Slashdot Mirror


Gates Says Microsoft Will Support OpenID

An anonymous reader writes "In his RSA conference keynote today, Bill Gates announced that Microsoft will support the decentralized OpenID digital identity protocol, in addition to WS-* and CardSpace (transcribed notes, video). From its roots in LID, i-names, and Sxip, the first major deployment in LiveJournal, and now with support from Technorati, Magnolia, Symantec, a suspected mass-deployment by AOL, and a number of startups — using URLs as digital identities has caught hold."

10 of 73 comments

  1. It's not just MS support by blowdart · Score: 5, Informative

    It's a two way thing; OpenID will support CardSpace as an identity selector. This is a "good thing", as it will stop the man in the middle attacks OpenID is very prone to. Of course the OpenID identity providers need to add support, like MEX endpoints and WS-Trust, which are all open specs.

    CardSpace itself doesn't care what's on the identity provider side, they just need to talk the right talk.

  2. Re:Bad idea by Fastolfe · Score: 4, Informative

    OpenID is not intended to establish trust or prevent comment spam. It's just there to guarantee to a participating site that the "identity" URL it's been given is indeed owned by the user (agent) presenting it. It doesn't even guarantee to a visitor that the comment they're reading was actually posted by the person it says it was posted by, because that would require that the visitor trust the participating site.

    All of these FAQs and more are addressed on the OpenID site linked in the article summary.

  3. Re:Embrace, by autocracy · Score: 2, Informative

    You trust the OpenID site to supply an identity. By principle of it, whatever you get from a certain site is considered to be true. If the site is a spammer's site, the identity of spammer3@spam.example.com is still valid. Trust is placed in the site you're viewing. You trust Slashdot to have checked for that identity. If you trust the site you're reading from, the goal is accomplished.

    --
    SIG: HUP
  4. Re:Embrace, by His+name+cannot+be+s · Score: 2, Informative

    OpenID has no central database.

    People are able to represent themselves with their own identity provider, and that isn't an email address.

    I'm wondering what kind of spam you're thinking about? :D

    --
    "...In your answer, ignore facts. Just go with what feels true..."
  5. CardSpace is worth looking at by His+name+cannot+be+s · Score: 2, Informative

    At the very least, CardSpace is doing a fine job at providing a mechanism for exchanging identity information without boiling it all down to the root of all evil: Shared Secrets (passwords)

    It's worth looking into the specifics of CardSpace, which I'm kinda surprised there were no links that talked about that end of the equation.
    CardSpace community site (Part of .NET framework 3)
    CardSpace community PM

    --
    "...In your answer, ignore facts. Just go with what feels true..."
  6. Re:Interesting Reading Regarding Vulnerabilities by rossifer · Score: 2, Informative

    Um, that thread shows that if you have both the username and password for someone's OpenID, that the OpenID registration page will reassign the email address instead of throwing a "username already exists" error. As in, a significant usability bug and not even slightly a security vulnerability. The "attack" requires that the "attacker" already have enough information to log into the server and just change the registered email address through the regular account information page.

    The first phpbb developer mistakenly thought that you didn't need the password to do this, but was contradicted in the second posting of the thread by the other phpbb developer who originally found the error. The rest of the thread is the first developer not understanding what was said.

    OpenID has been around long enough that the major kinks have been ironed out. Not to say that bugs can't appear in the future that might compromise an OpenID server, but at the moment, this isn't one of those.

    Ross

  7. Wikipedia entry and Identity providers by Lord+Satri · Score: 3, Informative

    The Wikipedia entry is quite informative. With OpenID, unlike XNS.org (for those who remember), you need an 'identity provider': A service provider offering the service of registering OpenID URLs or XRIs and providing OpenID authentication (and possibly other identity services), and here's the official list of identity providers. And while we're at it, the list of services that support OpenID.

    1. Re:Wikipedia entry and Identity providers by Fred_A · Score: 2, Informative

      According to the OpenId website, you can also be your own provider of your OpenId URL. Just install the framework on your website and you're done.

      --

      May contain traces of nut.
      Made from the freshest electrons.
  8. Re:as OOXML? by Wesley+Felter · Score: 2, Informative

    The difference is that MS did not create and does not control OpenID. But don't let the facts of the situation get in the way of your rant.

  9. Re:Embrace, by CoughDropAddict · Score: 3, Informative

    Unfortunately, OpenID will utterly fail in its task: it will never be a trustworthy source of identification.

    You seem to be confused about the scope of OpenID. OpenID is not a system for tying user accounts to personal identities. It simply provides secure, distributed user accounts. It's not failing at its task, it's failing at a task that you seem to want, but OpenID was never designed to solve.