Slashdot Mirror


LiveJournal Founder Launches OpenID System

geekdreams writes "Brad Fitzpatrick, the founder of LiveJournal, has launched OpenID, an 'actually distributed identity system' for websites that accept user comments. The system utilizes decentralized servers to authenticate users, and aims to replace centralized ID systems such as Microsoft's Passport and SixApart's TypeKey. The first implementation of OpenID can be seen on LiveJournal comments pages." Previously mentioned on Slashdot, now out of development.

19 of 172 comments

  1. Re:Not really that good, IMHO. by DJayC · · Score: 2, Insightful

    Tools like Firefox's "remember password" make these kinds of shared identity systems obsolete, don't they? Who cares how many passwords you have to remember? You don't have to remember ANY of them anymore, really.

    Not really... if you aren't remembering passwords, you're pretty much out of luck when you go to another terminal, or forget to back up your Firefox directory and lose your data.

    Maybe this type of system isn't for you, but I can definitely see some use for it.

    Also, just because something is complicated doesn't mean it'll eventually get exploited. Things can be complex, yet well thought out and secure.

  2. A dupe with a note saying it's a dupe by m50d · · Score: 1, Insightful

    is still a dupe, especially when the note wasn't part of the actual submission

    --
    I am trolling
  3. Not that bad, either by jfengel · · Score: 5, Insightful

    The only motivation I can detect for Open Id is to save people FIVE SECONDS by logging into a new forum, website

    I'd have thought the motivation was to limit the number of separate accounts you need. Having a billion accounts running around is a massive security nightmare. Either you're using the same password everywhere (and telling every web site owner your password) or you're wandering around with a notebook of thousands of passwords.

    Firefox won't remember your password if the computer is a public terminal, or if you use multiple computers (e.g. at home and at work.)

    No, this isn't the ultimate solution (which involves encryption, a portable very strong crypto key time-based challenge-response, and perhaps biometrics), but it could be a good half-measure.

    1. Re:Not that bad, either by jfengel · · Score: 2, Insightful

      Put all your eggs in one basket, then make sure it's a really, really good basket.

    2. Re:Not that bad, either by spectral · · Score: 4, Insightful

      There aren't central servers. This is DECENTRALIZED. Run your own OpenID server. Now you control EVERYTHING about validating that you are you. This does NOTHING else. There is no profile exchange, there is no password exchange. All this does is say that someone using OpenID spectral@slashdot.org (if slashdot ran their own, for example) on Livejournal is the same person that is claiming to be spectral@slashdot.org on slashdot, and spectral@slashdot.org on Deadjournal, and spectral@slashdot.org on any Movable Type journal, and spectral@slashdot.org on (whatever implements this system).

      This is a means of identification. You log in to a site. The site passes off a redirect url, of sorts, to the OpenID server (the part after the @), and asks THEM to verify who you are. The OpenID server does this, and either goes to the URL it was directed to, and now you're 'identified' to the original site, or says no .. and you don't go any further.

      So, what if they spoofed the OpenID server, made it always say yes? Then anyone @that_openid_server can ident as anyone else. This doesn't compromise me@some_other_server. I'll probably end up running my own OpenID server, and having my account on it. Or maybe get my friend to, and we'll all share. Small and localized, one password to remember, and works anywhere (home, work, laptop, desktop, friend's house...) and the authentication goes away when I close the browser window.

      What, exactly, is wrong with this ... except now I can Identify myself to websites without needing to worry about whether or not they're going to steal my password and try it on every website that's popular?
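      A toy model of the flow spectral describes, added here as an example (it is not code from the post or from the OpenID project, and it simplifies the real protocol): the site trusts each identity server only for names under that server's own domain, so a server that "always says yes" can vouch for anyone @itself but cannot vouch for a name hosted elsewhere. The HMAC-signed assertion, the return_to check and the nonce are assumptions of this model.

```python
import hashlib
import hmac
import secrets

def _msg(identity, return_to, nonce):
    return f"{identity}|{return_to}|{nonce}".encode()

class IdentityServer:
    """Toy identity server (hypothetical simplification, not real OpenID messages)."""
    def __init__(self, domain, passwords, honest=True):
        self.domain, self.passwords = domain, passwords
        self.honest = honest                      # False models a server that "always says yes"
        self.secret = secrets.token_bytes(32)     # association key shared with the site

    def check_login(self, identity, password, return_to, nonce):
        user, _, domain = identity.rpartition("@")
        if self.honest and (domain != self.domain or self.passwords.get(user) != password):
            return None                           # honest server refuses to vouch
        sig = hmac.new(self.secret, _msg(identity, return_to, nonce), hashlib.sha256).hexdigest()
        return {"identity": identity, "return_to": return_to, "nonce": nonce, "sig": sig}

class RelyingParty:
    """The site the user logs in to; trusts each identity server only for its own names."""
    def __init__(self, return_to):
        self.return_to, self.keys, self.seen = return_to, {}, set()

    def associate(self, server):
        self.keys[server.domain] = server.secret  # keyed by the server's domain

    def verify(self, a):
        if a is None or a["return_to"] != self.return_to or a["nonce"] in self.seen:
            return False
        # Look up the key of the server that owns the identity (the part after the @),
        # not whichever server happened to answer.
        key = self.keys.get(a["identity"].rpartition("@")[2])
        if key is None:
            return False
        expected = hmac.new(key, _msg(a["identity"], a["return_to"], a["nonce"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a["sig"]):
            return False
        self.seen.add(a["nonce"])                 # accept each assertion once
        return True

def demo():
    rp = RelyingParty("https://rp.example/comment")          # constructed sample values
    honest = IdentityServer("idp-a.example", {"spectral": "correct-horse"})
    rogue = IdentityServer("rogue.example", {}, honest=False)
    for s in (honest, rogue): rp.associate(s)
    me = "spectral@idp-a.example"
    ok = honest.check_login(me, "correct-horse", rp.return_to, "n1")
    return {
        "honest_login": rp.verify(ok),
        "replayed": rp.verify(ok),
        "wrong_password": rp.verify(honest.check_login(me, "guess", rp.return_to, "n2")),
        "rogue_vouches_for_its_own_names": rp.verify(rogue.check_login("x@rogue.example", "", rp.return_to, "n3")),
        "rogue_vouches_for_idp_a_name": rp.verify(rogue.check_login(me, "", rp.return_to, "n4")),
    }
```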

  4. Can hardly wait... by martian67 · · Score: 3, Insightful

    I can hardly wait if/when systems like this become popular, to be forced to register an id like Martian5576567567 due to every other numerical possibility having been already taken, due to a lot of sites using such a system, and people forgetting about passwords or old accounts and re-registering multiple times.

    Also isn't there an issue if someone discovers your password, they can "pretend" to be you on any site including sites with sensitive information such as paypal and the like...

    1. Re:Can hardly wait... by LFS.Morpheus · · Score: 4, Insightful

      I'm not addressing your security issue... I think OpenID is not designed for secure applications (banks, credit cards, etc) - it's more for bloggers, chatters, forums, etc etc.

      Anyone can run an identity server.. so for instance each ISP could have one, or you could choose to use Google's, or Yahoo's, or Livejournal's.. or even mine, if I choose to run one for my website. In an ideal world, AOL could run one and integrate it with their AIM logins. Microsoft could run one and then Passports would work too.

      Having a decentralized system allows you to avoid problems like this - it's kind of like jabber in my mind. I don't know *too* much about OpenID yet but this is the general idea.

      --
      The space unintentionally left unblank.
  5. Re:Not really that good, IMHO. by diegocgteleline.es · · Score: 3, Insightful

    2 I think the motivation for this service is skewed. The only motivation I can detect for Open Id is to save people FIVE SECONDS by logging into a new forum, website... etc. People already have their own methods to achieve this kind of simplicity in their lives.

    3 Tools like Firefox's "remember password" make these kinds of shared identity systems obsolete, don't they? Who cares how many passwords you have to remember? You don't have to remember ANY of them anymore, really.


    One of the things I hate about the internet is precisely this. Face it, how do you feel when Slashdot links to a "register for free!" kind of link? I also hate when I go to a blog or an online forum and I'm forced to register, wait for email, login, etc. Most of the time I give up - this thing would fix those problems.

  6. Re:Not really that good, IMHO. by Azarael · · Score: 3, Insightful

    For 2, it does get to be a pain when you are signed up to 20 or 30+ forums. Example? These days, a lot of software support and bug reporting facilities are on a forum. It's a bit of a waste of time if you have to sign up just to make a couple of posts.

    I'm not saying that we need more services like the one in the article, but it would be nice to have some sort of simple way to fix this.

  7. A good Idea... by MaxPowerDJ · · Score: 1, Insightful

    ...but a questionable implementation. This is very utopian in nature (not having a centralized server storing everyone's data) but it doesn't feel feasible to just "trust" a decentralized architecture to hold/store my personal information without designing it from the ground up with security in mind.

    Just my 2 cents...

    --
    --MaxPowerDJ
  8. Re:Not really that good, IMHO. by tourettes · · Score: 2, Insightful

    For myself, I don't think it's the fact of having to spend "5 seconds" logging into different sites. I think it's more so the fact of the number of different passwords/usernames I have in use on different forums. For the most part, I try to use the same username/password on most forums, but sometimes my username is taken, or something like that, then I have to try and remember what the username is, etc. I like the idea of this, and hope to use it in the future.

    --
    tourettes
  9. Re:Insecure by design by Anonymous Coward · · Score: 1, Insightful

    And centralized systems are inherently insecure because your single point of failure is your system. The whole thing can crumble if one mistake is made. You have to build in redundancy and round-robin DNS is simply not redundant for a very large scale.

    There are many fun topologies out there like Decentralized Ring (a la Gnutella2; don't knock the design just because the inventor was controversial) which work around issues in simple systems such as Distributed or Centralized. Ultimately your application will decide what the best topology to use is. Authentication is debatable but I've always found it easier to deal with differing systems for different levels of trust in the authentication (for example, to get into your bank 3 levels of authentication would be more ideal than the username and password you use for your Blog, and neither system -needs- to have the same authentication system as the other).

  10. Re:Not really that good, IMHO. by BlogPope · · Score: 2, Insightful

    I think the motivation for this service is skewed. The only motivation I can detect for Open Id is to save people FIVE SECONDS by logging into a new forum, website... etc. People already have their own methods to achieve this kind of simplicity in their lives.

    5 Seconds? Where did you get that benchmark?

    I'm a CMS designer,

    Ah, that explains it.

    If I'm on a computer I trust, I might allow it to save my password. If I run across a forum that requires a login, I'm more than likely not going to take the time to create a login, just so I can participate. Why? Because I've never seen one that only takes 5 seconds. Most send emails, which add considerably more time and pain (I gave up using POP email when I changed my email for the 10th time (@home failed, to be exact)).

    Not that his solution is perfect and that all of your points are not valid. Just that it's not such a bad plan at its core.

    --
    My other car is a Popemobile
  11. Re:Not really that good, IMHO. by Gaewyn+L+Knight · · Score: 4, Insightful

    1. if it is a problem... they'll patch it
    2. No... it's to save you remembering which login (hmm... was this nick? or email address?) and which password (These !@!#s don't allow periods?)
    3. Although 'remember password' is nice... how many people truly trust that local database to be secure? Even if you are not paranoid... how many people hate it when they are on another machine that doesn't have it remembered and they can't remember even more passwords because they don't usually use them
    4. Yes you should always be careful with 3rd parties in trust relationships... however all this service does is let another site say 'With those credentials I will vouch for them being this person on my site'. It doesn't prove they are Joe with bank account number xxxxxxx... it proves they are someluser@livejournal.com
    5. Granted... outside systems always leave you open to failures beyond your control. But... it is a ton easier to say 'livejournal users aren't working because livejournal is broken' than saying 'ohh shoot.. we're sorry our database died and we lost all the users'. Both situations will RARELY happen... and if a user can't login 'cause their verifier sucks they will get a new one.
    6. The phishing only works if you have their password... which... why would you phish then?
    7. Nothing comes for free... but I think most users would take 3-5 seconds of lag on first login to save the setup/remember torture
    8. This system is designed to let you prove you are the user of another system... and it does it securely... this isn't something to use to login to your bank account with... yet... :}
    9. That infers you are within one CMS...
    10. There is no #10 ;}
    --
    Telcos have a lot of dark fibre in the States. Most people assume that's optical fibre...but it's actually moral fibre.
  12. What this is actually good for by ShatteredDream · · Score: 4, Insightful

    Many blogs require you to register in order to be able to comment so that the person who runs them can control trollish behavior. This sort of system is good for letting people avoid having to register to be able to post on dozens of blogs.

    Registration is mostly good for keeping away trolls who can't even take the time to learn their native dialect of English well enough to write a coherent and grammatically correct post. Sometimes it's horrifying to read the structure of such posts because you realize how far our schools have fallen. I've gotten ones that if I didn't have a college-level grasp of English, I'd have no idea what was being said.

    As long as security is the first priority, this is a good thing. What I wonder though, is how secure this could really be without centralization. The appeal of SixApart's service is that SixApart is guarding it aggressively from being cracked... so who runs this service? I'm not sure how well you could trust a P2P system like this since you have no definitive authority to say "this user is who he/she says they are."

  13. It looks vulnerable to spoofing by karlfr · · Score: 2, Insightful

    On the http://openid.net/ page, it suggests that untrusted websites might popup a login dialog for your own trusted server. That would open a huge hole for man-in-the-middle attacks based on the various browser "url hiding" vulnerabilities. The fact that that behavior is suggested as canonical seems unwise.

  14. Easy Identification Across Web Sites by geezusfreeek · · Score: 2, Insightful

    A big reason for me to like this (and dislike it at the same time for security reasons) is that a widely distributed system like this will make it easier to keep track of who said what, even across multiple web sites. Each person would have the same name across many web sites, so those of us who are involved in multiple online communities can more easily keep track of people that share more than one common community with us. For example, I could identify Slashdot posts by people that go to the iDevGames forums like I do.

  15. Re:Not really that good, IMHO. by annodomini · · Score: 2, Insightful

    6. The phishing only works if you have their password... which... why would you phish then?

    Um, no, that's not true. The way it works is that you go to one site, enter your ID, it redirects you to a page on your identity server asking if you want to allow the other site to verify your identity, and then it redirects you back to the original site. Now, if you weren't already logged in on your identity server, you would have to log in first, so it would redirect you to a login page on your identity server. What's to stop them from redirecting you to a page that looks exactly like your identity server login page, but steals your username and password? Of course, there's no real way to make any sort of distributed identity server work without running into this sort of problem (unless you require people to use certificates stored on their local computer, which doesn't work for the internet kiosk use case). This is the sort of issue that caused Microsoft to require you to type Ctrl-Alt-Delete to get to your login screen; otherwise, people could just put up a login screen themselves and grab your login information. On the web, though, there's no real way to deal with this, since you don't have traps like Ctrl-Alt-Delete that are guaranteed to be caught by a trusted party.

  16. Self-Identification by Downes · · Score: 5, Insightful

    A few days before the LiveJournal system came out I released something very similar (this is not sour grapes; they have very generously acknowledged my work) called mIDm. You can view it here: http://www.downes.ca/idme.htm

    I was very pleased to see the LiveJournal system because it acknowledges what no system has done before: that identity belongs in the hands of the users.

    This has two major aspects:

    First, as argued over and over on the LiveJournal site, this is not an authentication system, it is an identification system. You are not being required to prove you are who you say you are, you are instead being given a mechanism to declare who you are.

    It is, in purpose and intent, as secure - and no more secure - than filling out a web form. But the idea here is that you fill out the form just once, and then using a system of call-backs (to ensure your personal information isn't spoofed) you can use that information anywhere on the web.

    Let me repeat that, in case you didn't get it: anywhere on the web.

    The idea is, if you want, you can have the *same* identity on each of dozens of websites. Which means, say, if your email address changes, you change it once, and this information is now available (if you want it to be) to all of your accounts. Ditto your home page.

    I will leave the many many applications - such as web-wide personalized display, in-page messaging, multi-site social networking, and more - as an exercise to the reader.

    Second, what it means is that the system is distributed. This means that there isn't some centralized grand poobah of identity (the way Passport tried to be, the way Sxip is trying to be). It means you can choose any system you want to host your identity or you can build your own.

    Let me repeat that: you can build your own.

    Don't like their security? Make yours tighter. Too much lag on LJ? Host it yourself. Want to send different emails to different types of site? Code it.

    One of the mistakes made in previous systems was in the use of a one-size-fits-all model, which meant that the level of security had to be at the highest possible - which is orders of magnitude more than someone needs merely to write blog posts and comments. Building a distributed system allows each person to decide how much - or how - security is appropriate.

    Having made these two points, I would like to mention briefly where my system goes beyond LJ's. In their system, you are still typing your home URL at each site you visit. In mine, you don't ever have to type your home URL - it is stashed in the browser agent environment variable, where it can be picked up by any site that needs it. Oh, I know, you probably shouldn't do that - but I've been testing this for months with no ill effects. YMMV, and if you have a better idea, I'm all ears.

    Despite the naysayers here on Slash, this system - or something very like it - will become the norm on the internet very soon.

    Why?

    - Because it will be very simple to install for websites, especially after things like Drupal and Wordpress modules are built.

    - Because it will be very simple for the user, because they just need to type one thing in (or extensions will be built for my type of system).

    - Because it will work.

    - Because it will be no less safe, and probably more safe, than filling forms willy-nilly everywhere you go.