Slashdot Mirror


The Case for OpenID

An anonymous reader writes "VeriSign and NetMesh are making the case for OpenID, the grass-roots, decentralized digital identity system already supported by LiveJournal, Six Apart, Technorati, VeriSign and many startups, reportedly growing 5% every single week. They say OpenID 'is fundamentally different from other identity technologies' because it is a 'fully decentralized system' and has a 'much lighter cost structure' than any alternative, like Microsoft Passport, CardSpace or Liberty Alliance. Time to remove username and password from your site and add OpenID libraries instead, so visitors can authenticate with their blog URL?" From the article: "If tomorrow, for example, you decide you don't like the Diffie-Hellman cryptographic key exchange at the root of OpenID authentication, you can develop your own way of authenticating, and deploy it within the OpenID framework. If you have an idea for a new identity-related service that nobody else ever thought of, you can deploy it into the OpenID framework as soon as your code is ready. This radical decentralization on all levels of the stack, both technically and organizationally, is a very strong catalyst for attracting innovators and their innovations. This makes OpenID a superior choice for identity-related innovation."

16 of 229 comments

  1. No way! by Anonymous Coward · · Score: 4, Insightful
    Time to remove username and password from your site and add OpenID libraries instead, so visitors can authenticate with their blog URL?

    Urgh, no way! I do not want all my identities to be tied together through one system. My actions on one site should in no way, shape or form be able to be tied in with what I do on other sites. Compartmentalizing my online life is the best remaining way to retain a modicum of privacy and stave off easy identity theft.

    Any website switching to openID exclusively will lose my business. (Of course, if they offer it in addition to a standalone u/p, I'm fine with that, although I do fear that once it gets enough momentum, the standalone u/p will disappear after all.) :/

    1. Re:No way! by mmurphy000 · · Score: 4, Interesting

      There's been discussion of OpenID providers offering aliases, so you could have a number of distinct "IDs" you mix-and-match with, but they're all validated by an OpenID provider. I don't think the spec says one way or another regarding this; it would be a feature of whichever OpenID provider you used for your identity.

    2. Re:No way! by Blakey+Rat · · Score: 4, Interesting

      Well, I'm not you and I'm damned sick of having to keep a long-ass list of usernames and passwords for sites I really don't care much about. If I have to register to post a comment on some blog, I don't really care if someone steals that registration or password because I'm not likely to ever visit that blog again. If I could use a single ID to avoid registering at different sites 4 days a week, I'm all for it.

      The second point is that nobody's holding a gun to your head and forcing you to use it. If you don't like it, just create a new password for each site anyway. It doesn't prevent that.

      (Sidenote: Stop requiring registration for moronic things! I don't want to give you any personal information to post in a damned blog!)

      (Also, why do all these misguided technophobe posts always get modded up first? I thought this was a site for technology enthusiasts.)

    3. Re:No way! by Silverstrike · · Score: 4, Insightful
      That's not the point.

      As the GP said, you CAN make multiple identities. For example, make a "blog-posting" account, and use it to Authenticate to all the blogs in which you want to post. Use it to login to other "annoyance" login websites.

      Then make a separate one for your bank, your credit cards, etc.

      The beauty of this system is that it's a superclass of the current model -- it has all the capabilities of the established model, plus some more functionality.

    4. Re:No way! by Not_Wiggins · · Score: 3, Interesting

      Well, I'm not you and I'm damned sick of having to keep a long-ass list of usernames and passwords for sites I really don't care much about.

      Then try an approach that I've found incredibly useful... use generated site passwords along with address extensions!

      First, for passwords, you only need to remember *1* and have the following javascript (which runs client side) from this most excellent site:
      GenPass.

      Next, look into using address extensions (a la what are available via postfix) and define unique addresses for each site you visit (most that I visit have adopted the email address as the username).
      For those not familiar with address extensions, you get a base user id within your email system that you're allowed to dynamically apply an extension to and it'll still get delivered to your base box. So, if you're "sam@abc.com" with an extension, the address "sam+slashdot@abc.com" will still deliver to your base mailbox.

      Then it is trivial to figure out which site leaked your address for spam as well as start blocking a particular address (either by using procmail or a combination of postfix with an SMTP proxy such as smtpprox).

      And while we need the tech-savvy of the world setting up the mailserver side of things for our less tech-interested friends (I've done this for friends and family and host mail for them), it simplifies by effectively making it easier to manage multiple identities instead of depending on a bastion one.

      --
      Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
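The two techniques in the comment above, as an added example that is not GenPass's code nor the commenter's: a per-site password derived from one master secret, and the plus-address bookkeeping that tells you which registration leaked your address. GenPass's exact construction is not given on the page, so PBKDF2-HMAC-SHA256 keyed on the site's domain is assumed here; the domains and inbound addresses are constructed for the demo, and `recipient_delimiter = +` in postfix is what makes the `+ext` part deliverable.

```python
# Added example (not GenPass's or the commenter's code). Assumptions: the
# password construction (PBKDF2-HMAC-SHA256, salt = site domain), the "last
# two labels" rule for a site's domain, and every address/domain below.
import base64
import hashlib
import re
from collections import Counter
from urllib.parse import urlsplit


def registrable_domain(url: str) -> str:
    """Reduce a URL to the label used for one 'site'. Assumption: the last two
    host labels identify the site (slashdot.org). A real tool would consult
    the public-suffix list so that example.co.uk is not cut down to co.uk."""
    host = (urlsplit(url).hostname or url).lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def site_password(master: str, url: str, length: int = 16) -> str:
    """Derive the password for one site from the single master secret.
    Same master + same domain -> same password, so nothing is stored and a
    leak at one site reveals nothing about the others. PBKDF2 with a high
    iteration count keeps brute-forcing the master from one leaked site
    password expensive; a plain hash of master+domain would not."""
    domain = registrable_domain(url)
    dk = hashlib.pbkdf2_hmac("sha256", master.encode(), domain.encode(), 200_000)
    return base64.b64encode(dk).decode()[:length]


def site_address(base_address: str, url: str) -> str:
    """Mint the per-site alias to register with: sam@abc.com used on
    slashdot.org becomes sam+slashdot.org@abc.com."""
    local, _, domain = base_address.partition("@")
    return f"{local}+{registrable_domain(url)}@{domain}"


PLUS_RE = re.compile(r"^([^+@]+)\+([^@]+)@([^@]+)$")


def parse_extension(address: str):
    """Split sam+slashdot.org@abc.com into ('sam', 'slashdot.org', 'abc.com');
    None when the address carries no extension."""
    m = PLUS_RE.match(address.strip().lower())
    return m.groups() if m else None


def route_mail(rcpt: str, blocked: set):
    """procmail-style decision for one inbound message: the extension names
    the registration that leaked the address; blocked extensions are
    rejected, everything else is delivered to the base mailbox."""
    parsed = parse_extension(rcpt)
    if parsed is None:
        return ("deliver", None)
    _, ext, _ = parsed
    return ("reject", ext) if ext in blocked else ("deliver", ext)


def leak_report(rcpts):
    """Count inbound messages per extension: the top entry is the site that
    sold or lost your address."""
    counts = Counter()
    for r in rcpts:
        parsed = parse_extension(r)
        if parsed:
            counts[parsed[1]] += 1
    return counts


# Constructed inbound recipients: the alias handed to one site is suddenly
# receiving three times as much mail as everything else.
SAMPLE_RCPTS = [
    "sam+slashdot.org@abc.com",
    "sam+dealsite.example@abc.com",
    "sam+dealsite.example@abc.com",
    "sam+dealsite.example@abc.com",
    "sam@abc.com",
]

if __name__ == "__main__":
    print(site_password("correct horse battery", "https://slashdot.org/story/1"))
    print(site_address("sam@abc.com", "https://slashdot.org/"))
    print(leak_report(SAMPLE_RCPTS).most_common(1))
    print(route_mail("sam+dealsite.example@abc.com", {"dealsite.example"}))
```

One caveat the comment glosses over: the scheme is only as strong as the master, since anyone holding one leaked site password can try candidate masters offline; the iteration count slows that down but does not replace a long master passphrase. Sites that reject `+` in e-mail addresses are the other practical snag.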
  2. I've always liked the IDEA of OpenID by lidocaineus · · Score: 3, Insightful

    ...but there's no real easy server implementation on Linux (or any other OS) that doesn't require you to do a decent amount of interfacing with the libraries. In other words, if you have time, it works great (i.e., your employer wants you to work on an OpenID implementation project). If you just want to host some IDs on your personal box, there's no easy drop-in server software, or even reference software; my non-coder friends can't even begin to use it. I mean even Jabber has jabberd that you can build on.

    Anyway I'm sure that'll change in the future, but it'd be nice to have now. Or maybe I'm completely blind and there's a reference server implementation hanging around somewhere?

  3. 5% weekly growth by Mr.+Underbridge · · Score: 5, Funny

    reportedly growing 5% every single week.

    Translation: last week the install base consisted of his algebra class. This week he installed it on his mom's computer. Next week he's going to grandma's house and he'll install it there too.

  4. Can't be too complicated by a_nonamiss · · Score: 3, Insightful

    It's all well and good that I can write my own implementation of Diffie-Hellman key exchange, but if my mother can't go to a site and quickly and easily create a login, it's not going to work. I'm not at all saying it's a bad idea. Technically, it's a wonderful idea, but it has to be made so simple that anyone can access it, otherwise people are going to continue to use stupid services like Microsoft Passport.

    --
    -Arthur
    Cave ne ante ullas catapultas ambules
  5. OpenID is great in theory by pHatidic · · Score: 3, Interesting
    So has anyone else noticed it seems like there is nothing new happening in the Internet in the last couple months? Well actually there is interesting stuff happening, it's just that Reddit and Digg have been taken over by spammers so you'd never know it otherwise. The thing is the more eyeballs a certain website has the more temptation there is to cause mischief, so a website can never go above a certain quality threshold without an identity system to ban trouble makers. Both Reddit and Digg have hit this threshold, so it will be impossible to get better news without a system like this.

    The problem though is that OpenID is currently just a framework. There is no way to prevent people from making 100 accounts, which is still the problem. Once we have a way of making sure each person only has one account, even if we don't know who that person is and can't identify them in any way, then and only then will social software be able to break through this quality barrier that it is currently capped at. I wrote about one way of doing this here, and there are other ways. Hopefully within the next ten years we can have this problem solved, to enable the next generation of web apps that aren't even possible today.

    1. Re:OpenID is great in theory by Elyas · · Score: 3, Insightful

      Actually, that's really only true if you go about it by trying to "find" the bad users.

      If you want, instead, to look for good, legitimate users with regular usage patterns, the only thing you need is the data and a single sign-on distributed across the systems. You make it easy to get a bad reputation, and hard to get a good one, just like real life. Then voting systems can more heavily favour the consistently useful users, etc.

      Finding the bad guys is whackamole, and useless :)

  6. Re:No way! (OK, Setup several IDs) by G4from128k · · Score: 4, Informative

    Any website switching to openID exclusively will lose my business

    There's no need to abandon a place just because they use openID. Why not set up multiple IDs with different user names, passwords, and email addresses? (I assume that's possible under OpenID?).

    I agree that a single collection of IDs (all-eggs-one-basket) represents a dangerous single point of failure. But just because someone implements a new potentially better basket doesn't mean you have to put all your eggs in that basket or avoid using sites that use that type of basket.

    --
    Two wrongs don't make a right, but three lefts do.
  7. Re:so it will be OpenID to bind them by BoberFett · · Score: 3, Funny

    Multiple passwords? Are you saying I shouldn't use the same password at my bank that I use on bustybabes.com?

  8. Overly complicated by cortana · · Score: 5, Funny

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    OpenID seems rather complex. There are already decentralised systems for authenticating a user's identity. But, if it gains momentum I would be happy to use it. One thing I can't work out is how I can create an identity. I have my own domain name and web site; I don't want to rely on Livejournal or another third party to maintain the notion of my identity.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.5 (GNU/Linux)

    iD8DBQFFdYQlshl/216gEHgRAk00AJwLvCfxLrtlKGDHcrIp7jidODlrTQCgqCPx
    czXJO4lwp5Znr+A7sSrrPJA=
    =MeMH
    -----END PGP SIGNATURE-----

  9. Re:Complexity can be hidden, but there are costs. by semifamous · · Score: 3, Informative

    The username and password is not entered on that site. It's entered on your own personal site.

    I've got a Wordpress blog for which I found an OpenID plugin. I can go to Livejournal and give it my blog address. It then sends me to my site which asks me "Do you want to trust this site with your identity?" You can trust it once, trust it always, or not at all.

  10. Re:so it will be OpenID to bind them by semifamous · · Score: 4, Informative

    So then change your password daily.

    Or, you know, since it's OpenID and you have complete control over the server, have it set up in such a way that only your IP address can see the password in plain text when you want to log in.

    Here's how it works:
    You go to a site that uses OpenID. You enter the address of your site to authenticate. You are then redirected to your own website to authenticate (unless you're already logged in). At this point, the server you set up should ask you if you really want to trust this other site with your identity. You can trust it once and post your new comment, or trust it always if you plan on posting frequently and have that info saved on your server somewhere. Or you can change your mind and not trust it at all.

    If you want to implement a password system that nobody can ever figure out, then have it automatically generated and maybe sent to you via email every day in some encrypted format that only you can figure out.
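The redirect dance that comments 9 and 10 describe (type your URL at the site, get bounced to your own server, answer "trust once / always / never", get bounced back) as an added, self-contained example. This is illustrative code, not from LiveJournal, the WordPress plugin or any OpenID library: the association secret between the two servers is assumed to be pre-shared (real OpenID establishes it with the Diffie-Hellman exchange the summary mentions, or over TLS), the field names only loosely follow the wire protocol, and all URLs, users and passwords are made up. The interesting part is the relying party's `verify`, which shows what the consuming site must check before believing "this person owns that URL": that the assertion was solicited, that the identity was not swapped in transit, that the attacker did not choose which fields were signed, that it is not a replay, and that the HMAC matches.

```python
# Added example, not OpenID's or the commenters' code. Assumed: pre-shared
# association secret, simplified field names, constructed URLs and users.
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for fetching the user's identity page over HTTP.
IDENTITY_PAGES = {
    "https://blog.example.net/": '<html><head><link rel="openid.server" '
    'href="https://blog.example.net/openid"></head><body>my blog</body></html>',
}


def discover(identity_url):
    """Step 1: the site fetches the URL you typed and reads your server's
    endpoint out of the <link rel="openid.server"> tag."""
    m = re.search(r'<link[^>]*rel="openid\.server"[^>]*href="([^"]+)"',
                  IDENTITY_PAGES[identity_url])
    if not m:
        raise ValueError("no openid.server link on identity page")
    return m.group(1)


def kv_sign(secret, fields, signed):
    """OpenID signs the 'key:value\\n' serialization of the listed fields."""
    payload = "".join(f"{k}:{fields[k]}\n" for k in signed)
    return hmac.new(secret, payload.encode(), hashlib.sha1).hexdigest()


class IdentityProvider:
    """Your own server: the only place your password is ever typed."""

    def __init__(self, endpoint, assoc_secret):
        self.endpoint, self.secret = endpoint, assoc_secret
        self.users = {}     # identity_url -> password (hash these in real code)
        self.trust = set()  # (identity_url, trust_root) the user said 'always' to

    def checkid_setup(self, req, password, decision):
        """Steps 2-3: check the password, then ask 'trust this site?'.
        decision is 'once', 'always' or 'never'."""
        ident, root = req["openid.identity"], req["openid.trust_root"]
        if not hmac.compare_digest(self.users.get(ident, ""), password):
            return {"openid.mode": "cancel"}
        if decision == "never" and (ident, root) not in self.trust:
            return {"openid.mode": "cancel"}
        if decision == "always":
            self.trust.add((ident, root))
        fields = {"openid.mode": "id_res", "openid.identity": ident,
                  "openid.return_to": req["openid.return_to"],
                  "openid.response_nonce": secrets.token_hex(8)}
        signed = list(fields)  # every field above is covered by the signature
        fields["openid.signed"] = ",".join(signed)
        fields["openid.sig"] = kv_sign(self.secret, fields, signed)
        return fields


class RelyingParty:
    """The blog you want to comment on."""

    def __init__(self, trust_root, assoc_secret):
        self.trust_root, self.secret = trust_root, assoc_secret
        self.pending = {}        # rp_nonce -> claimed identity awaiting a reply
        self.seen_nonces = set()

    def start_login(self, identity_url):
        """You typed a URL; build the redirect to your server."""
        nonce = secrets.token_urlsafe(12)
        self.pending[nonce] = identity_url
        return discover(identity_url), {
            "openid.mode": "checkid_setup", "openid.identity": identity_url,
            "openid.return_to": f"{self.trust_root}/openid/return?rp_nonce={nonce}",
            "openid.trust_root": self.trust_root}

    def verify(self, resp):
        """Step 4: the browser comes back carrying your server's assertion.
        Returns the authenticated identity URL, or None if anything is off."""
        if resp.get("openid.mode") != "id_res":
            return None
        return_to = resp.get("openid.return_to", "")
        if not return_to.startswith(self.trust_root + "/"):
            return None  # assertion was issued for some other site
        nonce = parse_qs(urlsplit(return_to).query).get("rp_nonce", [None])[0]
        claimed = self.pending.pop(nonce, None)
        if claimed is None or claimed != resp.get("openid.identity"):
            return None  # unsolicited, or identity swapped in transit
        signed = resp.get("openid.signed", "").split(",")
        required = {"openid.mode", "openid.identity", "openid.return_to",
                    "openid.response_nonce"}
        if not required.issubset(signed) or any(k not in resp for k in signed):
            return None  # sender picked which fields to sign
        if resp["openid.response_nonce"] in self.seen_nonces:
            return None  # replayed assertion
        if not hmac.compare_digest(kv_sign(self.secret, resp, signed),
                                   resp.get("openid.sig", "")):
            return None
        self.seen_nonces.add(resp["openid.response_nonce"])
        return claimed


def run_demo():
    """One honest login, a replay, a refusal, and a tampered identity."""
    secret = secrets.token_bytes(20)
    idp = IdentityProvider("https://blog.example.net/openid", secret)
    me = "https://blog.example.net/"
    idp.users[me] = "hunter2"  # constructed user and password
    rp = RelyingParty("https://comments.example.org", secret)
    endpoint, req = rp.start_login(me)
    good = idp.checkid_setup(req, "hunter2", "once")
    results = {"endpoint": endpoint, "honest": rp.verify(dict(good)),
               "replay": rp.verify(dict(good))}
    results["refused"] = idp.checkid_setup(rp.start_login(me)[1], "hunter2", "never")["openid.mode"]
    forged = dict(idp.checkid_setup(rp.start_login(me)[1], "hunter2", "always"))
    forged["openid.identity"] = "https://victim.example/"
    results["forged"] = rp.verify(forged)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Note what the relying party never sees: the password. It only learns that whoever controls the server behind the URL was willing to vouch for that URL to this particular site.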

  11. General Reply by Jerf · · Score: 3, Informative

    This is a generalized reply to a number of comments that are either reflexively nay-saying the entire idea or are not understanding what this really means.

    The intent of OpenID (as I read it) is simply to provide an identity. An identity is just a name that at least one person has permission to use, and no more. Multiple people may be able to use the identity. Perhaps some aren't "authorized" (a vague, undefined term in this case), and obtained the credentials by hacking. Maybe one person has a thousand OpenIDs. It really doesn't nail you down, break your anonymity any more than posting with a Slashdot account that has no URL, email, or distinguishing username characteristic, or give the One World Government an ID to tattoo into your arm.

    The reason this is useful is that it gives further layering something to talk about. I can't tell my blog system "John Milquetoast Xavier is allowed to post on the front page", because the blog system can't understand "people". It needs "identities". But I can say "this OpenID is allowed to post".

    And all the OpenID system will tell me is that some person has authenticated with that ID. I can further restrict their activities; I can still require a CAPTCHA, I can require a paid account, I can do all kinds of things. There's no law that says I have to let everyone with an OpenID have full permissions on my site. (When I say that, it's obvious, but based on the comments clearly some people have this idea in the back of their head.)

    I can also go the other way; if your OpenID is from a site that I trust to verify you are a real human for some reason, I might allow OpenIDs from that site more permissions than one from the random internet. If my company sets up an OpenID server that we control and allow only our employees on, I might be able to trust OpenIDs from that server more than random strangers. (Assuming good security for the sake of argument.)

    You could set up your own OpenID server to do whatever. I'm sure that if this takes off, there will be OpenID servers that people choose to leave wide open to allow anonymous OpenIDs to be created by anybody. Maybe it'll simply say "Yes, that person exists" to any query with any password, if the API allows it. Using one of those won't tie you to anything.

    What you are worried about shouldn't be "identities", you are worried about "identities that can be tied to you". The generic OpenID specification cannot provide that, since in the general case the OpenID server could be anything, including a compromised box, and you therefore cannot trust it a priori. All it can do is provide a label. Excessive trust in an identity system is the real problem, not an identity system.

    I've been creating a weblog for myself lately that includes comment posting, and while I don't think I'm quite ready to jump to OpenID, it's actually exactly what I'm looking for. My spam-control solution will be to moderate every comment posted, but once an identity proves its bona fides, I'll whitelist it. All I want is an identity. I don't really care if I can map it back to a person, I don't care if 10 people are using it, I just want an entity that I can deal with in my database and grant it permissions to above and beyond what an anonymous user gets. OpenID would solve that problem nicely, because I have no intention of farming out to OpenID the question of how much I trust the identity, merely the existence of an identity.
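The layering Jerf describes (and the reputation idea from Elyas's reply earlier in the thread) as an added example, not code from any OpenID library or from either commenter: the OpenID step hands the site a label, namely a verified identity URL plus the endpoint that vouched for it, and everything about what that label may do is decided locally. The policy class, the company-IdP rule, the CAPTCHA/moderation flags and the three-approved-comments threshold are all made-up illustrations. One detail that matters in practice is shown first: the label must be canonicalized before it is used as a database key, or a ban or whitelist keyed on `http://blog.example.net/` is sidestepped by logging in as `Blog.Example.NET`.

```python
# Added example of per-site authorization layered over OpenID (not from any
# library). Assumed: the normalization rules, the policy tiers, the threshold
# and all hostnames below.
from urllib.parse import urlsplit, urlunsplit


def normalize_identity(url: str) -> str:
    """Canonicalize an identity URL so that Blog.Example.NET, blog.example.net/
    and http://blog.example.net:80 are one account, not three. Scheme is kept
    (http and https need not be controlled by the same person), default ports
    and fragments are dropped, an empty path becomes '/'."""
    if "://" not in url:
        url = "http://" + url
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    default = {"http": 80, "https": 443}.get(p.scheme)
    netloc = host if p.port in (None, default) else f"{host}:{p.port}"
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))


class SitePolicy:
    """What an authenticated identity may do here; OpenID has no say in it."""

    def __init__(self, company_idp, whitelist_after=3):
        self.company_idp = company_idp      # our own IdP, employees only
        self.whitelist_after = whitelist_after
        self.whitelist = set()
        self.banned = set()
        self.approved = {}                  # identity -> moderated comments OK'd

    def permissions(self, identity, provider_endpoint):
        """Decide per login. provider_endpoint is the server that actually
        vouched for the identity, so trust can be granted per provider."""
        ident = normalize_identity(identity)
        if ident in self.banned:
            return {"post": False}
        if provider_endpoint == self.company_idp:
            return {"post": True, "moderated": False, "captcha": False,
                    "front_page": True}
        if ident in self.whitelist:
            return {"post": True, "moderated": False, "captcha": False,
                    "front_page": False}
        # Unknown identity from an arbitrary server: a label and nothing more.
        # It may post, but through moderation and a CAPTCHA, the same as an
        # anonymous visitor, until it has earned trust on this site.
        return {"post": True, "moderated": True, "captcha": True,
                "front_page": False}

    def record_moderation(self, identity, approved: bool):
        """Reputation update after a moderator acts on one comment: one bad
        comment gets the label banned, several good ones get it whitelisted
        (easy to earn a bad reputation, hard to earn a good one)."""
        ident = normalize_identity(identity)
        if not approved:
            self.banned.add(ident)
            self.whitelist.discard(ident)
            return "banned"
        self.approved[ident] = self.approved.get(ident, 0) + 1
        if self.approved[ident] >= self.whitelist_after:
            self.whitelist.add(ident)
            return "whitelisted"
        return "moderated"


if __name__ == "__main__":
    policy = SitePolicy(company_idp="https://idp.corp.example/openid")
    print(policy.permissions("http://alice.example/", "http://alice.example/openid"))
    for _ in range(3):
        print(policy.record_moderation("Alice.Example", True))
    print(policy.permissions("http://alice.example/", "http://alice.example/openid"))
```

The provider check is deliberately keyed on the endpoint that answered, not on the identity URL's hostname: in this flow the site learned the endpoint from the identity page itself, so a URL on an unknown host that claims to be vouched for by the company server only counts if that server actually produced the assertion.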