Gates Says Microsoft Will Support OpenID

An anonymous reader writes "In his RSA conference keynote today, Bill Gates announced that Microsoft will support the decentralized OpenID digital identity protocol, in addition to WS-* and CardSpace (transcribed notes, video). From its roots in LID, i-names, and Sxip, the first major deployment in LiveJournal, and now with support from Techorati, Magnolia, Symantec, a suspected mass-deployment by AOL, and a number of startups — using URLs as digital identities has caught hold."

Embrace,

[rrohbeck]

extend, ...
You know the rest.

Re:Embrace,

[mandelbr0t]

Of course they'll support it! OpenID Authentication Server for Windows 2000/XP/Vista (not available for home or professional versions) -- coming soon!

Unfortunately, OpenID will utterly fail in it's task: it will never be a trustworthy source of identification. It's only useful for things where MS Passport was previously useful: throw-away Hotmail accounts and that's about it.

A Real Security(TM) implementation that required absolute knowledge of a person's identity would have to be based on the Web-of-Trust model, much like you don't have a single piece of identification. You have a driver's license, a social insurance number, a credit card, a health care card, etc. No one piece of ID is sufficient, especially when applying for new pieces of identification. The analogue on the Internet is similar, though even finer-grained. Instead of a series of governmental organizations correlating each other's data on a particular identity, every single person in the world is able to verify every other person's identity. This is known as "Federated Identity".

Such a mechanism does not preclude the idea that a government could support a particular identity; in fact, they could also sign a person's public key. While webs of trust are more difficult to set up, there is no longer a single point of failure in the identification. Going back to OpenID, all I need to do is supply my own authentication server, and I have corroborated my own identification. Or, in a slightly less legitimate fashion, I could take over someone else's authentication server and steal all the identities from it. A Web of trust is much more difficult to steal; you need to crack the passphrase on my certificate (not impossible, but much harder and I can revoke the certificate if I suspect that the certificate has been compromised). Once the DMV, Health Authority and Credit Card companies have all signed my public key, it's much more believable that something signed with my public key is definitely signed by me.

Re:Embrace,

[skoaldipper]

"By utilizing the emerging OpenID Attribute Exchange specification (see specs), users are able to clearly control what pieces of information can be shared by their Identity Provider, such as their name, address, or phone number."

I wonder just how long before some spam king taps this central database.

Re:Embrace,

[Timesprout]

Actually not, they wanted this ages ago to make life easier for themselves because single signon has a lot of attraction for them, as for many others. Passport failed as did Liberty and as IBM's new effort shortly will. They all want it so badly differences will be set aside at this stage just to make it happen in any shape or form that does not massively disadvantage any of them.

Re:Embrace,

Eliminate?

This is Microsoft, after all.

Re:Embrace,

[autocracy]

You trust the OpenID site to supply and identity. By principal of it, whatever you get from a certain site is considered to be true. If the site is a spammer's site, the identity of spammer3@spam.example.com is still valid. Trust is placed in the site you're viewing. You trust Slashdot to have checked for that identity. If you trust the site you're reading from, the goal is accomplished.

Re:Embrace,

[His+name+cannot+be+s]

OpenID has no central database.

People are able to represent themselves with their own identity provider, and that isn't an email address.

I'm wondering what kind of spam you're thinking about? :D

Re:Embrace,

[Bogtha]

Going back to OpenID, all I need to do is supply my own authentication server, and I have corroborated my own identification.

Trust and identity are two different things. You're talking about trust. The fact that you can make up multiple identities doesn't matter unless you want somebody to trust one of them for something.

Trust is a big problem; moreso than identity. Furthermore, trust systems have identity as a requirement. And identity is useful outside of any advanced trust system. It makes sense to solve the identity problem first before moving on to complicated web of trust models.

The OpenID people are careful to distinguish between identity and trust. Trust is outside the scope of OpenID, but it's likely that any worthwhile trust system can be built on top of OpenID. You shouldn't use lack of trust as a basis to reject OpenID; in fact large-scale adoption of OpenID may well be helpful in developing a decent trust system.

PS: The one organisation that I expected to support OpenID much sooner than this is Google. Anybody have any ideas why they haven't jumped on board yet?

Re:Embrace,

[smallpaul]

You've defined OpenId's "task" differently than they do. I'd suggest you read this comment.

Re:Embrace,

[Divebus]

Yeah.... "Error: -29 Incompatible Key. You must install MS-OpenID to continue"

Re:Embrace,

[dgatwood]

I'm wondering what kind of spam you're thinking about? :D

Last I checked, there were only three kinds of pure spam left:

1. Porn spam,
2. |-|34b^1 Viagra spam, and
3. Pump-and-dump stock spam

Am I missing any? These days, everything else seems to be phishing (e.g. Nigerian 419 letters).

Re:Embrace,

[CoughDropAddict]

Unfortunately, OpenID will utterly fail in it's task: it will never be a trustworthy source of identification.

You seem to be confused about the scope of OpenID. OpenID is not a system for tying user accounts to personal identities. It simply provides secure, distributed user accounts. It's not failing at it's task, it's failing at a task that you seem to want, but OpenID was never designed to solve.

Re:Embrace,

[Kandenshi]

4. Make your PEN15 twice as long!!!eleven

^It's rarer, but I think I got one of those a few days ago.

Re:Embrace,

[dgr73]

ya'll are just too paranoid. Can't you see uncle Bill has your best interest in mind. If you're a guy, he's your rolemodel, if you're female, he'll give you his mojo. With this in mind, who can resist putting their ID data into uncle Bill's database of Sexual Healing.

Re:Embrace,

[wellingj]

Dear god in heaven somebody mod dgr73 a 'funny interesting troll' and get it over with

Re:Embrace,

[Fred_A]

There aren't any fake watches any more ? I haven't looked at my Spam folder in a while...

Re:Embrace,

[dozer]

Because they want everybody on the planet to have their own google.com account? Let's see if they start pitching this soon: http://code.google.com/apis/accounts/AuthForWebApp s.html

Re:Embrace,

[jhfry]

Thank GOD openID is not really about identifying an individual! It's about creating a single identity... not necessarily my own.

When I go on the internet, I can be a different person. I may be a sad little 14 year old in real life, but on slashdot I'm a 35 year old IT professional. The last thing I want is to have my online ID tied to my real life identity.

If that were the case, then there is the potential that the signatures you had could be used to identify you outside of your cozy internet environment. Think ads that say... we can beat the rates your paying to SUCHANDSUCH mortgage company, or JIM BOBS hardware now open in YOUR HOME TOWN... a lot of information could be extracted based upon who you have had sign your identity.

I agree that a web of trust is a good thing... in fact it would make an excellent addition to the OpenID framework in the future. I could set up an OpenID server with multiple online ID's, I could tie my signed public key to some of those id's.

Even better would be the ability to have our openID server configured so that it would supply credentials only to sites that WE trust. For example, I supply a key for my bank to use for my account... then when I log in using my OpenID, they encrypt a random string using the key I supplied them. My openID server could be configured to A. check that the request is coming from a trusted domain, B. verify that the request was encryped with the correct key, and C. verify that I provided the correct passphrase to decrypt the string. Essentially it would prevent phishing (the false host doesn't have the key so they can't authenticate even if they spoofed the domain), and it would allow the bank to verify that my openID url wasn't hijacked by someone pretending to be me (unless they stole the private key off my server).

That would be secure... and if my bank required that I hand deliver the key on USB or CD media so they could verify that the key did indeed come from the account holder, it would be even more secure! They could even use such a system as an alternative to asking for personal information when calling them... I supply my OpenID name and a verification code, they encrypt the code with the trusted public key I provided and verify it with my OpenID server, which would decrypt it and reply back with the decrypted content.

There really is a lot of possibility there!

Re:Embrace,

[Clete2]

I keep getting this kind of spam:

Ìs Yahoo! QGë ¦H ±M½æ©± ¥À] jU½æ ( ¾_¾Ù¥¥x )

DVDåÂé®MÀ¥¥xÌCùÄf@ÓI®aÖü,÷£ù!

Ü¥dz¥ìÖká¥~ÅS¥¦Û©ç!!!!!!!âÀtÀYJ¥àYà¥À!!!!!!!

i Ý £ ì Ï ½Ð ö o j

Anyone have any idea what it says? I sure don't... Just Yahoo and DVD. It's really annoying when I can't even understand my spam!

Surely

[len_p]

Surely, as usual, an open protocol with a twist in M$ style. Len

Could someone translate this for me?

English is my first language.

It's not just MS support

[blowdart]

It's a two way thing; OpenID will support CardSpace as an identity selector. This is a "good thing", as it will stop the man in the middle attacks OpenID is very prone to. Of course the OpenID identity providers need to add support, like MEX endpoints and WS-Trust, which are all open specs.

CardSpace itself doesn't care what's on the identity provider side, they just need to talk the right talk.

Man in the Middle

[Skewray]

So what prevents a man-in-the-middle attack between the target web page and the ID server?

Re:Man in the Middle

> So what prevents a man-in-the-middle attack between the target web page and the ID server?

Using https. Of course there's a little bootstrap problem for new identities.

Re:Man in the Middle

Malcolm comes to mind.

Ian Malcolm.

Neener neen ner neen, Neener neen ner neeeeeen

Re:Man in the Middle

[Wanon]

The ID content is signed with the identity providers private key. Of which the the web app holds a copy of the public key.

Good luck having the man in the middle regenerate the signature before the request expires.

Back channel communication can also use TLS\SSL to prevent the viewing.

as OOXML?

[Elektroschock]

In a similar way as OOXML and SenderID? As a patented technology pushed through fast track procedures by a single provider, Microsoft.

It is urgent time that we gather some ressources to free citizens from that company. We see the progress Open Source has made without significant public subsidies. Why not invest a billion of public money into information freedom, free us from that company which funds all these damn lobbyists in parliament. We don't need Microsoft to tell us what an open standard is. We know what it is. It is 100% patent-free and no-rand community driven development. Free market, free competition, interoperable, open documented.

Before we get a free cyberspace, all these unethical companies need to be told a lesson. Now that Saddam is gone we have to go after rogue companies. It is important to safe our liberty and freedom of business. Unethical businesses need to be punished. Rotten companies are not good for business.

It was Gates who reportedly (their PR person told it Borsen) bribed the Danish Government: Get us software patents or we cut jobs in Denmark. Now he and his foundation are on the biopat lobbying front in Africa.

Re:as OOXML?

[Alicat1194]

It was Gates who reportedly (their PR person told it Borsen) bribed the Danish Government: Get us software patents or we cut jobs in Denmark.

That's not bribery, that's extortion. (Which I believe carries heavier penalties...)

Re:as OOXML?

[...]free us from that company which funds all these damn lobbyists in parliament.

We've called it "Congress" ever since we threw you guys the hell out of here...

Re:as OOXML?

[Wesley+Felter]

The difference is that MS did not create and does not control OpenID. But don't let the facts of the situation get in the way of your rant.

Re:as OOXML?

[the_womble]

Are you seriously comparing Bill Gates to Saddam Hussein?

Bill Gates is FAR more powerful. A US president is highly unlikely to risk taking him head one.

The reasons I say he is more powerful are:

1) He has a lot of money that could be given in campaign contributions or spent to influence elections. If necessary he could even buy up some media companies (outright or just sufficiently large stakes in them to influence editorial policy) and exercise the sort of influence that Rupert Murdoch has in Britain.
2) He is well known and influential. A lot of people respect him - maybe not on Slashdot, but being the richest man in the world brings respect. MS sales people claim that offering customers a chance to meet Bill Gates help swing major sales.

Re:as OOXML?

More like we walked due to the possible gain (a land containing hostile natives, hostile immigrants, hostile fauna and hostile flora) not being worth the risk (lots of dead British subjects killed by what your current government would call 'enemy combatants'). The monarch's choice then is similar to the one Bush has now: to say 'screw it' and let the country sink or swim through its own actions, or to continue the massive loss of life until the decision is made for him (by impeachment, assassination, or the suggestion that something nasty might happen to his loved-ones if he doesn't go quietly to pasture and let someone else make all the hard decisions). More pragmatism would be advisable for the modern dilemma, I think.
And they might even briefly help you out in a war 150 years down the track.

Re:as OOXML?

[Elektroschock]

I am thinking in terms of national security. What needs to be done to protect our political system, to protect competition. Many nations have media antitrust laws. In Italy things are somehow different...

I mean, I know bad habits of that company from first hand. The USA spents billions on Iraq. Iraqi Freedom or Oil, I don't care. In business terms it shows how much nations invest in national security. Now, give a public Linux Foundation 1 Billion and let them develop a Desktop Linux which blows Microsoft Windows away. Not for "new projects", more for doing the boring stuff, polishing, feature completeness, testing, conferences.

Throw 150 Million on OpenOffice Development and save much money on the procurement side, even when you take MS Office in the end.

Re:as OOXML?

[Elektroschock]

;-) OpenID? I meant http://en.wikipedia.org/wiki/Sender_ID

Bad idea

[Watson+Ladd]

Come on, are we seriously going to trust people because they can give us a url we can access? With IPv6, a lot more zombie machines are going to have publically accessable IPs which could host an Open ID server. How is Open ID going to prevent comment spam?

Re:Bad idea

[Fastolfe]

OpenID is not intended to establish trust or prevent comment spam. It's just there to guarantee to a participating site that the "identity" URL it's been given is indeed owned by the user (agent) presenting it. It doesn't even guarantee to a visitor that the comment they're reading was actually posted by the person it says it was posted by, because that would require that the visitor trust the participating site.

All of these FAQs and more are addressed on the OpenID site linked in the article summary.

Re:Bad idea

[Tony+Hoyle]

In other words it's absolutely useless. In fact it's actually worse than useless because it gives a false sense of security by giving the appearence of trust.

Re:Bad idea

[maxume]

That's only a concern if sites use it in places that should require trust. Blog comments and other websites where it is nice to have settings don't really need any trust, they just need a decent unique identifier.

I don't want my bank to use it(well, they could, but there had better be another layer after I have identified myself), but I wouldn't mind if slashdot did.

Re:Bad idea

[shmlco]

My server tries to send you an email from XYZ.ORG. Do a reverse DNS and you find that the email domain and server domain match. Do a DNS and you'll find a DNS entry that says said server's IP address is the ONLY address that should be sending mail from XYZ.ORG.

As such, if you try to spoof a user into believing mail coming from your botnet is coming from XYZ.ORG you're going to fail if they do the same checks, since your server isn't an "approved" one, and the only way to approve it is to have access to my DNS records.

So in essence it only does one thing, try to prevent spoofed mail, but that's not an entirely useless thing from my perspective.

Re:Bad idea

[jrumney]

OpenID seems good in theory, allowing users to mange their own identity and choose where they host it, but with the big boys joining (Yahoo has already announced partial support), I can see that the trust issue will cause OpenID to become less open. Most sites will start accepting OpenIDs only if they are hosted by the big players. Not that a throwaway hotmail account is any more trustworthy than billspage.hax0rs.org, but it will be perceived to be by the suited classes, who don't understand the issues properly.

Re:Bad idea

[Fastolfe]

It's intended to act as a replacement for users creating individual IDs with individual passwords on each and every web site/blog they visit. Just because some random Joe signed up to post comments on your site doesn't mean you've placed any "trust" in Joe or that Joe's name really is Joe. It's just an ID he uses to post comments. This is no different. It's a convenience for the user, not really the web site operator. No one should imply trust in any of this, and the OpenID site and specifications make this very clear in unambiguous terms. If you don't understand what OpenID is, you should not be implementing it. If you're not implementing it, you shouldn't care about any of these issues.

'Support'....

[nurb432]

....and 'extend'....

however, it won't be supported by useless.com

[klenwell]

from their website:

Today's web is crazy. Open ID is a pipe dream. Every direction you turn you're forced to create yet another account. Most of the time it's for one of those throw-away web startups created 10 times a day, but occasionaly it's worth the effort. It might be to purchase some fancy threads, order a pizza or see how fat the Cool Kids from high school have become. When it's that important, you can't afford to drop the ball. With a useless account you can practice without fear. So when it comes to the crunch, you're ready!

Re:If you're not OUTRAGED

[Dunbal]

You're what's wrong with this country.


      Nothing wrong with this country. But on the other hand, I don't live in the US ;)

Who needs OpenID...

[rduke15]

When we can do everything with a single Google account...

Re:Who needs OpenID...

Actually you can use your Google account as an OpenID:

http://openid.nabber.org/

Re:Who needs OpenID...

[m50d]

Because a few years ago you would have been saying that about Yahoo.

Interesting Reading Reguarding Vulnerabilities

[codepunk]

http://test.phpbb.cc/viewtopic.php?p=66#p66

Don't sound like anything I am interested in...

Re:Interesting Reading Reguarding Vulnerabilities

[setagllib]

Let's agree to never listen to people who voluntarily use (let alone develop) PHP software talk about "vulnerabilities". They're right alongside "health experts" who abuse hard drugs.

Re:Interesting Reading Reguarding Vulnerabilities

[HatofPig]

Did you actually read what you linked to? The gentleman who found the "security vulnerability" signed up a new account on the OpenID server requesting his own, already regestered username and password, with a different confirmation email address. The way the server was set up, this was treated as a change of email request, he got the confirmation email (at a new address) and was logged on with his "new" account (his old account with a new default email address).

Except that in order to do all that, he had to know the username and password in the first place, so there is no security vulnerability. It's just a confusing practise to let people change their email address by re-registering their account with a new confirmation email destination. It's a non-issue.

Re:Interesting Reading Reguarding Vulnerabilities

[rossifer]

Um, that thread shows that if you have both the username and password for someone's OpenID, that the OpenID registration page will reassign the email address instead of throwing a "username already exists" error. As in, a significant usability bug and not even slightly a security vulnerability. The "attack" requires that the "attacker" already have enough information to log into the server and just change the registered email address through the regular account information page.

The first phpbb developer mistakenly thought that you didn't need the password to do this, but was contradicted in the second posting of the thread by the other phpbb developer who originally found the error. The rest of the thread is the first developer not understanding what was said.

OpenID has been around long enough that the major kinks have been ironed out. Not to say that bugs can't appear in the future that might compromise an OpenID server, but at the moment, this isn't one of those.

Ross

Blaming the user again is pathetic.

[twitter]

Gates said

"The challenge we face in administering and using them [Windows Vista and Office 2007] is humans - and humans make mistakes. A large part of what we do going forward is not dealing with the engineering aspects of the software we build, but we have to deal with the fact errors do happen whether by accident or intentional"

He needs to deal with the engineering first. What good is an ID if your computer is one of the 25% of all Windoze computers with a keylogging bot on it? It's not the user's fault.

Re:Blaming the user again is pathetic.

"The challenge we face in administering and using modern computers is Bill Gates - and he makes mistakes. A large part of what we do going forward is not dealing with the engineering aspects of the software we build, but we have to deal with the fact Microsoft produces so many errors whether by accident or intentional"

Re:Blaming the user again is pathetic.

[Fred_A]

Actually he didn't really blame the users, it just sounds that way because they didn't put the full quote online :

"The challenge we face in administering and using them [Windows Vista and Office 2007] is humans - and humans make mistakes. Just look at how our prducts are made - by humans. A large part of what we do going forward is not dealing with the engineering aspects of the software we build, it's too much of a mess anyway, but we have to deal with the fact errors do happen whether by accident or intentional"

That blows my analogy

[EmbeddedJanitor]

I was going to say that MS will support this the same way one of those Kama Sutra players support their partner during rather vigorous sex in a less stable psotion. Adding a man in the middle spoils that image somewhat.

CardSpace is worth looking at

[His+name+cannot+be+s]

At the very least, CardSpace is doing a fine job at providing a mechanism for exchanging identity information without boiling it all down to the root of all evil: Shared Secrets (passwords)

It's worth looking into the specifics of CardSpace, which I'm kinda suprised there were no links that talked about that end of the equation.
CardSpace community site (Part of .NET framework 3)
CardSpace community PM

Re:CardSpace is worth looking at

You should put the .NET part in bold as more of a warning, so people don't have to waste their time. Recent history has taught us that Microsofts only interest in open standards is in destroying them.

Wikipedia entry and Identity providers

[Lord+Satri]

The wikipedia entry is quite informative. With OpenID, unlike XNS.org (for those who remember), you need an 'identity provider': A service provider offering the service of registering OpenID URLs or XRIs and providing OpenID authentication (and possibly other identity services), and here's the official list of identity providers. And while we're at it, the list of services that support OpenID.

Re:Wikipedia entry and Identity providers

[Fred_A]

According to the OpenId website, you can also be your own provider of your OpenId URL. Just install the framework on your website and you're done.

Liberty Alliance

[owlstead]

Of course, MS would not want to support the Sun answer to Passport: the Liberty Alliance. Check the current member list here:

http://www.projectliberty.org/liberty/about/curren t_members

Now compare it with that of OpenID, if you can find it on their wiki-like site. IMHO, this is just FUD to keep wind out of the sails of the Liberty Alliance. The same stupid tactic they have performed with the open source document format. Kill it by strengthening the currently loosing spec, and both will perish.

Re:Liberty Alliance

[metamatic]

So, how many web sites can I log into via Liberty Alliance? Where can I get an ID?

I use OpenID every day. It's here and it works.

Re:If you're not OUTRAGED

[nomadic]

You live in a country without anything wrong with it? Please inform me as to its identity so I can move there!

OpenID is Not Secure, Not Useful

[smack.addict]

Of course Microsoft would buy into OpenID, its the Swiss cheese of identity management. It neither solves an actual identity management that the world has nor is it in any way a secure protocol for authenticating users against a single identity.

Is your /. id useless?

[Per+Abrahamsen]

I don't think so, you use it a lot. Even though it provides no trust.

Identity is quite a useful concept in itself. And as a bonus, you can build trust upon it.

Microsoft considered harmful

They didn't create or control ODF and SPF either but that didn't stop them throwing spanners in the works.

Re:If you're not OUTRAGED

Oh, but if you move there, then it would no longer be perfect!

OpenID vs OpenPrivacy?

[alexandre]

Has anyone got any precise insight on the difference between OpenPrivacy and OpenID goals? :)