowing your username and password on other sites."

      Does that mean that with single signon, the password is stored by a third party, and the website itself doesn't know your password?

    3. Re:Single signon vs same password by cpuh0g · · Score: 1
      Single sign on means that you enter your password ONCE - in a secure manner. From that point on, you have a set of secure credentials that are passed around and used for authentication; you do not have to enter your password ever again and no one on the other end actually knows your password. They validate your credentials, not a password.

      Read up on secure third-party authentication - Kerberos, for example.

    4. Re:Single signon vs same password by 99BottlesOfBeerInMyF · · Score: 1

      I know a lot of people don't want to take the time to read the article but at least read the article summary before you comment. "The site you are authenticating with never sees your username or password, just a one-time token."

    5. Re:Single signon vs same password by mabhatter654 · · Score: 1
      At work I have passwords for at least 7 different systems/programs on a DAILY basis!!! The poor system engineer has upwards of 25.

      Why? Because every system has a different way of doing things and no good way to talk to others... unless of course you go for the full MS Kool-Aid. The whole idea is that of being centralized to what YOU want to trust. In an enterprise setting you can point all your independent devices to one place... in an internet environment you can have "trusts" between sites... Then I could use the same screen name at many websites.. slashdot, fark, republican national convention...etc.. if they choose to trust each other that would be enough...

      Think of it as "you know a guy, who knows a guy..." or "a friend of a friend..." ad hoc like in real life... not centrally controlled!!

  42. Free as in Freedom by RealProgrammer · · Score: 4, Funny
    Does it mean I have to release my password per GPL and anyone is allowed to modify and distribute it for free?

    That's a common misconception. We have no problem with people making money from your password. It's the attempt by some to restrict freedom and keep your password all to themselves that we are against.

    We would support, for instance:

    • sending your password out on a tape and charging $100 for the tape.
    • charging you $100 for your use of the computer resources on which your password is stored
    • charging you $100 for the support of your password
    • charging you $100 for this response

    Your password wants to be Free. We urge you to set aside the bondage in which your password is held and join with us for a better community.

    [Gnoll mode: OFF]
    --
    sigs, as if you care.
    1. Re:Free as in Freedom by Anonymous Coward · · Score: 0

      Classic! =)

  43. Why are they calling this identity? by Daedala · · Score: 2, Insightful

    I like this quite a bit. However, I think it's suffering from the same problem most people have with the term identity on the Internet -- binding.

    "Identity," formally, means who you are -- the unique person with your identity. I'm not going to write my real name here, but that's my identity. No one else is me: my identity is bound to me, even if there are people with the same name.

    "Identity," colloquially, means "that person I know." You may not know me by my name. You know me by "daedala." That's my handle. I always post here as daedala, so that's my consistent presense on slashdot (and my journal, and my email, and most other places I post...).

    It's pretty difficult to establish a unique identity, bound to an individual, on the Internet. People screw this up all the time. It's not nearly as difficult to establish a consistent handle. From my review of this system, what it's doing is the latter.

    So really, they should be calling it OpenHandle.

    --
    What I say does not represent the views of my employers, my friends, my cats, or myself.
    1. Re:Why are they calling this identity? by premchai21 · · Score: 1

      Argh! "presence"!

    2. Re:Why are they calling this identity? by PigleT · · Score: 1

      An identity is a (person,role) pair, such as "daedala that posts on /.", or "daedala who runs a particular website", etc. The real world is no less prone to the same problem: "Fred who pays his taxes" and "Fred with a particular driving licence" normally tally - but they don't, otherwise we wouldn't have a bunch of problems with forged ID documents of various kinds.

      I'd go so far as to say that getting to know someone is the same as piecing-together a sizeable number of these facets about them, but at the end of the day, all I know is (friend, [phone#,locations,style,appearance,[handle..],..]) etc.

      --
      ~Tim
      --
      .|` Clouds cross the black moonlight,
      Rushing on down to the circle of the turn
    3. Re:Why are they calling this identity? by Creepy+Crawler · · Score: 1

      What is self?

      Isn't self your real identity? Does it really matter if you're Paul Whackabee, Jonah Jackson, or Jason Voorhees?

      We could argue that your DNA is self, but it isn't. When you bleed (from an injury), does your self leave there? Or on surgery, does your self go away there? Of course not.

      If you were a perfect twin, are both of you the "same self"? Nope.

      Logically, we must conclude your self is actually some instantaneous moment of your crystallized product of your knowledge.

      That goes deeper in.. Does your self change? Yes it does. Can anybody predict what change you will enact in the next moment? Nope. We can theorize upon observing prior behavior, but no snapshot can ever show true self.

      Like I ask above... What is self?

      --
    4. Re:Why are they calling this identity? by Nurgled · · Score: 1

      If you post on slashdot and then run off and post on LiveJournal, both as "Daedala", no-one has any guarantee that we're dealing with the same Daedala. With OpenID, assuming you used the same identity (a word I'm only using because that's what they're calling it), other people would be able to know that the two are the same.

      It's not a total solution, and only answers one question: "Is this the same person as I saw before?". It's a useful question to answer when it comes to interacting with people, though. It means that (on an OpenID-supporting, trustworthy site) no-one can pretend to be you.

    5. Re:Why are they calling this identity? by Sjobeck · · Score: 0

      Ahhhh, what is self? Who am I? Why am I here? Is Dubya correct that this will all be over in 20 years? What is love? Is hate the opposite of love or the absence of all emotion? Can a robot love another robot? Can Dubya love?

  44. Brad is pissed!! by Anonymous Coward · · Score: 0
  45. Identity can be decentralized, authenticity can't by Omniver · · Score: 2, Insightful

    Authentication (username - password/tokencode/biometric/whatever) is generally the first step to establish a digital identity. This requires some trusted source to be able to judge if the credentials are sufficient to establish the identity.

    From my quick reading, OpenID doesn't try to do this and leaves this up to the "identity provider" which can be a centralized service or even my own home system. OpenID is more concerned with mapping whatever identity the user chooses to use consistently across the sites they visit.

    This makes sense for sites that care more about consistently mapping a user to an ID, but don't really care who the user is (like Slashdot), but makes absolutely no sense for any site that actually needs to know something about its users (banking, commercial, etc.). Until such time that there is a commercially trusted source of identity (yah right), sites that perform any type of regulated or high-risk activity will have the responsibility of identifying their own users or federating with other entities that they trust backed with legal/liability agreements.

    IMO: This is doomed to blogspace and sites where liability is not an issue. If you're serious about SSO, look to SAML.

  46. I am a cryptographer, and this isn't so. by Paul+Crowley · · Score: 3, Informative

    I don't think RSA is overall more trusted than DSA, and I certainly don't see a way in which it's more flexible for this application. It was designed only to do signatures, but that's fine, since only signatures are needed here.

    When you say "leaking bits", you're probably thinking of subliminal channels, and you're referring to some rather out-of-date information in Applied Cryptography. It's now established that all secure signature schemes have subliminal channels; they have to be probabilistic for the security proofs to work, and that's enough to give a "low-bandwidth" channel for anyone who doesn't know the signing key, or a "high-bandwidth" channel for those who do.

    DSA is a perfectly good choice here.

  47. This is just an answer to EZboard single signon by Animats · · Score: 1
    This is just LiveJournal's answer to EZboard's single signon. You can register for any EZboard blog, and reuse the registration information with other EZboard blogs. It's centralized, but it's a feature that LiveJournal and its affiliates don't have. Google and Yahoo also have common sign-ons across their various services. So the LiveJournal people had to do something to keep up.

    It's not helpful for e-commerce, corporate intranets, campus-level signons, online banking, or spam prevention.

    1. Re:This is just an answer to EZboard single signon by ckelly5 · · Score: 1

      My problem is that LiveJournal *is* SixApart, makers of TypeKey. So why not just convert LJ accounts to TypeKey ones?

      (it's not that easy, of course, but it would have made more sense to me to use your parent company's SSO technology than to implement a new one)

    2. Re:This is just an answer to EZboard single signon by ffrinch · · Score: 1

      Eh? LiveJournal accounts already work across all LiveJournal journals and communities, plus the new photo gallery thing. It already has what EZboard has. This is for interoperability with non-LiveJournal sites like DeadJournal (which people have been wanting for a long, long time) or whatever. It's for signing up at EZboard and using that account to comment at LiveJournal. They're using this over TypeKey (even though LJ is owned by Six Apart) because no-one wants centralized authentication.

  48. kerberos? by FranTaylor · · Score: 1

    How is this different from Kerberos? Why not just use kerberos?

    1. Re:kerberos? by ProgressiveCynic · · Score: 1

      Ummm, this is intended for use over the Internet... 'nuff said.

      --

      Delivering militantly anti-commercial music to all two people who care!

    2. Re:kerberos? by Anonymous Coward · · Score: 0

      Do you even know what Kerberos is?

    3. Re:kerberos? by Creepy+Crawler · · Score: 1

      Evidently not.

      --
  49. Re:Yes, we authenticate our Apache servers against by Colin+Smith · · Score: 1

    It's fairly easy for Unix boxes to authenticate against AD. The reverse is not true for Windows machines.

    "any SSO has got to work with AD to be successful"

    Not true. The Internet and Intranet are entirely different environments. One is controlled and usually managed centrally, the other is uncontrolled and managed in a distributed fashion. A solution which is appropriate for one may not be appropriate for the other.

    --
    Deleted
  50. Multiple networks... by argent · · Score: 1

    This makes sense for sites that care more about consistently mapping a user to an ID, but don't really care who the user is

    Since sites like that have a real problem with identifying people so they can sanction spammers without making it too hard for regular joes to participate, this is a valuable tool. If it can be used more widely that's a bonus... and you have already suggested one way it COULD be used more widely:

    sites that perform any type of regulated or high-risk activity will have the responsibility of identifying their own users or federating with other entities that they trust backed with legal/liability agreements.

    1. Re:Multiple networks... by Omniver · · Score: 1

      sites that perform any type of regulated or high-risk activity will have the responsibility of identifying their own users or federating with other entities that they trust backed with legal/liability agreements.

      Yes, OpenID could be used for this, but there already exists an open standard for this that is supported by nearly every major vendor - SAML. Why invent another wheel?

  51. Why Hasn't SAML Been Adopted? by Vagary · · Score: 2, Interesting

    For whatever reason (could someone wager a guess?) SAML has not been widely adopted (and don't try to argue this point). Maybe this will rectify whatever deficiency SAML has? Or maybe the project is just to create a widely-usable SAML authentication authority?

    1. Re:Why Hasn't SAML Been Adopted? by ProgressiveCynic · · Score: 2, Informative
      Call me perverse, but anytime someone tells me not to argue a point I just can't resist. ]=D

      SAML has been widely adopted, just not in the use case you're imagining. For B2B scenarios it is actually taking off quite well, and the US federal government is standardizing on it.

      Now, it hasn't caught on in the world of consumer focused web sites, which is understandable given the architecture - no consumer authenticates at an authority before accessing sites, so it only makes sense for co-ordination between business partners who are providing services to the same users right now. Until a commercial site becomes an identity authority accepted by most consumer sites this will continue to be true. LiveJournal could have attempted to become this authority using existing standards far more easily than tackling the creation of new protocols and implementation platforms at the same time they try to build the business structure. But like most of us, they appear eager to reinvent the wheel.

      I find it interesting though that on the one hand every techy's complaint about Passport et al was the monopolistic, centralized model, with all the very appropriate concerns about putting your eggs in one basket - and then when a decentralized model comes along, people wonder why it only catches on in small pockets. What exactly did you think decentralized meant? If you truly want a global SSO mechanism then you are asking for an identity monopoly. If you want different identity providers, you are going to have to deal with trust issues from each provider to whichever resources you want to access. This is a business problem, not a technical one. The standards and technologies to implement whatever world we want to create are there, we just need to figure out what we are really asking for.

      --

      Delivering militantly anti-commercial music to all two people who care!

    2. Re:Why Hasn't SAML Been Adopted? by kevinbr · · Score: 1

      Most of the Identity Vendors have implemented SAML as an option, now allowing open interoperability across platforms. They did interoperability testing several years ago. I did try at one stage to convince (via OMA activities) Telcos to adopt SAML. It was part of a Portal Architecture delivered to a VERY large French Telco. They then (via FTR and D) decided to scale up and adopt Liberty. I would have been happy with SAML. But SAML now means that each operating company in this telco can have SSO and authentication for services across national and organizational boundaries. Before SAML there was a homegrown SSO solution in Java.

  52. Competition by flsquirrel · · Score: 1

    Don't multiple competing standards for single sign-on basically defeat the purpose of single sign-on, since all the sites you visit will have to all hop on the same bandwagon?

    1. Re:Competition by ProgressiveCynic · · Score: 1

      Well, there's always the Sun-Microsoft joint proposal for a meta-protocol that allows the access platform to select between all of these SSO options. Of course, that just means everyone needs to support everything and results in far more complexity than simply agreeing to use the standards that already solved the problem nicely, but hey, nobody ever accused Sun or Microsoft of doing the reasonable thing.

      --

      Delivering militantly anti-commercial music to all two people who care!

    2. Re:Competition by Wesley+Felter · · Score: 1

      A site could support multiple identity systems.

    3. Re:Competition by Nurgled · · Score: 1

      There's nothing to stop the different services coming into agreement and working with each other. For example, it appears that TypeKey will eventually provide an OpenID identity server so that TypeKey accounts can be used on any OpenID site. That admittedly is cheating a little because Danga and TypeKey both belong to Six Apart, but since OpenID doesn't depend on one identity server, there's no technical reason why (for example) MSN Passport couldn't provide an OpenID identity server so that you could use your MSN Passport on any OpenID-supporting site.

      It's harder for the other methods to share because they depend on a single ID server, but OpenID can bind them all together in theory.

  53. any backend can work by ydnar · · Score: 1

    OpenID asserts a URL, and that the person using the browser has control in some way over that URL. How you are authenticated is up to your OpenID server's implementation.

    It could be LiveJournal, TypeKey/TypePad, your corporate website using LDAP or AD, whatever.

    A hypothetical example:

    John Carmack forgets his password again, and wants to comment on a Slashdot article about rockets and Quake.

    Assuming Slashdot has OpenID support, he can supply his URL: http://www.idsofwtare.com/~johnc/ and Id's OpenID server can assert that URL.

    Slashdot can (if it chooses) do some autodiscovery and fetch a FOAF/vCard/hCard/whatever to fill out some user data so he's identified as "John Carmack" on the comment.

  54. Wow. by yitzhak · · Score: 3, Informative

    I mean, I shouldn't be surprised, but I am. It seems like 90% of the people commenting didn't RTFA, or didn't have their brains installed at the time. This isn't a secure banking system - it is, as one person pointed out, probably better described as OpenHandle. You sign in ONCE, and from that site, you tell it which other sites can authenticate from your identity site. Then, these sites know who you are. They don't get your password, or anything, they just get a temporary key to verify that you're you. Any site can fake it, that's not the point. The point is that you have participating sites where you would not want to have to sign in every time you want to comment. It helps prevent lock-in to blogs etc - imagine, for example, you sign in to slashdot, and then you can use the same handle without having to create accounts and sign in at other blogging services. THAT's the idea. It's not a trust net, or a passport-like system, it's just so that sites that want to play by the rules can provide people with a convenient way to identify themselves. That's ALL.

  55. Why not just RTFA? by Wesley+Felter · · Score: 1

    This is explained on the Web page.

    1. Re:Why not just RTFA? by ProgressiveCynic · · Score: 1

      Their arguments strike me as rather unconvincing. There is no reason that the existing SAML profiles could not be used in an AJAX application, and I'm very interested to hear how they are going to securely exchange identity tokens without using SSL or duplicating its functionality. These are their only two arguments against SAML. You are correct that I have not read further to understand the whole spec which may indeed answer these questions.

      --

      Delivering militantly anti-commercial music to all two people who care!

  56. It's not by Wesley+Felter · · Score: 1

    It's not single-sign-on because you have to fill in your homesite at every different site you log in to. But it doesn't claim to be SSO, either; the submitter mangled the story as usual.

  57. Gnoll? by Anonymous Coward · · Score: 0

    As in "Gnomic Troll", maybe...

    1. Re:Gnoll? by RealProgrammer · · Score: 1

      >Gnomic Troll?

      Yeah, or GNU+Troll.

      --
      sigs, as if you care.
    2. Re:Gnoll? by sxtxixtxcxh · · Score: 1

      ... or: /dev/gnoll

      --
      for a minute there, i lost myself...
  58. Single Sign-on like Passport is a lame idea. by MikeFM · · Score: 2, Interesting

    Why don't we just use a single password entered by the user (once per session or once per browser, depending how it's saved) to generate tokens unique to each site a user browses to. Pass those tokens to the site automatically as part of the http headers. No need to ever send any login data through a third-party. No need for any complexity on the part of the end-user or website designers. Just a small bit of extra code added to the browser and webserver (optionally). Firefox and Apache could do this easily enough.

    Heck, you could have the browser send these unique user and password tokens automatically whenever the website asks for http auth. Nothing would even need to change on the server side. Just a small change to the browser. The chances of two users both having the same username and password aren't that high unless they pick something really easy to guess anyway, like a name and password they see in a movie.

    --
    At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
    1. Re:Single Sign-on like Passport is a lame idea. by Wesley+Felter · · Score: 1

      That sounds like Passwd Composer.

    2. Re:Single Sign-on like Passport is a lame idea. by MikeFM · · Score: 1

      Pretty similar. Just needs to be built in so that it's transparent to users.

      --
      At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
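The per-site token idea MikeFM sketches above, and the "Passwd Composer" approach the reply compares it to, come down to one client-side derivation: a master secret is stretched once, then keyed into an HMAC over the normalized hostname. The following is an added illustration written for this thread, not code from any project mentioned on the page; the KDF parameters, the salt label and the token length are this example's own choices. The point a defender cares about is that a site that is breached holds only its own token, and HMAC lets it derive neither the master key nor the token for any other hostname; a look-alike domain also receives a different token than the genuine site.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Added illustration of "one master password, a different token per site"
# (the Password Composer / PwdHash approach). Not the code of any project
# named on the page; KDF parameters and salt label are this example's own.

KDF_SALT = b"per-site-token-example-v1"   # constructed label, not a secret
KDF_ITERATIONS = 100_000                  # slows offline guessing of the master


def normalize_site(site: str) -> str:
    """Reduce a URL or host to a lowercase hostname used as the per-site input.

    Scheme, port, path and a trailing dot are dropped so the same site always
    derives the same token. Public-suffix handling is out of scope here.
    """
    if "://" not in site:
        site = "https://" + site
    host = (urlsplit(site).hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError(f"no hostname in {site!r}")
    return host


def master_key(master_password: str) -> bytes:
    """Stretch the master password once per session; the result never leaves the client."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), KDF_SALT, KDF_ITERATIONS
    )


def site_token(key: bytes, site: str, length: int = 20) -> str:
    """Per-site token = HMAC(master key, normalized hostname), base64url-trimmed.

    A site only ever sees its own token; HMAC prevents it from recovering the
    master key or computing the token for any other hostname.
    """
    if not 8 <= length <= 43:
        raise ValueError("length must be between 8 and 43 characters")
    mac = hmac.new(key, normalize_site(site).encode("ascii"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")[:length]


def tokens_for(master_password: str, sites: list[str]) -> dict[str, str]:
    """Convenience wrapper: derive the token for each listed site."""
    key = master_key(master_password)
    return {normalize_site(s): site_token(key, s) for s in sites}


if __name__ == "__main__":
    # Constructed sample: one master password, two real-looking sites and one
    # look-alike domain, which gets a token unrelated to the genuine one.
    demo = tokens_for("correct horse battery staple",
                      ["slashdot.org", "https://www.livejournal.com/login", "examp1e.org"])
    for host, tok in demo.items():
        print(f"{host:24} {tok}")
```

The hostname normalization is what makes the scheme usable and also where it is fragile: without a public-suffix list, `login.example.com` and `www.example.com` derive different tokens, so a real deployment has to decide which label is the "site".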
  59. Six Apart owns LiveJournal by mikemcg · · Score: 0

    Just thought I'd add that as of Jan 2005, Six Apart owns Danga, which is the parent company of LiveJournal.

  60. Digital Certificates by infohord · · Score: 2, Interesting

    We have this already; it is called digital certificates. I get one digital certificate that identifies me and I use it on multiple sites. Now if more sites just supported authentication by digital certificate, a process supported on all web servers already, then we would be done. Why do so few webmasters understand digital certificates? Do we expect them to understand this any better?

  61. Spoofing? by Anonymous Coward · · Score: 0

    It looks like this system doesn't make an attempt to verify that the person attempting to sign on is actually the same person who was authenticated in the first place.

    From the spec:

    openid.is_identity -- The identity URL the client is asking the ID server to verify. The exact question is: "Is the user logged in to your site represented by this URL, and do they allow the trust_root (and therefore the return_to URL) to know that?"

    So, Alice's identity is represented by a URL and the system doesn't verify that the URL submitter is actually Alice. All that is verified is that Alice is logged in and that she trusts the submitting site. So, what is to prevent Eve from making a request that verifies that Alice is logged in and then making a post that spoofs Alice? As long as Alice is logged in and Eve knows Alice's identifying URL, Eve can spoof Alice.

    Unless I'm completely missing something, this (short) "spec" needs a little more work. Say what you will about PassPort, but at least it used PKI on the client to solve this little problem.
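To make the spoofing question above concrete, here is an added model of the two sides of the check the quoted spec text describes; it is written for this thread and is not the OpenID protocol or Danga's code. It assumes the identity server and the consumer site share an HMAC key established beforehand (`ASSOC_KEY`), that the server answers only for the browser session that is actually logged in, and that every assertion carries a fresh nonce so the consumer accepts it once. Under those assumptions Eve knowing Alice's URL is not enough: the server refuses to answer for Alice from Eve's session, and an assertion Eve captures cannot be replayed, re-targeted at another site, or edited without breaking the signature.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Added model of the "is the user logged in to your site represented by this
# URL" check. Not the OpenID protocol or Danga's code. Assumptions: a shared
# HMAC key between ID server and consumer, per-session answers only, and a
# one-time nonce per assertion.

ASSOC_KEY = secrets.token_bytes(32)   # constructed shared secret for the demo

# Constructed identity-server state: which consumer sites each user has
# allowed to learn that they are logged in.
ALLOWED_TRUST_ROOTS = {
    "http://alice.example.net/": {"http://slashdot.example/"},
}


def _canonical(fields: dict) -> bytes:
    return "&".join(f"{k}={v}" for k, v in sorted(fields.items())).encode("utf-8")


def sign(fields: dict) -> str:
    return hmac.new(ASSOC_KEY, _canonical(fields), hashlib.sha256).hexdigest()


def return_to_within(trust_root: str, return_to: str) -> bool:
    """return_to must point back at the site named by trust_root."""
    tr, rt = urlsplit(trust_root), urlsplit(return_to)
    return tr.scheme == rt.scheme and tr.hostname == rt.hostname and rt.path.startswith(tr.path)


def identity_server_answer(session_identity, requested_identity, trust_root, return_to, now=None):
    """Answer only for the user logged in to *this* browser session.

    Eve asking about Alice's URL from Eve's own session gets None, however
    well she knows the URL. Returns a signed assertion on success.
    """
    if session_identity != requested_identity:
        return None
    if trust_root not in ALLOWED_TRUST_ROOTS.get(requested_identity, set()):
        return None
    if not return_to_within(trust_root, return_to):
        return None
    fields = {
        "identity": requested_identity,
        "return_to": return_to,
        "nonce": secrets.token_hex(16),
        "issued": str(int(now if now is not None else time.time())),
    }
    fields["sig"] = sign(fields)
    return fields


class Consumer:
    """The relying site: verifies an assertion before treating the visitor as that identity."""

    def __init__(self, trust_root: str, max_age: int = 300):
        self.trust_root = trust_root
        self.max_age = max_age
        self.seen_nonces: set[str] = set()

    def accept(self, assertion: dict, claimed_identity: str, now=None) -> bool:
        sig = assertion.get("sig", "")
        fields = {k: v for k, v in assertion.items() if k != "sig"}
        if not hmac.compare_digest(sign(fields), sig):
            return False                      # forged or tampered
        if fields.get("identity") != claimed_identity:
            return False                      # assertion is about someone else
        if not return_to_within(self.trust_root, fields.get("return_to", "")):
            return False                      # issued for a different site
        now = now if now is not None else time.time()
        if not 0 <= now - int(fields.get("issued", "0")) <= self.max_age:
            return False                      # stale
        if fields["nonce"] in self.seen_nonces:
            return False                      # replayed
        self.seen_nonces.add(fields["nonce"])
        return True
```

The consumer's nonce set is the "one-time token" property from the story summary; if it is not persisted across the consumer's own processes, the replay check silently disappears, which is the usual implementation bug in this class of protocol.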

  62. There is a better system... by Timothy1965 · · Score: 2, Interesting
    There was a recent paper at IPTPS on this problem last year.

    I RTFA'd and OpenID relies on a single host as an authenticator, just like Passport. Sure, you can have many single host authenticators with OpenID (whereas there can only be one with Passport), but at the end of the day, your credentials are only as strong as the security of that one box. Remember all the problems that Microsoft had with authenticating and authorizing Hotmail users? Single hosts make inadequate authenticators. The CorSSO folks fix that problem using threshold cryptography - in CorSSO, an attacker has to compromise a group of different hosts all at the same time to usurp someone's identity, which can be made much harder than compromising a single host in OpenID.

  63. Bad Idea - People are click-happy by MooseGuy529 · · Score: 2, Interesting

    From the sound of this, you log in to one site (your homesite) with your real username and password, and after that it uses digital signatures and a list of trusted sites to prove to that site that you are the owner of the URL.

    I see several problems with this, one of them being specifically that it doesn't require a password everywhere you login. I know the point of single sign-on is to have one username and password for everything. However, think about your average user: when prompted with a dialog box asking "Would you like to trust this site?" or "Would you like to install our malicious software?", they have an uncanny habit of clicking "Yes" without thinking. I think this will become a problem as well--people authorizing any site just because it asks, and not realizing what it means in the end. Requiring password entry and making the requesting site very clear would make it much easier for users to know what they are doing.

    --

    Tired of free iPod sigs? Subscribe to my blacklist

    1. Re:Bad Idea - People are click-happy by Knight2K · · Score: 1

      People click Yes without thinking, because thinking doesn't do any good. If they look at the certificate, it just has a long string of numbers and the name of a corporation they probably never heard of claiming that this is okay. How does the average user know what this information is and if it is even accurate? If the whole page is spoofed, why couldn't they spoof that too?

      In addition, some sites, like yahoo, use a central server to authenticate you and then redirect to the resource you were requesting. So the browser asks you: "Do you trust login.yahoo.com"? And the user thinks: "What's this? I requested mail.yahoo.com. Is this a virus or adware or legitimate?".

      Most people are hopping on to buy something from Amazon and E-Bay. They don't have the time or inclination or know-how to research every certificate they see on-line. So they trust pretty much everything because they can't get anything done if they don't.

      If there's anything about Internet security that needs fixing, it's that.

      --
      ======
      In X-Windows the client serves YOU!
    2. Re:Bad Idea - People are click-happy by Nurgled · · Score: 1

      This is mitigated to a certain extent because a site can only ask the question "Is this MooseGuy529?". They can't ask "Who is logged in?". Therefore unless a site wants to target a particular user there is no tracking issue. In legitimate use, you enter the ID you wish to use into a little box and the site goes off and checks it. Unless you enter that ID, they have no idea what to check for.

  64. URL? URN? URI? Email? Username? Login? Identity? by MooseGuy529 · · Score: 1

    I don't like the idea of using URL's as an identification system. Sure, within the blogosphere, this is great since most people *are* identified by the URL's of their websites, but what about normal people? It's hard enough to explain the difference between an email address (username@host), a URL (host/resource), and a login (username and password), and it's worse that some sites use your email address to login and some use a username, but this is the worst. It means that URL's, which are supposed to represent a resource, can now be used as usernames. While it's a creative and practical solution, it will be really confusing to people. Jabber got it right with username@host usernames.

    --

    Tired of free iPod sigs? Subscribe to my blacklist

  65. Only half a solution by MooseGuy529 · · Score: 1

    It seems like this is only half a solution. All it does right now is allow responsible sites to ensure that you are the owner of a URL. It doesn't have any way (yet) to prove that you wrote a comment, or that you didn't. Basically this means it will be useless, because unless a site operator blatantly forges identities, they can change individual comments to say what they want and there's little that can be done to disprove them.

    --

    Tired of free iPod sigs? Subscribe to my blacklist

  66. This requires an HTTP server, publickey doesn't by MooseGuy529 · · Score: 1

    I see one major problem with this, related to the fact that it uses URLs: it requires an HTTP server. By requiring an HTTP server, it requires you to either run your own server, get a free account somewhere, or pay someone for one. Running your own is beyond the expertise of many users, and even with a nice program for it, dynamic IPs and stuff will get in the way. The problem with offering this as a free service is that there is little incentive for a site to offer the service alone. There are few chances to display ads, and users won't stay on your site. Lastly, people probably aren't willing to pay for such a service, since it's only a minor convenience. I see two outcomes: it becomes an ISP-based service, like NNTP, or it becomes integrated into other free portal things like Yahoo! or the Google Non-Portal.

    Public key authentication is better because it requires less infrastructure... all it requires is a place to store public keys (easier than the requirements of OpenID because they're static data).

    --

    Tired of free iPod sigs? Subscribe to my blacklist

  67. Another protocol, OSS needs a mechanism. by Hurderos · · Score: 2, Informative

    I do wish the authors success but OpenID is simply another protocol for asserting identity information. What is fundamentally missing, especially in OSS, is a mechanism for implementing identity. In truth implementing identity is something that is also missing in the plethora of commercial products which are seeking to provide solutions in this space.

    Globus/GRID, Shibboleth, PubCookie, LID and a legion of others are already implementing mechanisms for making assertions about an identity. The fundamental problem with implementing any of these technologies is the back-end systems for implementing and protecting identity and a manageable system for tracking differential access (authorization) at a high level of granularity.

    The Open-Source community is currently lacking any respectable effort in this arena. All the basic pieces are there with LDAP, Kerberos, SAML and a host of other technologies. What is required is a coherent framework which implements all these technologies in a manageable package of infra-structure. It will be where the real war for control of information delivery gets won or lost for OSS technologies over the remainder of the decade.

    As I noted in the first paragraph, what is fundamentally lacking across the spectrum, commercial or otherwise, is a fundamental definition of identity. It's interesting to see that a couple of other posters have noted this as well. Our Hurderos Project is trying to address that with an OSS solution in an attempt to turn the tide of everyone inventing their own solution.

    Getting that type of basic infra-structure laid down is key to unlocking an entirely new generation of application and information delivery architectures. It is also fundamental to addressing the intrinsic problem with federated or distributed identity systems which is the very real and very thorny problem of target sites asserting authorization over remotely authenticated identities.

    In the brave new world of highly distributed information delivery systems with a mobile consumption (client) base the only important thing is 'who you are and what do you have access rights to'. He who controls that will control everything.

  68. There are other, simpler systems: LID, for example by jernst · · Score: 2, Interesting

    LID -- Light-Weight Digital Identity -- is an entirely decentralized digital identity system that uses URLs as identifiers. Yes, you can host your own. It's so simple, the average Slashdot hacker can probably implement it from scratch in an afternoon, and it supports SSO, VCard-based contact management, FOAF-based social networking, authenticated messaging and many other applications.

    http://lid.netmesh.org/

    Disclaimer: I'm one of the people who came up with it. I also talk about it and other systems on my blog at http://netmesh.info/jernst.

  69. Re:URL? URN? URI? Email? Username? Login? Identity by ydnar · · Score: 1

    Which would you prefer to be?

    http://thinkinginbinary.webhop.net/

    or

    MooseGuy529

    The problem with user@host is that it resembles an email address. OpenID asserts a URL, not a user, which is an important distinction.

    That URL does not have to be http. It could well be mailto: or data: or gopher: or whatever.

  70. OpenPGP *is* my identity by bwbadger · · Score: 2, Interesting

    I'd like to see an authentication system that used OpenPGP keys.

    e.g. I go to the bank with my photo ID and my OpenPGP key fingerprint and say "this is my key".

    When I want to authenticate with the bank, they use my public key (which they can get from a key server) to encrypt a secret and send it to me. I demonstrate I have the private key and know the pass phrase by decrypting the cypher and extracting the secret ... more hand-shake stuff and ...

    ... authenticated!

    I don't need the bank to know my password, and I can have one password for everywhere that uses this OpenPGP based approach.

    I can't imagine a Kerberos (or Kerberos-like) single sign-on mechanism would be a huge step (relatively speaking) from this point.

  71. V-ID already does a simple version of this by majestiq · · Score: 2, Interesting

    Check out V-ID. They have a free-to-use single sign-on system running right now.

  72. Working implementations already. by stuntpope · · Score: 1

    Also see SourceId and Shibboleth.

  73. This system has issues by Anonymous Coward · · Score: 1, Insightful

    Admittedly, I need to read up on this, and it's definitely an interesting idea to have a single login, but I think there are some behind-the-scenes issues that need to be worked out.

    Yes.

    This system intends to provide provable same identity across multiple websites. However, it has some drawbacks.

    * This is billed as a single-sign-in approach. There are technically superior approaches to single-sign-in, such as the Password Manager in Firefox. The PM approach does not leak your "real" identity to everyone. While Firefox does not (I think) support centralized storage of PM data, it's certainly possible for it to do so or use a system like this. The real benefits of this are that you can prove that your identity in two places is the same thing in a standardized fashion, so that we know that ltorvalds on slashdot really is Linus Torvalds.

    * No support for progressive release of information. I don't want to tell every website (let's use www.trollnet.org as an example) that I'm "Michael Hotwitz", because they don't need to know that. All they need to know is that I'm User 3452351, and I want to be able to sign in using my single password. No information is leaked this way (other than what a cookie would already give them, that I'm the same user that visited their site before). If, at some point in the future, I decide that I want that website to know that User 3452351 is also mhotwitz@slashdot.org, the much famed GNAA poster, so that I can revel in the appreciation of my troll buddies on www.trollnet.org, I can tell them so. A simple form of this would be identity merging, where I simply prove that my two identities are the same, and they become "merged". A slightly more sophisticated approach would be to allow proving that an identity on two particular sites is the same, without "merging" the two, so that site A knows that ID1 == ID2, and site B knows that ID2 == ID3, but neither necessarily knows that ID1 == ID3.

    * The auto-fill-in web page approach recommended by the OpenID people is a bad idea. If I make a form that I can convince a user to submit, and stick the auto-filled-in field at the bottom of a web page, I can harvest unique, cross-all-websites identities for each user.

    * This system relies on DNS for the Availability security property. While, with root cert caching, someone attacking DNS can't fake your ID, if someone else gets your domain because it expires, you lose your identity. I've seen domains come and go, but I still use the same GPG key. Also, this puts Verisign back in the driver's seat for controlling identity management, and frankly, I and most techies trust Verisign to Not Be Evil about as far as we can throw them.

    The main advantage of this system is that it doesn't take any client-side support to roll out.

    I'd rather see someone write an Identity Manager extension for Firefox and a plugin for IE, a program that uses GPG as a backend and can sign a few standardized messages, like "You can trust this other ID to also be me" and "I'm compromised". No identity leakage inherent to the system, can have IDs stored on a server if you want but you don't have to, Verisign isn't involved in the system, no availability attacks on IDs through DNS registration expiry or DNS spoofing services. You could play each new MMORPG with a persona that enjoys the reputation that you've accrued in the past -- as being a helpful person. People who abuse systems and are no fun to play with don't build up a reputation and are easy to identify.

    I just can't figure out why people are so damn eager to tie ID and trust systems to DNS -- one of the places that there really are some solid objections to DNS. It's like people have DNS hardwired into their brain these days.

  74. Re:Wanted: One problem. Already have solution. by Anonymous Coward · · Score: 0

    We need new games that don't suck.

    Have you taken a look at the top-rated games on happypenguin.org recently? They still generally don't have the visual flair of a typical commercial product, but the games there have gotten pretty decent, without the incredibly steep learning curve that has generally been associated with the better open-source games in the past (like nethack). Try Battle for Wesnoth, for instance.

  75. RealOpenID by Doc+Ruby · · Score: 2, Interesting

    If this open, secure, distributed authentication scheme works, maybe it could be used to achieve the US RealID program's (stated) goals. I especially like the idea of allowing an authentication request only a boolean, rather than caching any associated info. Until such a system works, the US shouldn't create a monster that doesn't. Real world test iterations of OpenID might get us there.

    --
    make install -not war

  76. Re:URL? URN? URI? Email? Username? Login? Identity by Baricom · · Score: 1

    That URL does not have to be http. It could well be mailto: or data: or gopher: or whatever.

    Based on my (admittedly hazy) understanding, it has to be HTML over HTTP, because the web server that's identified has to include a special <link> tag in the web page that identifies the identity server that says who's authorized to "claim" that URL.

  77. Sorry, out of points. by Kadin2048 · · Score: 1

    Wish I had one though, because I'd mod this up.

    I'll admit, some of the cryptographic and network theory discussed in the proceedings on the Cornell site, but it looks pretty solid. I'd be interested in how the OpenID people respond to the radically different design direction the Cornell group took (for good reasons, it seems) while essentially solving the same problem.

    What I like about the Cornell system is that Goal #2, which would be right after "Provide a single sign-on abstraction", is "enable applications to tolerate failed and compromised authentication servers." The idea of compromised authentication servers doesn't seem to enter into the OpenID framework. Maybe I'm missing their solution somehow.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  78. Re:URL? URN? URI? Email? Username? Login? Identity by Nurgled · · Score: 1

    End-users can be protected from knowing about all this by their service, though. LiveJournal users, for example, can log in as "user.livejournal.com". This doesn't look like a URL, but it can be transformed into one. This does get tricky for established mass-hosting blog sites because they don't have such pretty-looking URLs already. A Xanga user would have to sign in as xanga.com/username, for example. Supporting whatever.xanga.com would require a DNS wildcard record, and they (like LiveJournal, in fact) might already be using some of their existing usernames as real hosts within their domain.

    Hopefully at some point sites which only provide identities and no other service will spring up, and they'll provide URLs like that which don't actually go to anything except a blank HTML page with the right ID server link in it. I guess eventually anonymizing sites will appear which will allow anything.theirdomain.com and just approve it without question, though of course those sites will no doubt get banned from most sites pretty quickly because they'll be used for spam.

  79. Re:URL? URN? URI? Email? Username? Login? Identity by ydnar · · Score: 1

    Not necessarily. The OpenID client can look at your URL and fetch the link tag just as easily:

    mailto:foo@bar.com -> http://bar.com/ -> http://bar.com/openid/server

    Or if you like, leave off the mailto: entirely, like you can with the http://, and have the client assume user@host means "go fetch the OpenID server from the top level host."
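    The discovery step that comments 76 and 79 describe, as an added example that is not Danga's OpenID code nor any of these posters' code: the consumer normalizes whatever the user typed (a bare host, user@host, a mailto: URL, or a full http URL) to one http URL, fetches that page, and reads the identity server out of a `<link>` tag in the document head. The rel value `openid.server` is the one the early OpenID spec used; the host names, the page contents, and the `fetch` callable used instead of a real HTTP request are all constructed for the example. The parser only honours links that appear before `</head>` or `<body>`, since a consumer that accepted a `<link>` from anywhere in the page would let anyone who can post HTML into the body (a blog comment, say) point the URL at a server of their choosing.

```python
"""Added example: OpenID 1.x-style identifier normalization and <link>
discovery. Not code from Danga or from the page; all URLs are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

FETCHABLE = ("http", "https")


class _HeadLinkParser(HTMLParser):
    """Collect rel -> href for <link> tags that appear in the document <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._head_done = False

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._head_done = True  # anything after this is untrusted page body
        if tag == "link" and not self._head_done:
            a = dict(attrs)
            rel = (a.get("rel") or "").strip().lower()
            href = a.get("href")
            if rel and href and rel not in self.links:
                self.links[rel] = href.strip()  # first declaration wins

    def handle_endtag(self, tag):
        if tag == "head":
            self._head_done = True


def normalize_identifier(raw):
    """Map user input to the http(s) URL to fetch, or None if it cannot be fetched.

    'mailto:foo@bar.com' and 'foo@bar.com' both become 'http://bar.com/'
    (comment 79's rule: go to the top-level host); 'user.livejournal.com'
    becomes 'http://user.livejournal.com/'. Non-http schemes such as
    gopher: are refused rather than guessed at.
    """
    raw = raw.strip()
    if raw.lower().startswith("mailto:"):
        raw = raw[len("mailto:"):]
    if "@" in raw and "://" not in raw:
        raw = raw.rsplit("@", 1)[1]
    if "://" not in raw:
        raw = "http://" + raw
    parts = urlsplit(raw)
    if parts.scheme not in FETCHABLE or not parts.netloc:
        return None
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path or "/", "", ""))


def discover_server(html_doc, rel="openid.server"):
    """Return the identity server URL declared in the page head, or None."""
    parser = _HeadLinkParser()
    parser.feed(html_doc)
    href = parser.links.get(rel)
    if href is None or urlsplit(href).scheme not in FETCHABLE:
        return None  # refuse javascript:, data: and friends as server URLs
    return href


def discover(raw, fetch):
    """Full step: normalize, fetch the page via `fetch(url) -> str`, read the tag."""
    url = normalize_identifier(raw)
    return None if url is None else discover_server(fetch(url))


# Constructed sample page: a legitimate head link plus a decoy that a visitor
# managed to get into the page body. Only the head link must be honoured.
SAMPLE_PAGE = """<html><head>
<title>foo's page</title>
<link rel="openid.server" href="http://id.example.net/openid/server">
</head><body>
<p>User comment: <link rel="openid.server" href="http://attacker.example/server"></p>
</body></html>"""

CONSTRUCTED_PAGES = {"http://bar.com/": SAMPLE_PAGE}


def constructed_fetch(url):
    """Stand-in for an HTTP GET so the example runs offline."""
    return CONSTRUCTED_PAGES.get(url, "")


if __name__ == "__main__":
    for ident in ("mailto:foo@bar.com", "foo@bar.com", "user.livejournal.com", "gopher://bar.com/"):
        print(ident, "->", normalize_identifier(ident), "->", discover(ident, constructed_fetch))
```

    A real consumer would also have to cap the size of the fetched page, follow redirects only to http(s) URLs, and verify the server it discovered in the subsequent signed exchange; the snippet only covers the parsing half of the problem that the two comments discuss.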

  80. Re:Wanted: One problem. Already have solution. by Nurgled · · Score: 1

    The problem OpenID attempts to solve is "Is this person who claims to have been here a week ago really the same person?", coupled with "Is pla who posted on slashdot the same person as pla who posted on my weblog?". That is it, really. There is no profile information shared explicitly by this system, though from reading the mailing list they seem to expect that people will invent mechanisms for doing this to complement OpenID. Sites which implement OpenID but only allow their own identities to log in would have missed the point completely. Even if no-one else uses it, LiveJournal, many of the LiveJournal clone sites, TypePad and MovableType will all support it, and that accounts for a large chunk of the weblog and journal users online. Any other support is a bonus, really.

    As for anonymity, all that's needed for that is an ID server which will approve any arbitrary user within its domain. A bit like Mailinator but for identities rather than email. It's likely that such a site would quickly get banned from everywhere due to the spam it would be used for, but that's no different than certain sites disallowing anonymous users.

    Regarding coding in spare time, I code stuff that's interesting or useful to me. I probably wouldn't have written a distributed identity system, but I can see why the Danga folks did it: they scratched their own itch in a manner which simultaneously scratched a few other people's itches. I have no use for any of the things you claim "we" need. Different people need or desire different things.

  81. SAML Web of Trust? by Vagary · · Score: 1

    Cool, thanks for the briefing.

    Ideally, wouldn't the identity authorities establish a web of trust amongst themselves, allowing a user to be authenticated by any one of them and then access any authentication consumer? Hell, I think most people would be more willing to grant Passport a monopoly if they were using open standards that would prevent lock-in.

    So the real problem is that no one has figured out a business model for being an id authority other than to extend a monopoly?