AOL Now Supports OpenID

Nurgled writes "On Sunday John Panzer announced that AOL now has experimental OpenID server support. This means that every AOL user now has an OpenID identifier. OpenID is a decentralized cross-site authentication system which has been growing in popularity over the last few months. AOL is the first large provider to offer OpenID services, and though they do not currently accept logins to their services with OpenID identifiers from elsewhere, they are apparently working on it. The next big challenge for OpenID proponents is teaching AOL's userbase how to make use of this new technology."

Re:So??

[MisterCookie]

People who don't want to manage 5000+ usernames.

Why would we want OpenID?

Single sign-on across the internet is a bad idea. As more sites require it, people's web browsing habits will be tracked on an unprecedented scale. Seriously, what benefit does it provide? I certainly don't want to log onto my bank's website automatically. And in general, I don't want to reveal anything about my identity unless there is a very good reason to do so. The whole purpose of OpenID and similar technologies is to make it easier to track people. This is not the way I want the internet to develop.

Re:Why would we want OpenID?

I don't consider myself to be a "privacy nut", but I find this ideal highly flawed. It is based on the idea that personal information should either be completely secret or completely public.

To continue your analogy, I wouldn't necessarily want to publish my girlfriend's name on the soap-making forums I frequent, even if I considered it silly to avoid mentioning it on, say, a friend's personal blog. As the internet is organized today, this is less of a problem because identities are not interlinked by default: unless I sign up under my full name on the soap-making forum, no one will ever know that "SoapFan2143" is the same person as "Joe Random". If things like OpenID become standard, our hypothetical shy soap-maker would either have to be "that guy who probably has something to hide because he didn't want to sign up with a real identity", or go to ridiculous lengths like making up fake names and identities just to maintain some privacy on a hobby forum.

It's perfectly understandable that people don't want sites to automatically combine various pieces of information about them. Many people who e.g. post in newsgroups already find it highly creepy what random stalkers can find out about them from simple googlings, they don't need an automatic system to stalk them as well.

Re:Why would we want OpenID?

[jalefkowit]

Your knee is jerking. You're reacting to the centralized authentication systems like MS Passport that we've seen in the past, which would indeed make it easier to track people. OpenID is fundamentally different in that there is no one centralized identity provider. You can use AOL as your OpenID provider, or another provider, or even set up your own OpenID server on your own hardware and use that if you can't find one you can trust -- hard to think of a scenario that would be more tracking-proof than that. Read more about OpenID, it's not what you think it is.

Re:Why would we want OpenID?

[Wesley+Felter]

What's to stop them doing this with your email address right now?

Nothing, that's why OpenID is really no better or worse than the status quo when it comes to privacy.

Re:So??

[memojuez]

It's a last ditch effort by AOL to stay relevant to the rest of the InterWebs.

The problem with single sign-on...

[Phleg]

One major problem I see with this sort of initiative is spoofing of your provider's sign-in page. Unlike spoofing in its current form, if someone was able to get the password for your OpenID provider, he'll have access to every single one of the accounts you've used that ID with. It's putting all your eggs in one basket -- with the way everything is currently handled, your sign-on information to an individual site may be compromised, but you won't lose everything else.

Is there a solution to this kind of problem, or is OpenID really only targeted to low-risk authentication; i.e., for forums and social networking sites?

Re:The problem with single sign-on...

spoof? Hell they won't need to spoof anything. AOL user will surf to a pr0n site, pr0n site will say "enter your openid to get 100% full free access!!111" or some such crap. AOL user will WILLINGLY give away their id to see pr0n.

It's phishing time!

[smack.addict]

OpenID is the phisher's dream. I honestly don't get what would motivate someone to implement this specification.

Re:Cool...

[fyrewulff]

When I worked at the library, a majority of the tweens and teens came in just to check/update their MySpace. they didn't even have a computer at home.

Re:This is a huge blow to privacy on the net...

[TheRaven64]

Think what it could be like when sites only accept OpenID authentication coming from certain sources like the provider your IP is originating from? Then people won't go to those sites, because they won't be able to access them from public terminals, their friends house, or use the same account from home as they use with their mobile phone.

The idea sucks and I didn't even get started on how it allows the operator of an OpenID authentication service to track which sites you go to. The operator of the OpenID authentication service is you, or whoever you delegate the responsibility to. If you choose to ask a random person to look after your keys, don't be surprised if your house gets burgled.

Re:OpenID vs OpenPrivacy?

[Broadcatch]

"OpenID is a simple single sign-on mechanism advanced by Brad Fitzpatrick of LiveJournal. In OpenID, your identity is a URL." - http://en.wikipedia.org/wiki/OpenID

Basically, OpenID provides for distributed authentication.

IMO, what makes OpenID interesting is that in the 2.0 protocol, XRI (i-names) have been included, which opens the door to enabling selective, authenticated authorization of access to services, be it as simple as the ability to contact me (I would allow any parent of a child in my kid's pre-school class to phone me) or as complicated (eventually) as any contract you can imagine.

OpenPrivacy, on the other hand, assumes such services as a starting point, which is why I suspended development of OpenPrivacy in 2002 and began working on XRI/i-names. OpenPrivacy will use sophisticated techniques such as zero-knowledge proofs to enable distributed reputation providers and truly pseudonymous identities that cannot be traced to their owner (unless such verification is mutually requested), but it requires strong, secure identity as a starting point.

I look forward to creating grassroots i-names-enabled communities soon (starting in March, if all goes well) and eventually getting back to my OpenPrivacy roots - which is where (IMO) things start getting really interesting.

Re:Lovely knees you have ... if anything.

[Randle_Revar]

If you don't want to be tracked, don't use OpenID.

If I go to a blog and enter a comment with the name Kelly Clowers and give my website as www.clowersnet.net/~krc/, how do you know that I am really the Kelly Clowers who owns that website? This example is one of the original use cases for OpenID.

Now anyone can google Kelly Clowers and if an OpenID post turns up in the results, you can be fairly sure it was really the owner of www.clowersnet.net/~krc/ (which is presumably me, since that website specifically mentions this account (which is a solution that can work for main accounts, but I don't really want to list every one-off comment I ever made on random blogs)). Of course, a page could be hijacked, but the point is that imitating someone is not as trivial as entering someone else's name and website.

Not being tracked when you don't want to be tracked could be an issue if websites started accepting *only* OpenID, but I haven't seen anyone do that yet, and I doubt many will ever do that. And I don't think OpenID is really intended for online banking and shopping and the like. Also, if you don't want to be tracked, you could set up a second OpenID account that does not link to your primary account or to your real name.

Re:RAS syndrome and U.S. trademark law

[iabervon]

These sorts of abbreviations are often idiomatic and literally incoherent. For example, "PIN" stands for "Personal Identification Number", but it doesn't actually identify you; the account number identifies you, and the PIN authenticates you (if you were to type your PIN into a terminal without putting in a card, it would have no idea who you were). So, if people have to ignore part of the expansion to understand the term, it makes sense that they'd ignore the whole expansion, and then want a simple noun to say what they're talking about. And, of course, the last word of the expansion is a noun that sticks in people's heads as being related.

Also, in the case of TCBY, "TCBY" is actually a company, not yogurt. For that matter, using the abbreviation as if it were the expansion would be very strange; you'd have to say "I bought some of TCBY", because "I bought some the country's best yogurt" is clearly ungrammatical. If you're ignoring the fact that it starts with "the", you have to ignore the fact that it ends with "yogurt", too, and treat the term as unanalyzable.

Re:RAS syndrome and U.S. trademark law

[dlthomas]

"I bought some of TCBY" makes sense, you're just talking about stocks...

Re:This is the whole point

[burner]

You get that the whole point is to have a "single sign on," right? And that the problem with Passport is that there is only one possible provider (Microsoft)? OpenID lets anyone be the identity provider. If you want your email to be your signon, just ask your email provider to support openID. It's can only be good news if large sites with lots of users become openID identity providers rather than each company developing their own identity system.