LiveJournal Founder Launches OpenID System
geekdreams writes "Brad Fitzpatrick, the founder of LiveJournal, has launched OpenID, an 'actually distributed identity system' for websites that accept user comments. The system utilizes decentralized servers to authenticate users, and aims to replace centralized ID systems such as Microsoft's Passport and SixApart's TypeKey. The first implementation of OpenID can be seen on LiveJournal comments pages." Previously mentioned on Slashdot, now out of development.
step 11. profit!
Just as an aside, the XML-RPC vulnerability was based on items in the PHP community, and not in the module used within Perl. Danga and the LiveJournal team have been working with XML-RPC for quite some time, and they tend to be nazis about the security of their implementation.
- oZ
// i am here.
Tools like Firefox's "remember password" make these kinds of shared identity systems obsolete, don't they? Who cares how many passwords you have to remember? You don't have to remember ANY of them anymore, really.
Not really... if you aren't remembering passwords, you're pretty much out of luck when you go to another terminal, or forget to back up your Firefox directory and lose your data.
Maybe this type of system isn't for you, but I can definitely see some use for it.
Also, just because something is complicated doesn't mean it'll eventually get exploited. Things can be complex, yet well thought out and secure.
No, this is not obligatory. You chose to continue the trend...
*sigh* oh slashdot...
is still a dupe, especially when the note wasn't part of the actual submission
I am trolling
Universal hardware tokens. Please.
The only motivation I can detect for Open Id is to save people FIVE SECONDS by logging into a new forum, website
I'd have thought the motivation was to limit the number of separate accounts you need. Having a billion accounts running around is a massive security nightmare. Either you're using the same password everywhere (and telling every web site owner your password) or you're wandering around with a notebook of thousands of passwords.
Firefox won't remember your password if the computer is a public terminal, or if you use multiple computers (e.g. at home and at work.)
No, this isn't the ultimate solution (which involves encryption, a portable very strong crypto key time-based challenge-response, and perhaps biometrics), but it could be a good half-measure.
It's not necessarily about the passwords; would you want someone over on k5 or livejournal posting about their double life with a mistress and a secret cave where they crossdress and watch old Three's Company episodes using your username? "h@@@@@y, I'm mfh and I was jsut wondrin how 1337 i have 2b to g4t ino yor haxxxxxx1ng growp? -- mfh"
It would be easier to identify someone (and harder to spoof someone) if their ID information carried across multiple sites.
I can hardly wait if/when systems like this become popular, to be forced to register an id like Martian5576567567 due to every other numerical possibility having been already taken, due to a lot of sites using such a system, and people forgetting about passwords or old accounts and re-registering multiple times.
Also isn't there an issue if someone discovers your password, they can "pretend" to be you on any site including sites with sensitive information such as paypal and the like...
and his comments about spam and trust lead one to believe that these are areas SixApart's service could fill.
2 I think the motivation for this service is skewed. The only motivation I can detect for Open Id is to save people FIVE SECONDS by logging into a new forum, website... etc. People already have their own methods to achieve this kind of simplicity in their lives.
3 Tools like Firefox's "remember password" make these kinds of shared identity systems obsolete, don't they? Who cares how many passwords you have to remember? You don't have to remember ANY of them anymore, really.
One of the things I hate about internet is precisely this. Face it, how do you feel when some links in slashdot to a "register for free!" kind of link? I also hate when I go to a blog or a online forum and I'm forced to register, wait for email, login, etc. Most of the time I give up - this thing would fix those problems.
What do I win?
Being modded down?
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
For 2, it does get to be a pain when you are signed up to 20 or 30+ forums. Example? these days, a lot of software support and bug reporting facilities are on a forum. It's a bit of waste of time if you have to sign up just to make a couple posts.
I'm not saying that we need more services like the one in the article, but it would be nice to have some sort of simple way to fix this.
...but a questionable implementation. This is very utopic in nature (not having a centralized server storing everyone's data) but it doesn't feel feasible to just "trust" a decentralized architecture to hold/store my personal information without designing it from the ground up with security in mind.
Just my 2 cents...
--MaxPowerDJ
For myself, i don't think it's the fact of having to spend "5 seconds" logging into different sites. I think it's more so the fact of the number of different passwords/usernames i have in use on different forums. For the most part, i try to use the same username/password on most forums, but sometimes my username is taken, or something like that, then i have to try and remember what the username is, etc. I like the idea of this, and hope to use it in the future.
tourettes
If it is like LiveJournal, I am sure lots of self obsessed people will want to use the ID system.
It seems to me that "Hey, you can actually go out and download X" is news, even when "Hey, I've got an idea for X" was already news.
And Centralized systems are inherently insecure because your single point of failure is your system. The whole thing can crumble if one mistake is made. You have to build in redundancy and round-robin DNS is simply not redundant for a very large scale.
There are many fun topologies out there like Decentralized Ring (ala Gnutella2; don't knock the design just because the inventor was controversial) which work around issues in simple systems such as Distributed or Centralized. Ultimately your application will decide what the best topology to use is. Authentication is debatable but i've always found it easier to deal with differing systems for different levels of trust in the authentication (for example, to get into your bank 3 levels of authentication would be more ideal than the username and password you use for your Blog, and neither system -needs- to have the same authentication system as the other).
I'm guessing he might be, as he is a SixApart employee since they bought Danga (LiveJournal).
5 Seconds? Where did you get that benchmark?
I'm a CMS designer,
Ah, that explains it.
If I'm on a computer I trust, I might allow it to save my password. If I run across a forum that requires a login, I'm more than likely not going to take the time to create a login, just so I can participate. Why? Because I've never seen one that only takes 5 seconds. Most send emails, which add considerably more time and pain (I gave up using POP email when I changed my email for the 10th time (@home failed, to be exact)).
Not that his solution is perfect and that all of your points are not valid. Just that it's not such a bad plan at its core.
My other car is a Popemobile
Of course, when I find/steal your wallet, with the tattered but legible cheat-sheet with all your IDs and passwords written down, 'cause you can't keep all fifty of them in your head, I'll bankrupt you in 24 hours.
Generally, bash is superior to python in those environments where python is not installed.
Sites that let you enter your name/URL/email/etc and show it without verifying you're you are lame.
On the other:
Somebody could run their own identity server that says they're http://spammer.example.com/000001/ all the way to http://spammer.example.com/999999/ and that's not a goal of this system to prevent.
If anyone can run their own identity server, then why use this rather than a (probably more user-friendly) Captcha system?
First of all, look at the reason this was created. There are hundreds of livejournal clones out there, and a lot of them run the livejournal software (deadjournal, blurty, etc.). I'm not going to create a new journal on each one of those sites just so I can view the friends-only posts of my friends on those sites, and especially not just so I can comment. This provides a way to link all of those sites together, and it does it openly, in a way that sites that don't use LJ's software can use.
Secondly, addressing your remember passwords comment, it's a complete waste of resources for the system for these users, who just may want to leave a comment, to force them to sign up for an account. Why not just let them provide a reference URL which represents them, and let that server verify that the provided URL is the user's?
Many of your points were simply "This is complex", or "This requires relying on more systems", and conclude that it's bad. Firstly, I think 'rely' is the wrong word for this. You're using these other systems, yes, but if these other systems go down, it doesn't stop you from doing anything. It's similar, though not a perfect analogy, to saying that having more IRC servers in a given network is bad because you're relying on more servers.
Also, imagine the advantages this gives when designing around this system. Forums which are really only for one topic, such as an official forum for a specific piece of software, don't even need to store any user or password information (and therefore don't have any sensitive data). The forum can simply store the OpenID URL for the admins and allow anyone who can verify with that URL do all of the admin work.
It's the first step to providing a true roaming profile, and single sign-on for the web, and it's done in an open manner. I think it's a step in the right direction.
I am in total agreement with you, but such a system would be a frequent target for identity theft attacks. Therefore such a system should have multiple biometric security measures, including fingerprints, DNA, retinal scans, and voice samples.
Such a system would be the foundation of a new set of services as well. For example, if all the citizens of the world would wear a GPS transmitting necklace or under-the-skin implant no one would ever be wrongly accused of a crime or be accidentally lost in the wilderness. With bio-scanning technology the government could ensure that your vital signs were normal and if they became erratic they could send aid.
Only with a wonderful benevolent government like the United Nations can we ever begin to see the wonders of these technologies and rid ourselves of all the risks of the dangerous ideas of freedom and privacy.
Something like this is simply DOA. Few content providers will take advantage of this because they have their own in house and/or have never heard of this guy or his company. If say, Yahoo was to do it, it'd take off like wildfire. But Yahoo's a perfect example... their one id system is and has been in place all throughout their growing universe of web content. As is, does the creator really think that people will be clamoring for one for a blogging site? c'mon... blogging is still quite the ego-centric niche.
agreed. and another important factor is, this eliminates the need to register a new account with every blog system out there.. instead you just use the same credentials.
Therein lies the real benefit. It essentially means that you are automatically a member of a whole community of forums, or at least trusted enough to leave comments.
But I would imagine you'd still need a new unique account to take full advantage of most sites. You can't have a /. blog for "The guy from xyz.com"
useless sig advice - Read Nabokov.
1. Not relevant. It is _not_ complicated. There will be libraries (that do not use eval()) that handle all of that "complicated" (http?) stuff. 2. Five seconds if you have an account. 3. Doesn't give you a single id. 4. Email? DNS? 5. ? 6. Conceded. This isn't targeted at banking applications though, still, it's something to watch for. 7. OK. 8. Once again, it's not foolproof, but it fills a niche. 9. CMS designers are often morons. Get a real job.
Telcos have a lot of dark fibre in the States. Most people assume that's optical fibre... but it's actually moral fibre.
11. Profit!!!
(Sorry, had to!)
Zhrodague.net - I do projects and stuff too.
Many blogs require you to register in order to be able to comment so that the person who runs them can control trollish behavior. This sort of system is good for letting people avoid having to register to be able to post on dozens of blogs.
Registration is mostly good for keeping away trolls who can't even take the time to learn their native dialect of English well enough to write a coherent and grammatically correct post. Sometimes it's horrifying to read the structure of such posts because you realize how far our schools have fallen. I've gotten ones that if I didn't have a college-level grasp of English, I'd have no idea what was being said.
As long as security is the first priority, this is a good thing. What I wonder though, is how secure this could really be without centralization. The appeal of SixApart's service is that SixApart is guarding it aggressively from being cracked... so who runs this service? I'm not sure how well you could trust a P2P system like this since you have no definitive authority to say "this user is who he/she says they are."
Click here or a puppy gets stomped!
And they will conveniently have a full and complete list of "nice people" for whatever re-education program the UN comes up with...
No thanks. I barely trust my government, and I vote for the suckers.
"Piter, too, is dead."
One of the things I hate about internet is precisely this. Face it, how do you feel when some links in slashdot to a "register for free!" kind of link? I also hate when I go to a blog or a online forum and I'm forced to register, wait for email, login, etc. Most of the time I give up - this thing would fix those problems.
On the surface you might think that this thing would fix those problems but I highly doubt that it will change anything.
Think about it: If the New York Times wouldn't adopt Microsoft's Passport solution do you really think that they are going to adopt this solution by a (in their eyes) virtual nobody? If something with the backing of the largest software company in the World couldn't take off then I don't hold out much hope for this except perhaps for some blogs here and there -- but that hardly solves the NYT problem.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
About openID
Sometimes i wonder
Why we don't have it shut
Closed ID seems smarter
Burma shave
Seriously, all this jazz about the OpenID systems left, right and centre from so many sources, yet none of them work; perhaps a new vector is required.
The only things certain in war are Propaganda and Death. You can never be sure which is which though
Bahah!!! I didn't vote for Bush! Either time! I only trust the government when they are significantly different from corporations. Currently, the two are synonymous. Corporations are the primary evil and government is secondary unless coopted by corporations, which they currently are. So you can't trust anyone. As far as individuals go, they're all corrupt. I don't trust you at all. And you shouldn't trust me. Only non-sentient frameworks are trustworthy. Machines are ultimately the most trustworthy as long as no humans are involved. Learn about cubic time!! You are all singularity stupid!
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
1 I think the motivation for this service is skewed. The only motivation I can detect for Open Id is to save people FIVE SECONDS by logging into a new forum, website... etc. People already have their own methods to achieve this kind of simplicity in their lives.
There are many uses... who really wants to have to register at 50 sites, just because you wish to post a comment or two, or ask a question at a site?
2 Tools like Firefox's "remember password" make these kinds of shared identity systems obsolete, don't they? Who cares how many passwords you have to remember? You don't have to remember ANY of them anymore, really.
If you are really conscious about security, you NEVER use these "I will remember your password..." because if someone gets physical access to your system, you are screwed.
3 Caution should be applied when linking with systems using any kind of third party medium. KISS.
How is linking a URL security-prone? You are NOT showing your password to anyone, at anytime.
4 This could be ripe for phishing.
Phishing what? Your ID?
5 This system provides a false sense of security. You will never know exactly who you are dealing with over the internet. Behavioural tests should be part of this system and they are lacking. Also, nobody is going to use a secure pipe at both ends to handle this kind of data, are they? Uh...
Once again, they DO NOT REQUIRE PASSWORDS So why use a secure pipe FOR A URL?
Personally, I believe that this is a great service, and will be welcomed by myself. The genius of the idea, and let me note one last time, the non-need of a password is a key feature of this idea.
On the http://openid.net/ page, it suggests that untrusted websites might popup a login dialog for your own trusted server. That would open a huge hole for man-in-the-middle attacks based on the various browser "url hiding" vulnerabilities. The fact that that behavior is suggested as canonical seems unwise.
So your first argument is that one of the components involved had a security problem? You'd better stop using the internet then, or maybe even your own CMS.
The end goal of this is much more grandiose. One thing that is both a strength and weakness of the Internet is anonymity. Blanket anonymity has no doubt been a plus for many people over the years, but it's now much more of a problem than it's worth. The Internet in general needs a way for the average user to present credentials to internet services that is automated, fast, and simple. This would be a building block for validation of web sites, e-mail messages, decentralized public key distribution, and a lot of other useful (and badly needed) services. Removal of blanket anonymity (but not elimination of all anonymity) will improve the signal to noise ratio of internet data by several orders of magnitude.
That's why that feature of firefox gets disabled by many corporations. It's very insecure. Other options for storing long, non memorable passwords include palm pilots, dedicated password PDAs, and such. They're clunky and sooner or later passwords will become too long to type in anyway. Being able to reference the place to *get* the user's password (along with their encryption settings, public key, etc) is actually more secure.
The Internet is by its nature much more interdependent than you know. It's impossible to do anything online without using at least a few dozen interlinked systems and standards. In general, keeping it simple is a good design rule but it tends to produce simple, monolithic system designs that are unsuited to Internet scale activities. For an example of a large scale distributed service that is as simple as possible on the Internet, check out the DNS design RFC.
This is an over-generalization. True that dependence on proprietary systems is generally bad because proprietary systems are usually not subject to the public evolutionary process applied to open standards, and therefore can have more problems. In general, simplicity triumphs over complexity when two ways of doing the same work are compared. Complexity wins out if a better (faster, easier) way of doing the work happens to be more complex.
I'm presuming you mean people could send e-mails saying "go to this URL". They can do that now. This would actually help with Phishing deterrence if users learned to only trust "verified" e-mail sender identities.
A big reason for me to like this (and dislike it at the same time for security reasons) is that a widely distributed system like this will make it easier to keep track of who said what, even across multiple web sites. Each person would have the same name across many web sites, so those of us who are involved in multiple online communities can more easily keep track of people that share more than one common community with us. For example, I could identify Slashdot posts by people that go to the iDevGames forums like I do.
No one liked Passport so that's why it didn't get used. This is a different idea which has a slim, but possible, chance of success.. even on large sites.
Forgive me if I'm being naive, but couldn't we have more or less open posting if whatever bulletin board system required a PGP encrypted post, and checked it against a central authority, or even several authorities?
Computers are useless. They can only give you answers.
-- Pablo Picasso
Christ on a cracker, I know this is Slashdot, but could you at the very least read the summary?
Actually, as near as I can tell it doesn't "prove" anything. Anyone who learns or knows the URL can pretend to be me on this or any other site. Especially if you're dumb enough to use the subdomain format shown. (e.g. brad.livejournal.com)
Without a private portion (password) it fails at authentication of identity, and devolves to just being "easy"...
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
There seems to be quite a proliferation of these services, eg. NoCatAuth, which is used in several projects.
Oh well, what the hell...
You know him well.
Did it ever occur to you, and those like you, that blogs and livejournals have given several hundred thousand Americans (just Americans alone) a new stake in online freedom of speech? The EFF now has a potential base of support from hundreds of thousands of bloggers who don't want the FCC and FEC telling them what they can and cannot say online. That means that online speech is now rapidly becoming a popular issue rather than a "geek issue."
And you want to know what ruins the net even more? Trolls. It doesn't matter where they are rearing their ugly heads, trolls do real damage to any discourse online. If a troll were to talk the way that most of them do in a bar, they'd probably be murdered by having a glass bottle smashed over their head and then get stabbed with the jagged edges. Yet there are tons of trolls out there, and you worry about someone writing a narcissistic blog or LJ about their life for their friends? I've only seen a few of that type care if anyone outside their circle of friends and family reads their posts.
And you know what? What makes you think that your comments on slashdot are any different, in principle, from a blog post? How are tons of comments in this forum about natalie portman petrified, and all of the other trollish bullshit not destroying the net just as much? No my friend, the net is just beginning to look more and more like the "offline world."
This is a different idea which has a slim, but possible, chance of success.. even on large sites.
I'll grant slim and possible chance of success. I would certainly welcome it. The pessimist in me thinks it will be a long time before I can forget about all the fake login information I have created for all those websites.
What I would like to see is a centralized logon system that would contain all of your information (userid/password/real name/address/telephone/etc/etc). Upon activating this logon for a new website you could choose which information to reveal to them. Some websites you might trust enough to give your postal address. Others you probably wouldn't even want to give them your primary e-mail address let alone postal. You could likewise choose whether or not you want to disclose your birthday/ssn/favorite color or what have you.
The big problem with that dream is I would never trust any for-profit company with that amount of information on me. Especially when you think that the only companies with enough name recognition in the industry to pull it off would probably be Verisign (slime) and Microsoft ($). Hardly a great choice now is it?
Face it, how do you feel when some links in slashdot to a "register for free!" kind of link?
Actually, it used to bother the hell out of me.. but now, it BugsMeNot..
DJ kRYPT's Free MP3s!
You just lack creativity.
Hey!! Don't throw your garbage down here!
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
2. It takes a little longer than just five seconds to register for a new service. First you have to spend at least five seconds filling out a form and squinting to read the CAPTCHA. Then you have to wait a few minutes for the email to finally arrive and then confirm it. Of course, I'm only talking about the majority of services here. Clearly there are one or two (total) services in the world which actually take five seconds to sign up for.
Furthermore, that's not the only reason they did it. Suppose John Smith registers on 5,000 web sites. What says that JohnSmith at Slashdot is the same john_smith at LiveJournal? OpenID solves that part of the problem.
3. Last I checked, Firefox's "remember password" feature didn't help my home browser remember passwords entered at work. Furthermore, this feature doesn't magically register new accounts either.
4. I agree, and not having to register on 5,000 web sites is minimalism for most people.
6. If you'd bothered to read their documentation, they actually admit that rogue sites can do whatever they want, including simply not handling the OpenID information at all. What OpenID does is makes sure that sites which _do_ play by the rules have a consistent view of identity.
7. I'm sure most users would love to have to manage a cron job just to do something that web sites can do for them.
9. Let's see how.
Karma: It's all a bunch of tree-huggin' hippy crap!
Providing you actually have a URL, this may be slightly better than the existing typekey technology. However, only 1 in 14 internet users has their own blog or website. The more options the better I suppose, but this is really an evolutionary step rather than a revolutionary one.
I am treading out in unknown territory here, but is it not possible to use some authentication mechanism on a central server, and verify it, you know, like Kerberos/Passport/alternative? Or is OpenID trying to do exactly that?
You're right! In his pages and pages of specs, he totally missed the attack of "just typing someone else's URL!" I wonder why he never thought of that!
Thank you for your thoughtful analysis.
That is precisely what OpenID isn't. They mentioned that there's no profile exchange.. OpenID just makes sure that shakrai@slashdot.org is that person. Doesn't say anything ABOUT that person.
.. OpenID is not meant for this.
They wanted to keep the protocol simple and easy. Another layer can be added on top of it, later on, for profile exchange... but they specifically avoided doing it in this version.
The problem with profile exchange is, it's hard to maintain. Once you give them information, they can keep it. If you only give them an OpenID, that's all they know about you, unless you give them more. Which most sites will probably ask for anyway. I'm sure the NYTimes wants you to login for demographics, not because they want to verify that you are who you say you are before you read a story. They have no way of knowing anything about shakrai@slashdot.org, besides what you visit. But if you make an account there, they have your name, address, age, gender, etc. AND what you visit at their site
What makes me sure that my identity server is mine? I check the URL. If it doesn't say @spectralsdomain.com , then I know it's fake. If it's in bold green text, shows my own personal graphics, and says that, then I can be pretty damned sure it'll be my own.
So, what's the danger here? Idiots will log in to a site they don't need to be in, get their identity and openid password stolen, and then go running around logging in to all these sites and leaving comments as you.. where every single time they login, is logged by your identity server...
the first time I see a login for slutty_porn_chat.com using my ID, I'll know my password has been compromised, change it, and bam.. I'm secure again. Whereas if I need to signup for this evil site, and am stupid enough to give them a password I normally use (since I use the same everywhere), then they have my password to everything.
Keep the password the same on all sites you trust (if you're lazy, like me). keep the OpenID password different (if you're uber paranoid). Now you have two passwords to remember, but very little worries about anything. Right?
A few days before the LiveJournal system came out I released something very similar (this is not sour grapes; they have very generously acknowledged my work) called mIDm. You can view it here: http://www.downes.ca/idme.htm
I was very pleased to see the LiveJournal system because it acknowledges what no system has done before: that identity belongs in the hands of the users.
This has two major aspects:
First, as argued over and over on the LiveJournal site, this is not an authentication system, it is an identification system. You are not being required to prove you are who you say you are, you are instead being given a mechanism to declare who you are.
It is, in purpose and intent, as secure - and no more secure - than filling out a web form. But the idea here is that you fill out the form just once, and then using a system of call-backs (to ensure your personal information isn't spoofed) you can use that information anywhere on the web.
Let me repeat that, in case you didn't get it: anywhere on the web.
The idea is, if you want, you can have the *same* identity on each of dozens of websites. Which means, say, if your email address changes, you change it once, and this information is now available (if you want it to be) to all of your accounts. Ditto your home page.
I will leave the many, many applications - such as web-wide personalized display, in-page messaging, multi-site social networking, and more - as an exercise to the reader.
Second, what it means is that the system is distributed. This means that there isn't some centralized grand poobah of identity (the way Passport tried to be, the way Sxip is trying to be). It means you can choose any system you want to host your identity or you can build your own.
Let me repeat that: you can build your own.
Don't like their security? Make yours tighter. Too much lag on LJ? Host it yourself. Want to send different emails to different types of site? Code it.
One of the mistakes made in previous systems was in the use of a one-size-fits-all model, which meant that the level of security had to be at the highest possible - which is orders of magnitude more than someone needs merely to write blog posts and comments. Building a distributed system allows each person to decide how much - or how - security is appropriate.
Having made these two points, I would like to mention briefly where my system goes beyond LJ's. In their system, you are still typing your home URL at each site you visit. In mine, you don't ever have to type your home URL - it is stashed in the browser agent environment variable, where it can be picked up by any site that needs it. Oh I know, you probably shouldn't do that - but I've been testing this for months with no ill effects. YMMV, and if you have a better idea, I'm all ears.
Despite the naysayers here on Slash, this system - or something very like it - will become the norm on the internet very soon.
Why?
- Because it will be very simple to install for websites, especially after things like Drupal and Wordpress modules are built.
- Because it will be very simple for the user, because they just need to type one thing in (or extensions will be built for my type of system).
- Because it will work.
- Because it will be no less safe, and probably more safe, than filling forms willy-nilly everywhere you go.
this sounds like the stuff XDI.org do. with i-names and so on...
no sig for you
Passport failed because it required that everyone trust Microsoft.
(Yeah, right.)
This system doesn't require a central trusted entity.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
Ok I'm sold! I already thought it was a good idea, but the best part is, if you are worried about the stability of an OpenID server [and want your personal URL] it is convenient even if you don't have the ability to run your own OpenID server! You can just DELEGATE! Enter your personal URL, but it will do the actual identification from whatever OpenID server you point it to [say livejournal]. That way, if LJ [or your chosen OpenID server] goes away, you simply change your delegation to point to another OpenID server [where you will need an account of course], but you will still have your own URL as your identity. You don't have to change it just because your OpenID server doesn't exist anymore. Very nice!
Nothing to see here
What if we took this idea a step further and added a form of authentication, namely, signing of messages?
Here's what I have in mind, please point out any flaws in my logic:
- I log into livejournal.com using my id, "hisham".
- I post a message at foo.com using my OpenID, hisham@livejournal.com.
- foo.com sets a cookie in my browser, and issues a request to livejournal.com, with the cookie and the message.
- livejournal.com receives the request, verifies the cookie (confirming that the request from foo.com was posted by a browser that's actually currently logged in as hisham on livejournal).
- livejournal.com then signs the message and sends the signature back to foo.com.
- foo.com posts the message saying that hisham@livejournal.com posted it, with the signature in the end (or most likely, accessible through a link).
- If anybody wants to verify if the message is legit, they can copy-paste the message and the signature and check it in a verification form in livejournal.com.
The system is still fully decentralized (anyone can host their own "OpenAuth" servers) and you only need to trust one of the sites (the signer), not both as in OpenID (though "trust" in the sense of OpenID means just identification, not authentication -- and I'm fine with it since that's its purpose). Off the top of my head, the only two potential issues I see are:
- the signer server would see everything you posted anywhere -- but anyway, Google sees all my emails... if this is a concern, host your own server;
- the load on the servers -- would this be a big problem? most sites could use lighter, less CPU-intensive cryptography... again, if this is a concern, host your own server with 1024-bit crypto.
What do you people think? Could something like this work??
The filesystem is the package manager
Which is the problem. It doesn't need to be your URL.
My current comments stand, with a couple of exceptions. First, it appears that you have to "authorize" a site. Second, you have to be logged in.
Given those two conditions, it appears I could easily impersonate someone on a site they frequent if they have a session running AND if I know (from their sig, perhaps) their URL/domain.
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
1. Say your home URL is www.slashdot.org/~shmlco. You log into slashdot.org, and slashdot gives you a cookie as it always does. This is how slashdot verifies you are logged in.
2. You go to randomblog.com. You want to post a comment as shmlco from slashdot. So you give randomblog.com your URL, www.slashdot.org/~shmlco.
3. randomblog.com establishes a shared secret with slashdot.org cryptographically, if it has not done so already.
4. randomblog.com sends your browser to whatever authentication URL is specified in the link tag of your site, for example: <link rel="openid.server" href="http://www.slashdot.org/openid-validate.cgi">
5. Your browser hits www.slashdot.org/openid-validate.cgi, which can validate that you are logged into www.slashdot.org (just like any slashdot page can), based on your cookies.
6. If you are logged in, slashdot.org signs a certificate saying so, using the shared secret as a key, and redirects you to someblog.com with the signed certificate as one of the parameters.
7. someblog.com decrypts the certificate, and therefore knows that your browser is signed into slashdot.org.
As you can see, your proposed attack could not work, because you don't have the victim's cookies in your browser, nor do you have the shared secret you would need to fabricate a certificate.
I mean really, don't you think that someone who took the time to write a detailed spec would think of obvious attacks like the one you propose?
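The seven steps above, and the message-signing scheme proposed earlier in the thread, rest on the same two facts: only the browser that holds the session cookie can get an assertion out of the identity server, and only the two sites that share the secret can produce a signature that verifies. Here is a runnable model of the flow that makes both checks concrete, as an added example that is neither this commenter's code nor OpenID's own. The host names, the cookie format, the HMAC-SHA256 assertion, the nonce handling and the association step are simplifying assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def canonical(fields):
    """Fixed byte encoding of the assertion, so signer and verifier hash the same string."""
    return urlencode(sorted(fields.items())).encode()


class IdentityServer:
    """www.slashdot.org in the steps above (modelled, not the real server)."""

    def __init__(self, host):
        self.host = host
        self.sessions = {}       # session cookie -> username (step 1)
        self.associations = {}   # consumer host -> shared secret (step 3)

    def login(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def associate(self, consumer_host):
        # A real deployment would run a key agreement here; the model simply
        # hands out a random key and remembers which consumer it belongs to.
        key = secrets.token_bytes(32)
        self.associations[consumer_host] = key
        return key

    def validate(self, cookie, identity_url, consumer_host, nonce):
        """Steps 5-6: answer with a signed assertion only if the session that
        presented the cookie owns the claimed identity URL. No login prompt is
        shown here; an unknown session just gets a refusal."""
        user = self.sessions.get(cookie)
        key = self.associations.get(consumer_host)
        if user is None or key is None or identity_url != f"http://{self.host}/~{user}":
            return {"status": "not_logged_in"}
        fields = {"identity": identity_url, "return_to": consumer_host, "nonce": nonce}
        sig = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
        return {"status": "ok", **fields, "sig": sig}


class ConsumerSite:
    """randomblog.com in the steps above (modelled)."""

    def __init__(self, host, idp):
        self.host = host
        self.key = idp.associate(host)   # step 3
        self.used_nonces = set()

    def begin(self):
        """Step 4: the nonce ties the eventual assertion to this login attempt."""
        return secrets.token_hex(8)

    def finish(self, response, claimed_identity, nonce):
        """Step 7: accept only if the MAC verifies under the shared secret and
        every field is the one this site expected for this attempt."""
        if response.get("status") != "ok":
            return False
        fields = {k: response.get(k, "") for k in ("identity", "return_to", "nonce")}
        expected = hmac.new(self.key, canonical(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response.get("sig", "")):
            return False
        if fields["identity"] != claimed_identity or fields["return_to"] != self.host:
            return False
        if fields["nonce"] != nonce or nonce in self.used_nonces:
            return False
        self.used_nonces.add(nonce)
        return True


def run_scenario():
    """One legitimate login, then what a forger without the victim's cookie or
    the shared secret can do. Returns the outcome of each attempt by name."""
    idp = IdentityServer("www.slashdot.org")
    rp = ConsumerSite("randomblog.com", idp)
    victim = "http://www.slashdot.org/~shmlco"
    results = {}

    victim_cookie = idp.login("shmlco")                      # step 1
    nonce = rp.begin()
    assertion = idp.validate(victim_cookie, victim, rp.host, nonce)
    results["victim_ok"] = rp.finish(assertion, victim, nonce)

    # Forger knows the victim's URL but only holds their own session cookie.
    forger_cookie = idp.login("mallory")
    nonce = rp.begin()
    assertion = idp.validate(forger_cookie, victim, rp.host, nonce)
    results["wrong_cookie"] = rp.finish(assertion, victim, nonce)

    # Forger obtains a genuine assertion for their own URL and edits the identity.
    own = "http://www.slashdot.org/~mallory"
    nonce = rp.begin()
    assertion = dict(idp.validate(forger_cookie, own, rp.host, nonce), identity=victim)
    results["edited_identity"] = rp.finish(assertion, victim, nonce)

    # Forger fabricates the whole assertion with a guessed key.
    nonce = rp.begin()
    fields = {"identity": victim, "return_to": rp.host, "nonce": nonce}
    fake = {"status": "ok", **fields,
            "sig": hmac.new(b"guess", canonical(fields), hashlib.sha256).hexdigest()}
    results["forged_sig"] = rp.finish(fake, victim, nonce)

    # A captured genuine assertion is presented a second time.
    nonce = rp.begin()
    assertion = idp.validate(victim_cookie, victim, rp.host, nonce)
    rp.finish(assertion, victim, nonce)
    results["replayed"] = rp.finish(assertion, victim, nonce)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The model deliberately binds the nonce and the consumer's host into the signed fields and refuses a nonce twice: without that, the assertion proves only that the browser was logged in at some point, not that it was logged in for this site's current attempt. Whether the real spec binds those values is not something this thread establishes, so treat the binding as a design note rather than a statement about OpenID.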
Problems with OpenID
I put off reading the OpenID spec because I thought it was probably flawed. Now I just feel like applying my head to my desk.
OpenID is led by this philosophy:
The above is taken from a discussion of vulnerabilities. The problem with this lowest common denominator approach is that it's horribly broken. OpenID is currently no better than just giving the URL of your blog.
The number one problem is the complete lack of integrity checking. Everything in OpenID seems to be perfectly happy to let their requests be modified in transit. I think the problems with this are pretty damn obvious: nothing can be trusted. Fortunately, fixing this is pretty simple: use TLS. In today's shared hosting environment, you probably want to require support for server name indication.
Another brilliant idea: transmit the key that you'll use for signing later in plaintext.
I believe "limited in some way" means "completely insecure." "Dumb mode" is not safe because there's no key associated with the server, so there's no way to ensure you're talking to the same one or that someone isn't tampering.
I also don't see much point in using a symmetric key for speed and security when you're just encrypting a short string. It's so tiny that both improvements are similarly small.
Perhaps the biggest problem with OpenID is its reliance on sending a user to another page to login. It's just too easy to spoof a page and fool most people. Even better, you can open a window using Javascript and hide the location bar. Even if you normally use TLS, most people probably won't notice if it's missing or the certificate is different. Also, most sites (including LiveJournal) include a completely insecure assurance that you're secure. For example, LiveJournal says "LiveJournal Secure Site"
A simpler and more secure alternative
The only way to fix this is (gasp) get users to carry their own keys. If you stored your key in a bookmarklet or extension, you could sign something with it. This is completely feasible because Javascript cryptography implementation is done. You could submit your public key with the signed comment. If you wanted to associate yourself with a URL, all you need to do is link to a page with the public key. If the same public key can be used for the signature.. That's right, no special identity server is needed. The public key could be submitted directly or it can be linked to. It might be a pain to write out the entire URL to the key, so perhaps autodiscovery-from-HTML should be supported:
<link rel="openpgp.key" href="http://www.livejournal.com/pubkey.bml?user=a trustheotaku"
Note that no TLS is needed. The signature is secure in and of itself. If you want to support all the fanciness (e.g. revocation) of OpenPGP (spec), then you just need the
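Both the `openid.server` tag quoted in the steps earlier and the `openpgp.key` tag proposed here are autodiscovery: a consumer fetches the user's URL and reads a `<link rel=...>` out of the document head. The delegation described earlier in the thread works the same way through a second tag, `openid.delegate`, which names the identity the server will actually vouch for. Below is a small discovery routine written for this page as an added example (not the commenter's code and not any OpenID library); it uses only the standard library, and the sample page it parses is constructed here.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# rel values this example understands: the two OpenID 1.x tags and the
# openpgp.key tag proposed in the comment above (an assumed name, not a
# registered one).
KNOWN_RELS = {"openid.server", "openid.delegate", "openpgp.key"}


class LinkRelParser(HTMLParser):
    """Collects the first href for each known rel, but only from tags that
    appear before <body>, because a link planted in a comment or post body
    must not be able to redirect discovery."""

    def __init__(self):
        super().__init__()
        self.seen_body = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.seen_body = True
        if tag != "link" or self.seen_body:
            return
        a = dict(attrs)                      # HTMLParser lowercases names
        href = a.get("href")
        for rel in (a.get("rel") or "").lower().split():
            if rel in KNOWN_RELS and href and rel not in self.links:
                self.links[rel] = href


def discover(base_url, html):
    """Return {rel: absolute http(s) URL} for the known rels found in html."""
    p = LinkRelParser()
    p.feed(html)
    p.close()
    found = {}
    for rel, href in p.links.items():
        absolute = urljoin(base_url, href)
        if urlsplit(absolute).scheme in ("http", "https"):
            found[rel] = absolute           # javascript:, data: etc. are dropped
    return found


def verification_plan(claimed_url, links):
    """Which server to ask, and which identity to ask it about. With a
    delegate tag the server vouches for the delegate URL, while the consumer
    still records claimed_url as the user's identity."""
    server = links.get("openid.server")
    if server is None:
        return None
    return {"server": server,
            "identity_to_verify": links.get("openid.delegate", claimed_url),
            "claimed": claimed_url}


# Constructed sample page: a personal URL that delegates to a slashdot account
# and also publishes a key. The link inside <body> must be ignored.
SAMPLE_PAGE = """<html><head>
<title>shmlco's page</title>
<link rel="openid.server" href="http://www.slashdot.org/openid-validate.cgi">
<link rel="openid.delegate" href="http://www.slashdot.org/~shmlco">
<link rel="openpgp.key" href="/pubkey.asc">
<link rel="stylesheet" href="/style.css">
</head><body>
<p>Hello.</p>
<link rel="openid.server" href="http://attacker.example/not-my-server">
</body></html>"""


def demo():
    base = "http://www.example.com/~shmlco/"
    links = discover(base, SAMPLE_PAGE)
    return links, verification_plan(base, links)


if __name__ == "__main__":
    print(demo())
```

The two checks worth keeping from this routine are the ones the thread's own discussion motivates: only tags that precede `<body>` count, so page content a third party can inject never steers discovery, and only `http`/`https` targets are accepted, so a consumer never follows a `javascript:` or `data:` href.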
So one could almost say that it's like a passport that allows you to "log on" to lots of different sites...
One solution would be the iButton
Harald
How does this prevent me from saying I'm, for example, the previous user that posted a comment? He has his server set to trust the site I am posting on, and I'm using his name, so shouldn't the server accept my comment, since it doesn't know who's posting? I know this is not supposed to be an authentication scheme, but an identification scheme where everyone can claim to be anyone else isn't that good, IMO.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
If I were implementing an identity server, in order to prevent phishing like this I would not have the identity server ask for a login during the middle step... (the way I read the spec, it's not meant to...)
Instead, I'd have the identity server return "not logged in", and make people log in to the identity server first, separately. This is for people like me, who log into slashdot first thing in the morning, then proceed to visit other sites during the day... I'm already logged in to slashdot, so it can validate my id without needing to give me a login box.
"Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
A new scheme for this is actually pointless, because it just reinvents an existing wheel and does so far less effectively than before.
That previously invented wheel is PGP keys.
They were created for a different purpose, but they already contain a string that can be used as a legible identifier (which commonly contains a URL or email address), and they are trivially checked, and they are vastly more proven and secure as a means of trusted identification, and they already operate through a distributed system of public keyservers, and there is already a huge web of trust built around them, and of course OpenPGP and GnuPG are already fully free and open systems.
So why reinvent a wheel, and badly? Use PGP keys for login recognition, and any security concerns just evaporate.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
We don't need single sign-on to fill in a few form fields for banking, ecommerce, or blogs. The risks-to-benefit ratio just never works out. It's a few fucking form fields for Christ's sake!
Says the person who couldn't even be bothered to sign up to Slashdot...
Hmm. it might do that, I'm not entirely sure. I've not actually used it, I just really like the concept. :)
Heh - yeah, me too... that was an oops on my part - that was supposed to be a reply to the post above yours...
"Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
Take a look at the typical LJ and you will see that it matches the stereotype given to it very well. LJ's are not the pinnacle of individual expression. Sorry. I'm sure there are a few "good" ones there, but they do not represent a majority that ShatteredDreams thinks he can count on to "save the net".
There's a lot of boring and rubbish journals; but I'm not convinced that the noise ratio is any worse than the trolls on Slashdot.
Furthermore, if you think that people sit around reading LJs at random, then you are *completely* missing the point. The idea is that you read and comment on the journals of people you know, like and/or find interesting. Who cares if there are a million rubbish journals out there if you don't have to read them?
Blogs in general are not very good sources of high quality information or discussion. I'll stick to my favorite professors, writers, and other authors over the vast majority of the blogs out there.
And what if one of your favourite writers was writing on an LJ?
Replace "blogs" with "websites", and what you say is still true: the vast majority are rubbish. So by your logic, websites in general are no good.
Ah, I see now, I must have missed that in the spec, thanks. :)
Send email from the afterlife! Write your e-will at Dead Man's Switch.