Slashdot Mirror


Gates Says Microsoft Will Support OpenID

An anonymous reader writes "In his RSA conference keynote today, Bill Gates announced that Microsoft will support the decentralized OpenID digital identity protocol, in addition to WS-* and CardSpace (transcribed notes, video). From its roots in LID, i-names, and Sxip, the first major deployment in LiveJournal, and now with support from Technorati, Magnolia, Symantec, a suspected mass-deployment by AOL, and a number of startups — using URLs as digital identities has caught hold."

21 of 73 comments

  1. Embrace, by rrohbeck · · Score: 5, Insightful

    extend, ...
    You know the rest.

    1. Re:Embrace, by mandelbr0t · · Score: 3, Insightful

      Of course they'll support it! OpenID Authentication Server for Windows 2000/XP/Vista (not available for home or professional versions) -- coming soon!

      Unfortunately, OpenID will utterly fail in its task: it will never be a trustworthy source of identification. It's only useful for things where MS Passport was previously useful: throw-away Hotmail accounts and that's about it.

      A Real Security(TM) implementation that required absolute knowledge of a person's identity would have to be based on the Web-of-Trust model, much like you don't have a single piece of identification. You have a driver's license, a social insurance number, a credit card, a health care card, etc. No one piece of ID is sufficient, especially when applying for new pieces of identification. The analogue on the Internet is similar, though even finer-grained. Instead of a series of governmental organizations correlating each other's data on a particular identity, every single person in the world is able to verify every other person's identity. This is known as "Federated Identity".

      Such a mechanism does not preclude the idea that a government could support a particular identity; in fact, they could also sign a person's public key. While webs of trust are more difficult to set up, there is no longer a single point of failure in the identification. Going back to OpenID, all I need to do is supply my own authentication server, and I have corroborated my own identification. Or, in a slightly less legitimate fashion, I could take over someone else's authentication server and steal all the identities from it. A Web of trust is much more difficult to steal; you need to crack the passphrase on my certificate (not impossible, but much harder and I can revoke the certificate if I suspect that the certificate has been compromised). Once the DMV, Health Authority and Credit Card companies have all signed my public key, it's much more believable that something signed with my public key is definitely signed by me.

      --
      "Please describe the scientific nature of the 'whammy'" - Agent Scully
    2. Re:Embrace, by Timesprout · · Score: 3, Insightful

      Actually not, they wanted this ages ago to make life easier for themselves because single sign-on has a lot of attraction for them, as for many others. Passport failed as did Liberty and as IBM's new effort shortly will. They all want it so badly differences will be set aside at this stage just to make it happen in any shape or form that does not massively disadvantage any of them.

      --
      Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
      What truth?
      There is no dupe
    3. Re:Embrace, by autocracy · · Score: 2, Informative

      You trust the OpenID site to supply an identity. By principle of it, whatever you get from a certain site is considered to be true. If the site is a spammer's site, the identity of spammer3@spam.example.com is still valid. Trust is placed in the site you're viewing. You trust Slashdot to have checked for that identity. If you trust the site you're reading from, the goal is accomplished.

      --
      SIG: HUP
    4. Re:Embrace, by His+name+cannot+be+s · · Score: 2, Informative

      OpenID has no central database.

      People are able to represent themselves with their own identity provider, and that isn't an email address.

      I'm wondering what kind of spam you're thinking about? :D

      --
      "...In your answer, ignore facts. Just go with what feels true..."
    5. Re:Embrace, by Bogtha · · Score: 4, Insightful

      Going back to OpenID, all I need to do is supply my own authentication server, and I have corroborated my own identification.

      Trust and identity are two different things. You're talking about trust. The fact that you can make up multiple identities doesn't matter unless you want somebody to trust one of them for something.

      Trust is a big problem; more so than identity. Furthermore, trust systems have identity as a requirement. And identity is useful outside of any advanced trust system. It makes sense to solve the identity problem first before moving on to complicated web of trust models.

      The OpenID people are careful to distinguish between identity and trust. Trust is outside the scope of OpenID, but it's likely that any worthwhile trust system can be built on top of OpenID. You shouldn't use lack of trust as a basis to reject OpenID; in fact large-scale adoption of OpenID may well be helpful in developing a decent trust system.

      PS: The one organisation that I expected to support OpenID much sooner than this is Google. Anybody have any ideas why they haven't jumped on board yet?

      --
      Bogtha Bogtha Bogtha
    6. Re:Embrace, by CoughDropAddict · · Score: 3, Informative

      Unfortunately, OpenID will utterly fail in its task: it will never be a trustworthy source of identification.

      You seem to be confused about the scope of OpenID. OpenID is not a system for tying user accounts to personal identities. It simply provides secure, distributed user accounts. It's not failing at its task, it's failing at a task that you seem to want, but OpenID was never designed to solve.

  2. Could someone translate this for me? by Anonymous Coward · · Score: 5, Funny

    English is my first language.

  3. It's not just MS support by blowdart · · Score: 5, Informative

    It's a two way thing; OpenID will support CardSpace as an identity selector. This is a "good thing", as it will stop the man in the middle attacks OpenID is very prone to. Of course the OpenID identity providers need to add support, like MEX endpoints and WS-Trust, which are all open specs.

    CardSpace itself doesn't care what's on the identity provider side, they just need to talk the right talk.

  4. as OOXML? by Elektroschock · · Score: 3, Insightful

    In a similar way as OOXML and SenderID? As a patented technology pushed through fast track procedures by a single provider, Microsoft.

    It is urgent time that we gather some resources to free citizens from that company. We see the progress Open Source has made without significant public subsidies. Why not invest a billion of public money into information freedom, free us from that company which funds all these damn lobbyists in parliament. We don't need Microsoft to tell us what an open standard is. We know what it is. It is 100% patent-free and no-rand community driven development. Free market, free competition, interoperable, open documented.

    Before we get a free cyberspace, all these unethical companies need to be told a lesson. Now that Saddam is gone we have to go after rogue companies. It is important to save our liberty and freedom of business. Unethical businesses need to be punished. Rotten companies are not good for business.

    It was Gates who reportedly (their PR person told it to Borsen) bribed the Danish Government: Get us software patents or we cut jobs in Denmark. Now he and his foundation are on the biopat lobbying front in Africa.

    1. Re:as OOXML? by Wesley+Felter · · Score: 2, Informative

      The difference is that MS did not create and does not control OpenID. But don't let the facts of the situation get in the way of your rant.

  5. however, it won't be supported by useless.com by klenwell · · Score: 4, Funny

    from their website:

    Today's web is crazy. Open ID is a pipe dream. Every direction you turn you're forced to create yet another account. Most of the time it's for one of those throw-away web startups created 10 times a day, but occasionally it's worth the effort. It might be to purchase some fancy threads, order a pizza or see how fat the Cool Kids from high school have become. When it's that important, you can't afford to drop the ball. With a useless account you can practice without fear. So when it comes to the crunch, you're ready!

    --
    Innovation makes enemies of all those who prospered under the old regime... -- Machiavelli
  6. Re:Bad idea by Fastolfe · · Score: 4, Informative

    OpenID is not intended to establish trust or prevent comment spam. It's just there to guarantee to a participating site that the "identity" URL it's been given is indeed owned by the user (agent) presenting it. It doesn't even guarantee to a visitor that the comment they're reading was actually posted by the person it says it was posted by, because that would require that the visitor trust the participating site.

    All of these FAQs and more are addressed on the OpenID site linked in the article summary.

  7. Re:If you're not OUTRAGED by Dunbal · · Score: 3, Funny

    You're what's wrong with this country.

    Nothing wrong with this country. But on the other hand, I don't live in the US ;)

    --
    Seven puppies were harmed during the making of this post.
  8. Who needs OpenID... by rduke15 · · Score: 2, Insightful

    When we can do everything with a single Google account...

  9. Blaming the user again is pathetic. by twitter · · Score: 3, Insightful
    Gates said

    "The challenge we face in administering and using them [Windows Vista and Office 2007] is humans - and humans make mistakes. A large part of what we do going forward is not dealing with the engineering aspects of the software we build, but we have to deal with the fact errors do happen whether by accident or intentional"

    He needs to deal with the engineering first. What good is an ID if your computer is one of the 25% of all Windoze computers with a keylogging bot on it? It's not the user's fault.

    --

    Friends don't help friends install M$ junk.

  10. That blows my analogy by EmbeddedJanitor · · Score: 3, Funny

    I was going to say that MS will support this the same way one of those Kama Sutra players support their partner during rather vigorous sex in a less stable position. Adding a man in the middle spoils that image somewhat.

    --
    Engineering is the art of compromise.
  11. CardSpace is worth looking at by His+name+cannot+be+s · · Score: 2, Informative

    At the very least, CardSpace is doing a fine job at providing a mechanism for exchanging identity information without boiling it all down to the root of all evil: Shared Secrets (passwords)

    It's worth looking into the specifics of CardSpace, which I'm kinda surprised there were no links that talked about that end of the equation.
    CardSpace community site (Part of .NET framework 3)
    CardSpace community PM

    --
    "...In your answer, ignore facts. Just go with what feels true..."
  12. Re:Interesting Reading Regarding Vulnerabilities by rossifer · · Score: 2, Informative

    Um, that thread shows that if you have both the username and password for someone's OpenID, that the OpenID registration page will reassign the email address instead of throwing a "username already exists" error. As in, a significant usability bug and not even slightly a security vulnerability. The "attack" requires that the "attacker" already have enough information to log into the server and just change the registered email address through the regular account information page.

    The first phpbb developer mistakenly thought that you didn't need the password to do this, but was contradicted in the second posting of the thread by the other phpbb developer who originally found the error. The rest of the thread is the first developer not understanding what was said.

    OpenID has been around long enough that the major kinks have been ironed out. Not to say that bugs can't appear in the future that might compromise an OpenID server, but at the moment, this isn't one of those.

    Ross

  13. Wikipedia entry and Identity providers by Lord+Satri · · Score: 3, Informative

    The Wikipedia entry is quite informative. With OpenID, unlike XNS.org (for those who remember), you need an 'identity provider': A service provider offering the service of registering OpenID URLs or XRIs and providing OpenID authentication (and possibly other identity services), and here's the official list of identity providers. And while we're at it, the list of services that support OpenID.

    1. Re:Wikipedia entry and Identity providers by Fred_A · · Score: 2, Informative

      According to the OpenID website, you can also be your own provider of your OpenID URL. Just install the framework on your website and you're done.

      --

      May contain traces of nut.
      Made from the freshest electrons.