LiveJournal Founder Launches OpenID System

geekdreams writes "Brad Fitzpatrick, the founder of LiveJournal, has launched OpenID, an 'actually distributed identity system' for websites that accept user comments. The system utilizes decentralized servers to authenticate users, and aims to replace centralized ID systems such as Microsoft's Passport and SixApart's TypeKey. The first implementation of OpenID can be seen on LiveJournal comments pages." Previously mentioned on Slashdot, now out of development.

Re:Not really that good, IMHO.

step 11. profit!

Re:Not really that good, IMHO.

[outZider]

Just as an aside, the XML-RPC vulnerability was based on items in the PHP community, and not in the module used within Perl. Danga and the LiveJournal team have been working with XML-RPC for quite some time, and they tend to be nazis about the security of their implementation.

Not that bad, either

[jfengel]

The only motivation I can detect for Open Id is to save people FIVE SECONDS by logging into a new forum, website

I'd have thought the motivation was to limit the number of separate accounts you need. Having a billion accounts running around is a massive security nightmare. Either you're using the same password everywhere (and telling every web site owner your password) or you're wandering around with a notebook of thousands of passwords.

Firefox won't remember your password if the computer is a public terminal, or if you use multiple computers (e.g. at home and at work.)

No, this isn't the ultimate solution (which involves encryption, a portable very strong crypto key time-based challenge-response, and perhaps biometrics), but it could be a good half-measure.

Re:Not that bad, either

[spectral]

There aren't central servers. This is DECENTRALIZED. Run your own OpenID server. Now you control EVERYTHING about validating that you are you. This does NOTHING else. There is no profile exchange, there is no password exchange. All this does is says that someone using OpenID spectral@slashdot.org (if slashdot ran their own, for example) on Livejournal is the same person that is claiming to be spectral@slashdot.org on slashdot, and spectral@slashdot.org on Deadjournal, and spectral@slashdot.org on any Moveable Type journal, and spectral@slashdot.org on (whatever implements this system).

This is a means of identification. You log in to a site. The site passes off a redirect url, of sorts, to the OpenID server (the part after the @), and asks THEM to verify who you are. The OpenID server does this, and either goes to the URL it was directed to, and now you're 'identified' to the original site, or says no .. and you don't go any further.

So, what if they spoofed the OpenID server, made it always say yes? Then now you have anyone @that_openid_server can ident as anyone else. This doesn't compromise me@some_other_server. I'll probably end up running my own OpenID server, and having my account on it. Or maybe get my friend to, and we'll all share. Small and localized, one password to remember, and works anywhere (home, work, laptop, desktop, friend's house..) and the authentication goes away when I close the browser window.

What, exactly, is wrong with this ... except now I can Identify myself to websites without needing to worry about whether or not they're going to steal my password and try it on every website that's popular?

Can hardly wait...

[martian67]

I can hardly wait if/when systems like this become popular, to be forced to register an id like Martian5576567567 due to every other numerical possibillity haven been already taken, due to alot of sites using such a system, and people forgetting about passwords or old accounts and re-registering multiple times.

Also isnt there an issue if somone discovers your password, they can "pretend" to be you on any site including sites with sensitive information such as paypal and the like...

Re:Can hardly wait...

[LFS.Morpheus]

I'm not addressing your security issue.. I think OpenID is not designed for secure applications (banks, credit cards, etc) - its more for bloggers, chatters, forums, etc etc.

Anyone can run an identity server.. so for instance each ISP could have one, or you could choose to use Google's, or Yahoo's, or Livejournal's.. or even mine, if I choose to run one for my website. In an ideal world, AOL could run one and integrate it with their AIM logins. Microsoft could run one and then Passports would work too.

Having a decentralized system allows you to avoid problems like this - it's kind of like jabber in my mind. I don't know *too* much about OpenID yet but this is the general idea.

Re:Not really that good, IMHO.

[diegocgteleline.es]

2 I think the motivation for this service is skewed. The only motivation I can detect for Open Id is to save people FIVE SECONDS by logging into a new forum, website... etc. People already have their own methods to achieve this kind of simplicity in their lives.

3 Tools like Firefox's "remember password" make these kinds of shared identity systems obosolete, don't they? Who cares how many passwords you have to remember? You don't have to remember ANY of them anymore, really.

One of the things I hate about internet is precisely this. Face it, how do you feel when some links in slashdot to a "register for free!" kind of link? I also hate when I go to a blog or a online forum and I'm forced to register, wait for email, login, etc. Most of the time I give up - this thing would fix those problems.

Re:Not really that good, IMHO.

[Azarael]

For 2, it does get to be a pain when you are signed up to 20 or 30+ forums. Example? these days, a lot of software support and bug reporting facilities are on a forum. It's a bit of waste of time if you have to sign up just to make a couple posts.

I'm not saying that we need more services like the one in the article, but it would be nice to have some sort of simple way to fix this.

Self Obsessed ID system?

If it is like LiveJournal, I am sure lots of self obsessed people will want to use the ID system.

Re:Not really that good, IMHO.

[Xepo]

First of all, look at the reason this was created. There are hundreds of livejournal clones out there, and a lot of them run the livejournal software (deadjournal, blurty, etc.). I'm not going to create a new journal on each one of those sites just so I can view the friends-only posts of my friends on those sites, and especially not just so I can comment. This provides a way to link all of those sites together, and it does it openly, in a way that sites that don't use LJ's software can use.

Secondly, addressing your remember passwords comment, it's a complete waste of resources for the system for these users, who just may want to leave a comment, to force them to sign up for an account. Why not just let them provide a reference URL which represents them, and let that server verify that the provided URL is the user's?

Many of your points were simply "This is complex", or "This requires relying on more systems", and conclude that it's bad. Firstly, I think 'rely' is the wrong word for this. You're using these other systems, yes, but if these other systems go down, it doesn't stop you from doing anything. It's similar, though not a perfect analogy, to saying that having more IRC servers in a given network is bad because you're relying on more servers.

Also, imagine the advantages this gives when designing around this system. Forums which are really only for one topic, such as an official forum for a specific piece of software, don't even need to store any user or password information (and therefore don't have any sensitive data). The forum can simply store the OpenID URL for the admins and allow anyone who can verify with that URL do all of the admin work.

It's the first step to providing a true roaming profile, and single sign-on for the web, and it's done in an open manner. I think it's a step in the right direction.

Re:Not really that good, IMHO.

[Gaewyn+L+Knight]

1. if it is a problem... they'll patch it
2. No... it's to save you remembering which login (hmm... was this nick? or email address?) and which password (These !@!#s don't allow periods?)
   
3. Although 'remember password' is nice... how many people truly trust that local database to be secure? Even if you are not paranoid... how many people hate it when they are on another machine that doesn't have it remembered and they can't remember even more passwords because they don't usually use them
   
4. Yes you should always be careful with 3rd parties in trust relationships... however all this service does is lets another site say 'With those credentials I will vouch for them being this person on my site'. It doesn't prove they are Joe with bank account number xxxxxxx... it proves they are someluser@livejournal.com
   
5. Granted... outside systems always leave you open to failures beyond your control. But... it is a ton easier to say 'livejournal users arn't working because livejournal is broken' than saying 'ohh shoot.. we're sorry our database died and we lost all the users'. Both situations will RARELY happen... and if a user can't login cause their verifier sucks they will get a new one.
   
6. The phishing only works if you have their password... which... why would you phish then?
   
7. Nothing comes for free... but I think most users would take 3-5 seconds of lag on first login to save the setup/remember torture
   
8. This system is designed to let you prove you are the user of another system... and it does it securely... this isn't something to use to login to your bank account with... yet... :}
   
9. That infers you are within one CMS...
   
10. There is no #10 ;}
    

What this is actually good for

[ShatteredDream]

Many blogs require you to register in order to be able to comment so that the person who runs them can control trollish behavior. This sort of system is good for letting people avoid having to register to be able to post on dozens of blogs.

Registration is mostly good for keeping away trolls who can't even take the time to learn their native dialect of English well enough to write a coherent and grammatically correct post. Sometimes it's horrifying to read the structure of such posts because you realize how far our schools have fallen. I've gotten ones that if I didn't have a college-level grasp of English, I'd have no idea what was being said.

As long as security is the first priority, this is a good thing. What I wonder though, is how secure this could really be without centralization. The appeal of SixApart's service is that SixApart is guarding it aggressively from being cracked... so who runs this service? I'm not sure how well you could trust a P2P system like this since you have no definitive authority to say "this user is who he/she says they are."

Re:Not really that good, IMHO.

[Shakrai]

One of the things I hate about internet is precisely this. Face it, how do you feel when some links in slashdot to a "register for free!" kind of link? I also hate when I go to a blog or a online forum and I'm forced to register, wait for email, login, etc. Most of the time I give up - this thing would fix those problems.

On the surface you might think that this thing would fix those problems but I highly doubt that it will change anything.

Think about it: If the New York Times wouldn't adopt Microsoft's Passport solution do you really think that they are going to adopt this solution by a (in their eyes) virtual nobody? If something with the backing of the largest software company in the World couldn't take off then I don't hold out much hope for this except perhaps for some blogs here and there -- but that hardly solves the NYT problem.

Re:Not really that good, IMHO.

[psyclone]

[OpenID] hardly solves the NYT problem

Well, assuming this OpenID thing is really great and wonderful and doesn't make the baby jesus cry, then perhaps a lot of small sites will use it. And if a lot of small sites are using it, it might trickle up to a decent amount of medium sites, which might get noticed by a few large sites.

No one liked Passport so that's why it didn't get used. This is a different idea which has a slim, but possible, chance of success.. even on large sites.

Re:The point?

[jfengel]

Captcha solves a different problem. Captcha proves that you're a human (more or less). OpenID proves that you are you. That doesn't prove that you're a human; it just proves that you know a password. But since you're the only one who knows that password, you're uniquely you and you don't have to create a separate account on each system you visit.

So it's a convenience for users, not to prevent spammers. This does have spam implications: you can blacklist/whitelist ID servers and you don't have to give your email to every site you visit, but it's not really about preventing spam. It's about simplifying the mass of passwords and accounts you have.

Self-Identification

[Downes]

A few days before the LiveJournal system came out I released something very similar (this is not sour grapes; they have very generously acknowledged my work) called mIDm. You can view it here: http://www.downes.ca/idme.htm

I was very pleased to see the LiveJournal system because it acknowledges what no system has done before: that identity belongs in the hands of the users.

This has two major aspects:

First, as argued over and over on the LiveJournal site, this is not an authentication system, it is an identification system. You are not being required to prove you are who you say you are, you are instead being given a mechanism to declare who you are.

It is, in purpose and intent, as secure - and no more secure - than filling out a web form. But the idea here is that you fill out the form just once, and then using a system of call-backs (to ensure your personal information isn't spoofed) you can use that information anywhere on the web.

Let me repeat that, in case you didn't get it: anywhere on the web.

The idea is, if you want, you can have the *same* identity on each of dozens of websites. Which means, say, if your email address changes, you change it once, and this information is now available (if you want it to be) to all of your accounts. Ditto your home page.

I will leave the many many applications - such as web-wide peprsonalized display, in-page messaging, multi-site social networking, and more - as an exercise to the reader.

Second, what it means is that the system is distributed. This means that there isn't some centralized grand poobah of identity (the way Passport tried to be, the way Sxip is trying to be). It means you can choose any system you want to host your identity or you can build your own.

Let me repeat that: you can build your own.

Don't like their security. Make yours tighter. Too much lag on LJ. Host it yourself. Want to send different emails to different types of site. Code it.

One of the mistakes made in previous system was in the use of a one-size fits all model, which meant that the level of security had to be at the highest possible - which is orders of magnitude more than someone needs merely to write blog posts and comments. Building a distributed system allows each person to decide how much - or how - security is appropriate.

Having made these two points, I would like to mention briefly where my system goes beyond LJ's. In their system, you are still typing your home URL at each site you visit. In mine, you don't ever have to type your home URL - it is stashed in the browser agent environment variable, where it can be picked up by any site that needs it. Oh I know, you probably shouldn't do that - but I've been testing this for months with no ill effects. YMMV, and if you have a better idea, I'm all ears.

Despite the naysayers here on Slash, this system - or something very like it - will become the norm on the internet very soon.

Why?

- Because it will be very simple to install for websites, especially after things like Drupal and Wordpress modules are built.

- Because it will be very simple for the user, because they just need to type one thing in (or extensions will be built for my type of system).

- Because it will work.

- because it will be no less safe, and probably more safe, than filling forms willy-nilly everywhere you go.