OpenID Foundation Embraced by Big Players

An anonymous reader writes "The OpenID Foundation has announced that Google, IBM, Microsoft, VeriSign and Yahoo! have all joined its board. It's exciting to see OpenID being embraced by such large players, but its also a concern that such big corporates are now directly influencing the fledgeling foundation. 'Today there are over a quarter of a billion OpenIDs and well over 10,000 websites to accept them. OpenID has grown to be implemented by major open source projects such as Drupal, cornerstone Web 2.0 services such as those by 37signals and Six Apart, as well as a mix of large companies including as Apple, Google, and Yahoo!. Today is about truly recognizing the accomplishments of the entire OpenID community which has certainly grown beyond the small grassroots community where it started in late 2005.'"

A quarter _BILLION_?

[Brian+Gordon]

Not only do I not have an OpenID, I've never even seen an OpenId login! Until it really starts getting around, I seriously doubt the quarter billion number.

Re:A quarter _BILLION_?

[mrxak]

Yeah, this is the first I've heard of it too. I just don't understand how one ID everywhere is a good thing on the internet.

Re:A quarter _BILLION_?

[monk.e.boy]

I thought it was the default login for live journal - that's a lot of site right there.

You've never seen an OpenID login? Crazy. I done see tons.

Re:A quarter _BILLION_?

[urcreepyneighbor]

Like most figures from the tech industry, this one is bullshit. They are probably including Yahoo! and Google IDs (or something like that), even tho 95% of Yahoo!'s and Google's users have never even heard of OpenID.

Remember, kids: if it sounds like bullshit, it probably is. :)

Re:A quarter _BILLION_?

[Tridus]

It is. Every account on Livejournal is also an OpenID account. It makes sense since the founder of LJ is also the founder of OpenID.

Re:A quarter _BILLION_?

[Bogtha]

Are you sure you don't have an OpenID? If you have a LiveJournal, you have an OpenID. If you have a Yahoo! account, you have an OpenID. If you have an AOL account, you have an OpenID.

Re:A quarter _BILLION_?

[GuyWithLag]

Ah, it's not *one* ID everywhere. It's just one id for all low-impact sites (blog comments, simple sites that you need to register etc).

Re:A quarter _BILLION_?

[ceejayoz]

Yahoo! and AIM logins are OpenID logins, whether the users are aware of it or not.

The number is accurate. The assumptions you're making about the meaning of the number are not.

Re:A quarter _BILLION_?

[krbvroc1]

This is probably some lame marketing hype that implies that since they use a 30 bit number they have a billion id's. Probably 1,073,741,824 to be exact.

Ive heard of but never seen openid used on any sites I have visited.

Re:A quarter _BILLION_?

[krbvroc1]

Oops I hit the submit too quick: I should have said 28 bits values, 268,435,456 id's. You get the point though.

Re:A quarter _BILLION_?

[smittyoneeach]

Oh, well, if it's designed to solve a specific problem with well-thought out requirements, then it must be totally limited, b0rken, teh sux0rz, and it will never work.
It has to have universal acceptance, be all things to all people, completely simple and yet so secure that Schneier worships it, or it will get no traction in the market. </sarcasm>

Re:A quarter _BILLION_?

[owlnation]

This is probably some lame marketing hype that implies that since they use a 30 bit number they have a billion id's. Probably 1,073,741,824 to be exact.

Yep. And the other poster is also quite correct. Numbers like this quoted by tech companies are meaningless raised to the power of meaningless. We've all seen eBay, Myspace, Facebook, etc boast about number of users using stats like these.

At best they are counting the number of times someone's registered, and since many people register more than one account, and/or try things out and then never use them again, the number is a fraudulent and manipulative misrepresentation of actual user numbers. Always is.

Always remember: come the revolution the marketing droids get it first. No mercy. Society does not need marketing droids.

Re:A quarter _BILLION_?

[Brian+Gordon]

mm, yeah none of those

Re:A quarter _BILLION_?

[jguthrie]

The last time I looked, which was a couple of years ago, OpenID was simply a way of verifying that a person was associated with a particular URL. In particular, the OpenID folks were resisting (and with good reason) all the pressure to use OpenID for things like, say, verifying that a user was associated with a particular email address, despite how useful that would be. So, how can Yahoo and AIM logins be OpenID logins? That seems to be inconsistent with the previous stance of the OpenID people. In particular, there seems to be no URL associated with either of those types of logins.

Re:A quarter _BILLION_?

[HTH+NE1]

According to the OpenID site it uses a URI, which includes "mailto:" URIs.

For AOL IDs, its "openid.aol.com/screenname".

Re:A quarter _BILLION_?

[severoon]

I have to say I'm shocked there are so many people piling on this anti-identity bandwagon. Don't you people understand that the purpose of OpenID is to allow you, the user, to control your own identity and the information companies are allowed to collect about you? (As opposed to right now, where sites ask you to sign up and provide X info to create an account and you either provide it or don't get on?)

Identity management allows you to control your Internet presence in one single place, and acts as a single gateway for you to allow or disallow sites to know about you and collect information about you. This is a good thing people. It's secure. It promotes security...real security. It also promotes anonymity when you want it. Unlike Facebook where you add 50 apps and leave all the boxes checked and then have to page through one app by one once you understand the impact of those boxes...

Don't knock something till you understand it. Someday the intarwebz will be open id powered.

Re:A quarter _BILLION_?

[Sax+Maniac]

Great, I now have 3 different OpenIDs... and no place to use them!

Re:A quarter _BILLION_?

[jguthrie]

Did I mention I spent a couple of weeks reviewing the OpenID spec in some detail? I also spent quite a while looking at it because of the "pull email" proposal I was looking at at the same time. In any case, the opinion that OpenID doesn't authenticate to identifiers that are email addresses isn't my opinion, it's that of the OpenID developers.

Nevertheless, to be sure that I didn't miss something since I last looked at it, I checked out the Web sites that you link to, and dug into V2 of the OpenID spec, and I don't see where any OpenID spec says that it includes "mailto:" URI's. It's also not clear how that would work because the OpenID authentication process relies upon doing an HTTP POST on the URI, which is not supported on "mailto:" URI's. Well, version 2 of the spec does talk about something called XRI's, which may include mailto identifiers, but the mechanisms used to verify the identity are all based on HTTP, which isn't not what is used for a mailto. All the examples, which of course are not normative, use HTTP, HTTPS, and XRI URI's as well with nary a "mailto:" in sight.

Could you explain in more detail how using OpenID to verify to a mailto: URI would work?

Re:A quarter _BILLION_?

[Bogtha]

In particular, the OpenID folks were resisting (and with good reason) all the pressure to use OpenID for things like, say, verifying that a user was associated with a particular email address, despite how useful that would be. So, how can Yahoo and AIM logins be OpenID logins?

I'm not sure what you don't understand. Why wouldn't they be OpenID logins? Just because I use the same username and password to authenticate for my Yahoo email and my Yahoo OpenID, it doesn't mean that my Yahoo email address is disclosed to everybody.

In particular, there seems to be no URL associated with either of those types of logins.

You're conflating two different things here: identity and access mechanism. Whether you sign into Yahoo mail via their website or via your mail client, it's still the same user account. Likewise, when you use your AOL OpenID, you might not use the same access mechanism as when you use AIM, but it's still the same identity.

Re:A quarter _BILLION_?

[HTH+NE1]

Could you explain in more detail how using OpenID to verify to a mailto: URI would work? Setting up an auto-responding script?

I have not researched the mechanism of OpenID, only pointed out that their site referenced URIs, which the wiki defines as a superset of URLs, and did not on the same page offer a declaration of what subset of URIs they actually support. By that omission, I thought it a fair reading that all URIs are supported.

The only thing I can see necessitating them to use the vague term URI instead of the specific term URL is RFC 3305 (referenced in their OpenID RFC) which basically says, screw the differences between URI, URL, URN, URC, etc. and just call everything a URI.

So, fuck it, I don't really care that much about it to argue about it further other than say yeah, of the whole set of URIs they only support a tiny subset of URLs: http and https and these new XRI(TM)s, and probably really only a tiny subset of them as well. (Hard to tell when things like table 5 persistently presents itself partially off the left of my browser window regardless of window size.)

Re:A quarter _BILLION_?

[jguthrie]

When you authenticate using OpenID, what happens is that the system you're trying to authenticate at goes to the URI that you specify and asks it to authenticate you. In effect, an OpenID login is a proof that you control the content at a particular URI. What I was missing was that my AIM ID was an AOL ID. That's true because of how AOL chooses to handle accounts, but isn't true in general.

Re:A quarter _BILLION_?

[smittyoneeach]

Regret if the sarcasm tags blew by you. I was agreeing with your point by attacking the attackers. OpenID sounds like a genuinely good idea. The problem with good ideas is that they are often "loved to death", a passive-agressive attack wherein simply beauty gets so tarted up with paint an polish that Natalie Portman becomes Tammy Faye Bakker.

Re:A quarter _BILLION_?

[Eivind]

No. The number is as high as it is because a number of very large websites support openID, thus everyone signing up at one of these websites get an openid, if they *use* it for anything is a quite different issue.

For example, everyone who uses AIM has an openid, I'm sure 99% of them never used it for anything, but it -does- mean, they could, for example, post a comment on any LiveJournal-blog as openid.aol.com/screenname and have OpenID authenthicate it (i.e. guarantee that the comment really was posted by the holder of that screenname)

More interesting is the number of sites where you -CAN- use openID to authenthicate. If Yahoo, Google and Microsoft implement it on the major sites they run, this alone would be a huge boost. MANY people log in to atleast one site run by one of these giants regularily.

Re:A quarter _BILLION_?

[severoon]

No, I saw the sarcasm tags. :-) My post was directed at the unbelievable run of posts against the idea. I was particularly surprised by the guy that said, "Oh yea, that's just what the internet needs, a single place to sign on!" Duh.

Secure?

[mrxak]

Is it really all that secure to have one username and password for every website you go to? I would imagine there'd be privacy concerns as well.

Re:Secure?

[Brian+Gordon]

Very secure. Think about it- that means that every scummy admin on the internet doesn't have access to your password. You don't need a "junk websites that probably sell my username/password" tier, since authentication is handled by openid and not the scummy web server itself.

Re:Secure?

[mrxak]

Fine, but what happens once somebody does get your username and password, let's say a keylogger, or one of these fake banking sites designed to steal your password. Now they can get into everything. It's not like this is going to stop scummy admins. OpenID doesn't instantly become mandatory everywhere just because a few new companies endorsed it. All this means is that when your OpenID gets stolen, you're even more screwed.

Re:Secure?

[esocid]

since authentication is handled by openid and not the scummy web server itself.

But what implications would it have for your account at any of those sites if your OpenID account is compromised or you password is cracked? I'm not too familiar with OpenID but it seems like an accident waiting to happen to me, but again I'm sure the security or protocol involved with all of this. I would rather have multiple accounts with different passwords, but I'm aware that some people use the same pass for all logins.

Re:Secure?

[a_n_d_e_r_s]

Nothing prevents you from having several OpenID with different passwords. You can create a OpenID and password for each site you visit.

Re:Secure?

[swimmar132]

How could a fake banking site possibly get your openid password? You only give your openid password to one site, the openid provider.

You can also see who is using your openid, when they are logging in to sites, the IP addresses of people using your openid, etc.

Re:Secure?

[192939495969798999]

The problem with a single user/password storage is you then have a single user/password. If that openID gets hacked, then everyone will have access to everything... not good. At least if one non-openid account gets hacked, only that account is affected.

Re:Secure?

[Bogtha]

Is it really all that secure to have one username and password for every website you go to?

This isn't about having one password. This is about having one account. There's ample opportunity for improved security without the need for passwords. Have your OpenID provider authenticate you via an SSL cert on your USB flash drive if you want, or even via fingerprint recognition, you or your provider can implement whatever level of security you need and there's no need for the relying parties to mess about with their authentication system to accommodate you, it all just works automatically with any OpenID-capable website or web application because it's the OpenID provider doing the authentication, not the websites or web applications themselves.

Websites and web applications are relatively limited in what they can offer in terms of authentication options. OpenID allows people to experiment with alternative authentication schemes without having to drag websites and web applications along with them.

Re:Secure?

[owlnation]

You can create a OpenID and password for each site you visit.

Sure. Of course. Um... remind me why I need an OpenID again?

Re:Secure?

[Chyeld]

The way OpenID works (the "for dummies" version) is you go to a service which supports it and tell them "I'm Joe Joe from joejoe.com". The service then goes to joejoe.com and checks for the information there that would tell the service who to contact to verify you. It could be at joejoe.com itself, it could be openid.randomguy.com. It doesn't matter.

After the service knows who is allowed to verify that you are Joe Joe from joejoe.com, it asks them to do it. How they do it is entirely up to them. They could use a password/username. They could use a 32 point authenticaion scheme that at some point requires your mom to log in and ask you questions. It doesn't matter.

Once they've verifed you are Joe Joe, from joejoe.com, they tell the service that. Now, if the service considers itself 'high security' they can always do some extra checking before it logs you in fully (and some do). But if it's 'just Slashdot' then that's all that needs to happen.

So, someone hack your account with the group verifying you? Change authentication methods.

If you are implementing your side of OpenID correctly (and no it's not a given that you are) you have control over who verifys you as you and simply need to setup a different group to do the verification. YOU are in control of that. Unlike things like MS Passport, where you have to trust Microsoft not to foul up.

Of the single login setups I've seen OpenID is the best implementation I've run into. Yes, single sign on is inheritantly less secure than multiple sign ons, ASSUMING the authentication layer is equivalent across the board.

BUT, and this is the catch, YOU pick the level of authentication with OpenID. You get to decide how secure is secure, if you think it's ok to just go with a username/password. Then that's your choice and you can do that. But if you would prefer to go 'Fort Knox', it's entirely possible for you to do so, because you get to choose who does the authentication and therefore what authentication is being done.

Re:Secure?

[Bogtha]

Fine, but what happens once somebody does get your username and password, let's say a keylogger, or one of these fake banking sites designed to steal your password. Now they can get into everything.

For practically everybody, this is already the case. At present, the username and password they need to crack are for your email account. Then they can access all your other accounts by extension via their forgotten password features.

So the downside of OpenID is a downside that is already present. Something to think about, for sure, but hardly a deal-breaker that should prevent adoption.

Re:Secure?

[swimmar132]

That's why the good openid providers have a security image that you choose (and supposedly look for).

Look at how Yahoo does it.

Re:Secure?

[Tony+Hoyle]

I logged into yahoo just now to check. No security image. That site is extremely fakeable.

And what about the yahoo IM clients? A rogue one of those could steal your password easily.

One centralised password is a *bad* *bad* idea.

Re:Secure?

[STrinity]

How could a fake banking site possibly get your openid password? You only give your openid password to one site, the openid provider.

Well banks aren't likely to use OpenID anyway. But the sort of person who falls for phishing sites is the type who uses the same password everywhere, so if the phisher gets the guys bank password, he could turn around and try it on OpenID.

Re:Secure?

[swimmar132]

The openid yahoo site, not the regular yahoo site, silly.

Re:Secure?

[Tony+Hoyle]

Either yahoo are using openid as claimed above, or they're not.

You aren't trying to suggest they're actively maintaining two different username/password databases for the same system? That's beyond insane.

Re:Secure?

[dustman]

Also, there is one 'higher class' authentication layer implemented already, mentioned on episode 107 of security now podcast http://www.grc.com/securitynow.htm :

Verisign has an OpenID implementation, https://pip.verisignlabs.com/, with a plugin for firefox that makes it easy to manage signing into sites.

Verisign's implementation is already behind the paypal and ebay security fobs, and if you get a pip account, you can buy one and use it for secure authentication everywhere. They cost $30 from verisign, but only $5 from paypal: http://paypal.com/securitykey

Re:Secure?

[Tony+Hoyle]

There's me thinking I'd be able to get a cheap security key to play with:

"The Security Key is currently not available. Please try again later."

Not inspiring if your source of login goes down randomly...

Re:Secure?

[Brian+Gordon]

Not so insane.. who cares how they do it on the backend, as long as they share accounts instead of separate ones?

Re:Secure?

[Hal+The+Computer]

https://certifi.ca/ actually offers a free provider that works with any SSL certificate. As you point out, this makes phishing almost impossible. You need a certificate from somewhere else, but there is a list of certificate providers on that site, some of which are free. There is one other provider I know of that offers this, but I couldn't get their service to work.

Re:Secure?

[Tony+Hoyle]

If they're using the same account all the claimed security just vanished - anyone who has my yahoo username and password (phishing attack, keylogger, whatever) also has my openid account. Yahoo aint that secure.. it shouldn't need to be, it's not a bank.

If they're using different accounts they just doubled the complexity of their authentication systems simply for the coolness factor (plus the claim that yahoo accounts are openid accounts is bogus).

Re:Secure?

[cybereal]

It's trivial. It is the same as every other fishing attack. When you login with your OpenID it will forward you to your OpenID provider's page to login. The phishing attack simply forwards you to their OWN OpenID page. They only need to mock up a few common provider pages (AOL, Yahoo?) and that's enough for a phishing scam.

That said, some of the nicer OpenID providers fight against this. Some offer useless features like showing you a picture you selectd out of a huge group of 7 or 8 choices :P but some have real features. For example, verisign has a provider, pip.verisignlabs.com. You have several ways to improve your security with this provider that are all optional. The first and most important is that you can disable that forwarding behavior such that you as a user must login there first before it will ever authorize a website. You then know without a doubt if you're being phished.

But even better than that is that they support those little random number generating key fobs. For $5 I bought one of these from paypal.com. It happens to be exactly the same kind that works with verisign's site as well. So I just registered it into verisign's page. Now when I login to my OpenID my password is a deterrent but even if everyone knew it, they would STILL need my keyfob to log in. After entering my password it requests a 6 digit code which is only available by generating it with the little keyfob. Think asymmetric encryption based on a time oriented physical device. It's very secure. The correct code changes every 30 seconds. Given that it's 6 numbers, it would be incredibly difficult to crack and therefore not a viable target for a cracker/phisher.

If it sounds inconvenient keep it mind that I merely need to visit verisign's page and login once for all the sites that would authenticate against it. On top of that, they offer a firefox plugin for use with the non-forwarding mechanism to give you back that convenience of auto-forwarding with the security that a local client can verify. I haven't tried it though so I can't analyze the difficulty of phishing THAT thing directly.

Now this kind of keyfob thing isn't for everyone. They also allow you to associate your SanDisk U3 enabled security USB keys with the system (all U3 devices are capable of this at least on Windows). And I think there may be one other two factor option.

The greatest part is that this security is offered automatically to any sites consuming OpenID. So now I just hope more places will let me login with an associated openid, because as it is now, my todo list is very secure (toodledo.com). Though at least one important site I visit supports OpenID logins (BaseCamp/GroupHub).

Re:Secure?

[Randle_Revar]

My yahoo login has a security image...

Re:Secure?

[Aram+Fingal]

BUT, and this is the catch, YOU pick the level of authentication with OpenID. You get to decide how secure is secure, if you think it's ok to just go with a username/password. Then that's your choice and you can do that. But if you would prefer to go 'Fort Knox', it's entirely possible for you to do so, because you get to choose who does the authentication and therefore what authentication is being done.

Or I suppose that you could have two or three OpenID accounts at different levels of security. Use the lowest level of security for membership sites like Slashdot and the highest level (with two-factor identification, etc.) for financial sites like your online banking.

Re:Secure?

[tyraen]

Well it's not like it just randomly picks a security image for you. You have to set one of your choosing on their site. They set a cookie (I believe), so the image is only good for the particular computer you are on. But phishing sites are unable to retrieve the cookie to display the image.

Re:Secure?

[cortana]

Security image, WTF? You should be checking the subject of the certificate that the site presents when you connect to it.

(Of course, this only works if you have already verified the identify of the issuer of the certificate, and trust them to verify the identities of other sites).

Re:Secure?

[Poromenos1]

Shameless plug: I have created a finance management site (www.moneygement.com) which uses OpenID for signins, and Verisign's PIP isn't working with my site. I have contacted them and verified that this is a bug on their end, but it still seems to be broken. It's too bad, because people assume it's my site that's broken, but everyone else is able to log in fine (it's probably an odd combination of my library and theirs), but I would not recommend them. Personally, I've been using MyOpenID and even recommend them for signups, they're quite good.

Re:Secure?

[Ish+Ulpin]

Secure for who though. From a user point of view it is probably OK. What about from a corporate point of view. If Google has google-analytics on each page and you also login with your Google OpenID they will be able to match up the information. All of a sudden Google, Yahoo, Microsoft will be able to match search etc information to you personally because you will be using their authentication method. They will not be breaking current laws as far as I know though as they are not storing extra information about your search only correlating information they have from your searches and OpenID use. It is a marketing bonanza for them.

Then if you extrapolate: The OpenID end points can give you targeted marketing after you login by dragging it from Google, Microsoft etc marketing companies based on the profile they have built up on you using your OpenID and searches and things like Google-Analytics. What marketing company would not pay large sums to have directed adds aimed at people.

I wonder if there are any policies about OpenID information gathering, storage and usage by companies etc. What are the privacy terms when you sign up for an OpenID? What protection is there for us from the big corporate companies.

Yours sincerely

Ish Ulpin

Support on Slashdot?

[ObsessiveMathsFreak]

But the big questions on everyones lips are: "Will Slashdot support OpenID?", and "Is Anonymous Coward already taken?".

Re:Support on Slashdot?

[Tony+Hoyle]

Oh god I hope not. I'm kinda worried that yahoo have - without my permission - put my username and password for them in the openid database. If slashdot did it.. I hope we'd get a proper opt-out.

Re:Support on Slashdot?

[Bogtha]

I'm kinda worried that yahoo have - without my permission - put my username and password for them in the openid database.

There's no "OpenID database", it's decentralised. If you use your Yahoo OpenID on a website, that website sends you to Yahoo, where you are authenticated against the same Yahoo database that you've always had your account details in. When Yahoo decides you are who you say you are, they send you back to the original website. Your username and password haven't gone anywhere.

Re:Support on Slashdot?

[Goaway]

There is no "the OpenID database". They have put your username and password nowhere bu their own database where they have always been.

Re:Support on Slashdot?

[Tony+Hoyle]

There is, even if yahoo keep it to themselves they need to put it in that system.

As far as putting my yahoo details into a *different* site. Not gonna happen. A site either has its own unique logon or I close the browser.

Re:Support on Slashdot?

[Bogtha]

There is, even if yahoo keep it to themselves they need to put it in that system.

What are you talking about? What system are they putting it into? The OpenID authentication on Yahoo's servers can just query the existing database that already holds your username and password.

As far as putting my yahoo details into a *different* site. Not gonna happen.

You don't put your username and password into a different site. The only thing you put into the other site is your OpenID, which is something like https://me.yahoo.com/text-of-your-choosing. There's even a new feature in OpenID 2.0 that lets you just pick "Yahoo.com" so you don't have to enter anything at all relating to you on the other site.

OpenID works very differently to how you are imagining it.

Re:Support on Slashdot?

[hayesp25]

For a web site that is supposed to be geared towards technically capable people, there are some stupid, stupid posts here. There is no "openid database". Get a clue. Single-sign on is infinitely more secure than username / password splattered across the web. If your account gets compromised, you only have to lock down a single location. You can get a review of all authentication activity across all websites that you use. I don't understand how anyone can think this is not a good idea.

Re:Support on Slashdot?

[swimmar132]

Dude, you really don't understand how openid works. Sorry.

I'd explain it better, but I have work to do. But please do read up some more on it.

Licensing

[parcel]

As Brad Fitzpatrick (the father of OpenID) said, "Nobody should own this. Nobody's planning on making any money from this. The goal is to release every part of this under the most liberal licenses possible, so there's no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we're all a part of the community." (from http://openid.net/what , emphasis mine)

I'm no expert on such things, but wouldn't you want an extremely restrictive license, to prevent providers from "improving" the concept and breaking interoperability? Or having the more "trusted" providers begin charging for the service? Although I suppose this depends on Fitzpatrick's definition of liberal.

Re:Licensing

[jfengel]

Trusted providers probably WILL charge for the service. The OpenID scheme considers that a good thing. You get to choose any authenticator you want, and you can decide how hard you want to work on protecting your identity as it relates to any particular web site.

I use Livejournal for my openID, which is fine, but I don't necessarily trust them. They're not professional security providers, and they have a lot of other things to do. So I wouldn't use my LJ authentication when there was money on the line, but it would be fine to use it for my Slashdot login.

You get to put all your eggs in one basket, and then make sure it's a really good basket. But you and I aren't required to put out eggs in the same basket, so if I use ReallySecureID.com and it gets hacked, your login at NoSeriouslyTotallySecureID.com will still be safe.

And more importantly, we'd no longer be trusting each and every web site we dealt with to be safe with our passwords.

Re:Licensing

[Tony+Hoyle]

Trusted providers probably WILL charge for the service. The OpenID scheme considers that a good thing.

Now I have to pay someone? It's looking like the verisign monopoly all over again.. Pay them $500 a year and if you can't pay them next year lose your identity, just like the way SSL works at the moment.

OpenID has no issues with this???

Re:Licensing

[izzo+nizzo]

this widespread adoption is great news - just get Microsoft off that board and we'll be good to go. passwords are by far my biggest problem with the web.

Re:Licensing

[Bogtha]

No. You misunderstand. Again. If you aren't trolling, please just go and read an OpenID tutorial or something before posting more silly comments.

Some OpenID providers will only offer the bog-standard username and password authentication. Some OpenID providers will offer better security, for instance via client-side SSL certificates, swipe cards, etc. The people who want this extra security now have the option of going to a premium OpenID provider as opposed to a typical OpenID provider, and all the websites and web applications that accept OpenIDs will be more secure for these people without the websites and web applications having to do anything special to accommodate you.

You, as a security-conscious user, can seek out more secure forms of authentication by picking a better OpenID provider. And you can do this without the websites you use doing anything more than implementing standard OpenID. This is what jfengel is referring to when he is talking about paying for an OpenID.

And no, switching away from an OpenID provider doesn't mean you will lose your OpenID. Switching providers is something that OpenID handles through delegation.

Re:Licensing

[Randle_Revar]

I use myopenid.com as my openid provider. However, my openid is http://www.clowersnet.net/~krc/. If myopenid.com does something I don't like, I create an account with a different provider and change two lines in my website to point to my new provider. My new provider could even be my own server. Everything else keeps working as it did before - the openid consumers I have logged into don't even know that anything changed.

You know, instead of throwing out random arguments, and letting everyone else shoot them down, you could just read up on openid and get most of these answers yourself. Then if you still had unanswered questions, you could ask someone.

Re:Licensing

[wertigon]

Yes, you *might* have to pay for this. Just like you *might* have to pay for any other service.

Look at it this way; there are web hotels out there that charge nothing when you put up a site with them, but will display ads on your page. These hotels usually have very limited options. And then there are web hotels that costs money, and lets you put up a small phpBB forum or somesuch. Finally, there are the dedicated server options, for those who really needs it.

OpenID is basicly the same thing; if you want to trust your account to a crappy provider, then that's your decision, but the more reputable, won't-go-down-even-if-world-is-destroyed OpenID providers might still decide to charge for it. Simple as that.

Thanks Instatrace!

[Itninja]

And We've just had a very generous donation of $10, 000 but the caller didn't leave his name, but thanks to Instatrace we now know that it is Homer Simpson of 741 Evergreen Terrace. Oh, why did I register with Instatrace?

Karma whoring...

[apathy+maybe]

mylid.net - lets you get a free OpenID and LID thingy.
http://siege.org/projects/phpMyID/ - PHP script so that you can run your own ID thingy. Under your control.

And yeh, I now have access to two OpenID's from Yahoo, but personally, I think I'll be doing one of the above two whenever this OpenID thing becomes more popular.

Op out

[esocid]

If there is a broad implementation across these sites would there be an opt out option for those who do not have an OpenID or would I actually be forced to gain one in order to go about my business? This sounds like the REALID of the intarwebs to me.

Re:Op out

[DaftShadow]

I thought that too at first, and then I "got" it: Right now, every website I go to, I create a new account. New account, new password, new entry in my passmanager. I usually use the same login name/user name, for simplicity's sake. You probably do this also.

Now, I can use OpenID to stop dealing with my passmanager! I can get the same login name everywhere. If I want the simple route, I simply use diggity.myopenid.com. If I want the advanced "I control it all" route, then I can host it myself using phpMyID (although that makes it a fair bit less anonymous :).

The best part though, and I think this is where you are confused, is that you can create as many OpenIDs, using as many providers, as you want to keep track of! You could have ten different logins to Slashdot if you wanted. You can have that already right now, but OpenID allows you to take this the extra step and take any of these logins with you to any other site in the future. If you want extra security, you can use a provider in a foreign country that deletes all logs, never tracks IPs, and understands full deniability. Whatever. This is totally up to you!.

- DaftShadow

Re:Op out

[esocid]

Thanks, that does clear things up a bit. I didn't realize how far down the rabbit hole the complexity of this actually goes. I didn't know either that you can host all your identities rather than giving it to a third party to handle, I was under the impression that it was just another 3rd party that controlled it all. After looking into it more and more it does look like a good alternative to current systems. I'll definitely check out the phpMYID and see which method I like.

Re:Op out

[Tacvek]

I thought that too at first, and then I "got" it: Right now, every website I go to, I create a new account. New account, new password, new entry in my passmanager. I usually use the same login name/user name, for simplicity's sake. You probably do this also.

Now, I can use OpenID to stop dealing with my passmanager! I can get the same login name everywhere. If I want the simple route, I simply use diggity.myopenid.com. If I want the advanced "I control it all" route, then I can host it myself using phpMyID (although that makes it a fair bit less anonymous :).

The best part though, and I think this is where you are confused, is that you can create as many OpenIDs, using as many providers, as you want to keep track of! You could have ten different logins to Slashdot if you wanted. You can have that already right now, but OpenID allows you to take this the extra step and take any of these logins with you to any other site in the future. If you want extra security, you can use a provider in a foreign country that deletes all logs, never tracks IPs, and understands full deniability. Whatever. This is totally up to you!.

- DaftShadow Excellent explanation. However, you did not mention the mid-layer possibility. In that case your OpenID is actually a url on a site you control, but points to a different site to do the actual authentication. A week later you decide you don't like that site's authentication, you make a small change to the page on your site, and then use a different site's authentication method.

SHA1 signing? I think I'll pass.

[rock217]

After reviewing the OpenID RFC I was a little dissapointed to see that messages are signed with SHA1, or SHA256 (if supported.)

To me, this suggests that the majority of OpenID supported sites/providers use SHA1, of which rainbow tables have been available for some time. I think with this in mind, man in the middle becomes a legitamate attack vector, so if I can man in the middle you to determine your MAC, then I can impersonate you on any OpenID supported site?

Yea where can I sign up for _this_, and should I use my SSN as my MAC key?

Re:SHA1 signing? I think I'll pass.

[Kickersny.com]

Breaking news! Any password hashing can be broken! Details on the pigeonhole principle at 11.

Re:SHA1 signing? I think I'll pass.

[Goaway]

SHA1, of which rainbow tables have been available for some time. Rainbow tables are not dependant on the specific hashing algorithms. They are a generic algorithm for breaking any hash.

More Info Here

[mpapet]

http://www.plaxo.com/api/openid_recipe

As someone that used to work for a company that developed strong authentication systems, I can tell you that big-business has been having some kind of orgasm about this for quite a while now.

The typical big-dreamer sees "identity" as a problem of too many logins/passwords. Yahoo and IBM have different customers, but similar goals simplifying authentication/identity for their customers. As usual, Microsoft is conspicuously absent because they think they've got the proprietary solution already.

Re:More Info Here

[qw0ntum]

Um... it seems that Microsoft is on board, actually, according to the article.

Though I do admit that it is a bit surprising. :)

Re:Like Microsoft's Passport,

[Vectronic]

"Open" and "Trust" or more specifically "Security" are sort of oxymorons, especially when it comes to "Open Source", Open Specifications, fine, thats generally just "it should accomplish this, but by what means is up to you"

If its Open Source, that pretty much means that, you yourself can either look at the code that handles security itself (encryption, where and how it stores keys/passwords) or you probably know someone who can, without very much, if any retribution if said security is broken, who's accountable? Those 30 people over there---> or these 30 people over here? omg what about them?

The security on proprietary code isnt exactly better, however you can almost always say "it was Bob, he handles those 80 lines of code"

I'll probably get -1 Flamebate, but it just sort of seems like common sense to me...

Well...

[samael]

Everyone with a Yahoo ID has one. Everyone on Livejournal has one. Everyone on AOL has one.

So that's a fairly large number of people.

Re:Well...

[Tony+Hoyle]

So anyone with a yahoo ID can log into AOL?

Doubt it.

Re:Well...

[FesterDaFelcher]

Why would having an OpenID with one service allow you to log into another service, regardless of rights? Please think before posting.

Re:Well...

[Bogtha]

No, you are mixing up OpenID providers with OpenID relying parties. Yahoo and AOL are both OpenID providers, which means that if you have an account with them, then you have an OpenID. The sites you log into are OpenID relying parties, which means that if you have an OpenID you can log into them.

Yahoo and AOL don't have any services that are OpenID relying parties as far as I know (AOL say they are "actively working on it"). But you can use Yahoo and AOL OpenIDs to log into an OpenID relying party, for instance, if you have an AOL account, you can use your OpenID to log into LiveJournal, which is an OpenID relying party.

Re:Well...

[Tony+Hoyle]

Thank you for making precisely my point.

Both AOL and Yahoo *already* have perfectly functional login systems.

OpenID promises single signon, but can't deliver it because everyone wants their own walled garden - Yahoo and AOL don't want to share users. So their alleged use of openID is completely, utterly and totally pointless. They've gained nothing, the end users have gained nothing.. but it makes for neat headlines.

Re:Well...

[FesterDaFelcher]

They've gained nothing, the end users have gained nothing

Users HAVE gained something. From the openID website: "With OpenID you can easily transform one of these existing URIs into an account which can be used at sites which support OpenID logins." Key word here is CAN. It doesn't mean that once you have an openID you immediately have access to any site that uses openID. There are still permission structures.

Thank you for making precisely my point.

If you wanted to make the point that AOL and Yahoo don't want to share users, make that point. But don't say something that is totally incorrect, and then feel like you "got me" in your trap to make a different point altogether.

Re:Well...

[Bogtha]

OpenID promises single signon, but can't deliver it because everyone wants their own walled garden - Yahoo and AOL don't want to share users.

According to the AOL developers' blog, they are actively working on making their products accept OpenID, and even if they weren't, just because AOL wants a walled garden, it doesn't mean nobody else can become a relying party. There's plenty of utility in OpenID even if all the big players are only providers.

Re:Well...

[rubah]

Everyone with an LJ id could log in and make comments on Deadjournal when entries called for users to be registered and vice versa.

Re:Well...

[Tony+Hoyle]

But that *is* the point.

One identity across the internet is the goal.

It's am impossible goal because nobody wants to share their user information with anyone else. That information is worth money, not to mention the privacy (and, in some countries, legal) implications.

Therefore openid just becomes a different way for Yahoo to store its usernames, and a different way for AOL to store its usernames. That may have value in itself.. but it isn't the holy grail some at slashdot seem to think it is, and not affect end users *at all*.

OpenID would work in a world where everyone was happy with openly sharing this information. That world does not exist.

Re:Well...

[Tony+Hoyle]

Presumably all AOL websites already accept AOL IDs. Now they accept AOL OpenID IDs instead. Big woop.

Re:Well...

[Bogtha]

Now they accept AOL OpenID IDs instead.

No, now all OpenID relying parties accept AOL accounts. Please stop misrepresenting the situation.

Re:Well...

[Jobe_br]

No, listen. You're wrong. This has nothing to do with sharing users, it has everything to do with YOU not having to create YET ANOTHER LOGIN. OpenID is about YOU not about the companies implementing it sharing users.

This isn't a trivial thing to understand and I encourage you to read up on OpenID.

Here's, in a nutshell, what it means. You have a Yahoo! or AOL account (so, you have a login & password, that you can remember). When you want to start using a product at 37signals, like basecamp or highrise, or whatever - you can CHOOSE to use your OpenID. You still have to sign up with 37signals, you still have to PAY 37signals, but you don't get another login & password.

When you provide your OpenID to 37signals, the APIs they use will ask your OpenID provider (e.g. Yahoo! or AOL) if you're authorized, your OpenID provider will ask YOU if you want to authorize 37signals, and you'll say YES.

That's it. Trust is setup, you've been in control the whole time, and now you can access your 37signals account without ever having created a new username & password.

It really, really is powerful. And it really, really is not trivial or necessarily easy to understand. But it works, and folks are getting on board with it.

Cheers,
[/rant]

Re:Well...

[FesterDaFelcher]

Good summary. I think OpenID would do well to produce a well made flash video describing the situation, with creating an OpenID, signing up at multiple sites. Describe what data is shared (none), and what the benefits are to the user. I've heard too many times, "I don't want all of these websites to have my private information." That's not at all how it works. Private info would still need to be entered at each site, but the overall login would be the same.

Re:Well...

[c_g_hills]

Unfortunately some sites treat OpenID users as second-class citizens, and sadly LiveJournal is a good example of this. A user who has an OpenID account on LiveJournal cannot:-

• keep their own journal
• join a community
• comment on posts that have restricted comments to LiveJournal users

I hope that they will change this policy in future.

Re:Well...

[mdwh2]

One identity across the internet is the goal.

No it isn't - you seem to be complaining that as long as there exists one site where OpenID can't be used, it is useless.

Which is rubbish - as long as some sites support it, it is useful in that I no longer need as many logins. I already use my LiveJournal openID to post to other forums (and also allow blog posters to let me see non-public posts). It's a shame Slashdot doesn't support it. Plenty of sites support OpenID - just because Yahoo and AOL don't properly is beside the point.

Re:Well...

[mdwh2]

keep their own journal

I don't think that's too much of a problem - if you're using a site enough to be doing something like keeping your own journal, it's not too much hassle to get an account. It is hassle to get an account just to make a single comment, which is the major hurdle OpenID overcomes.

join a community

I agree, this limitation seems a bit strange, especially as they allow OpenID users to keep friends lists.

comment on posts that have restricted comments to LiveJournal users

Although that's a choice that's up to the journal owner. They had to have that really, as originally there was the option to disallow anonymous comments, but for backwards compatibility, I think OpenID would have to fall into the same category. But it would be nice to have an option that says "Allow LiveJournal or OpenID comments, but not anonymous".

Re:Well...

[Tacvek]

keep their own journal

I don't think that's too much of a problem - if you're using a site enough to be doing something like keeping your own journal, it's not too much hassle to get an account. It is hassle to get an account just to make a single comment, which is the major hurdle OpenID overcomes.

join a community

I agree, this limitation seems a bit strange, especially as they allow OpenID users to keep friends lists.

comment on posts that have restricted comments to LiveJournal users

Although that's a choice that's up to the journal owner. They had to have that really, as originally there was the option to disallow anonymous comments, but for backwards compatibility, I think OpenID would have to fall into the same category. But it would be nice to have an option that says "Allow LiveJournal or OpenID comments, but not anonymous". But setting up an OpenID server that automatically authenticates anybody who types in that url (does not attempt to verify identity) is trivial. Any such URL is then an anonymous OpenID. That more or less would defeat the point, would it not?

Re:Well...

[gronofer]

This isn't a trivial thing to understand and I encourage you to read up on OpenID.

I read up on OpenID and considered implementing it on a website. However I came to the conclusion that it was undesirable, since a user would be completely dependent on their OpenID provider. If it was off-line, or closed down for good, they would lose their access to my site too.

Re:Well...

[mdwh2]

True, I guess that explains why they allow restricting of comments to LJ accounts and not OpenID.

Re:Well...

[sarabob]

Depends on what 'the point' is, really.

Arguably an OpenID server which authenticates everyone automatically is equivalent to using mailinator or bugmenot?

Re:Well...

[Jobe_br]

... for good

Really? How about a simple email to support, or a form in your app that allows them to setup a username/password in the event that happens? Doesn't seem like that's a big deal. And you've determined its undesirable for your users, assuming that its more desirable for them to setup yet another login that they need to store/remember for your site.

Adding yet another account to the difficulty of keeping all their accounts secure. If a user wants to be security conscious and change their account passwords regularly, you've made it that much more difficult for them to do that.

But, its your site, your app, that's cool. This is going to become a bigger deal, though ... I think so at least (and we're all entitled to our opinions, eh? :)

Cheers and thanks for responding!

Re:Well...

[gronofer]

Really? How about a simple email to support, or a form in your app that allows them to setup a username/password in the event that happens? Doesn't seem like that's a big deal. And you've determined its undesirable for your users, assuming that its more desirable for them to setup yet another login that they need to store/remember for your site.

I don't think it would be very secure, if anybody can request a new username/password for an account. Why bother with passwords at all?

I don't find it very desirable to set up yet another login. In fact I was hoping to avoid the need to code a username/password system at all, and rely completely on OpenID. However it was the thought of having to use a 3rd party authentication system, even for my own login to my own site, that made me reconsider. Sites on the Internet come and go, and OpenID itself may fall into disuse some day.

If I also have to set up my own login system, as backup for OpenID, then supporting OpenID doesn't save any work after all.

Re:Well...

[Jobe_br]

You would have other information from your customer (payment?), and it wouldn't have to be automated, you could use a support email address, so really, security is a non-issue for that.

And read your post again ... you're still talking about everything except that OpenID is a benefit to your customer.

if you "improve" the standard

[circletimessquare]

in such a way that you break interoperability, you've effectively negated the value of your "improvements"

maintaining interoperability is not something that has to be an active policy matter. it maintains itself out of inertia. the network effect

no one wants to use a standard which means you have broken contact with the vast majority of users

Re:Like Microsoft's Passport,

[Tony+Hoyle]

Any security system that can't handle someone looking at the code only has the illusion of security and should be junked - ssh has had people looking at it for years and is still considered secure. So has kerberos.. so much so that Microsoft used it as the base for active directory.

You do know that pretty much every proprietary package out there goes out with a license that says the producer has *no* liability if it fails? The 'who to blame' argument is utterly bogus. You want things fixed, and fixed fast, not messing about trying to point fingers.

Kind of funny with

[ericrost]

the story two up.

Isn't this a single point of failure to steal your entire online identity (which in my particular case might be just as bad as stealing my offline identity)?

How is this a good idea. One signin that (if I implemented this on my local machines) would allow access to not only my VPN, mailserver, web server, but also my bank account, mortgage, and any other personal details that are stored in any publically accessible server?

Seems like a bad idea to me, and I'm a F/LOSS advocate. I just like distributed points of failure in any design (as an engineer).

Re:Kind of funny with

[swimmar132]

then create multiple openids? one for each category of safety that you need?

i.e. one for facebook/myspace/blogging/flickr/etc, and another for banking information.

Re:Kind of funny with

[Tony+Hoyle]

If you're going to do that WTF is the point of openid?

Re:Kind of funny with

[ericrost]

Well, I see the point that you could manage facebook/myspace/livejournal/yahoo.... with one openID, still a reduction there, then your cc's/bank/mortgage... with another. This is why I ask these questions. Use it for reduction in uneccessary duplication, but leave duplication where necessary. Thanks GP for the reply! :)

Re:Kind of funny with

[Tony+Hoyle]

A lot of people do that anyway for low priority accounts.. so you don't really gain.

There's no way my bank, cc, etc. details would be on openID - I trust my bank and my bank alone with those details.

Re:Kind of funny with

[Goaway]

Isn't this a single point of failure to steal your entire online identity No.

How is this a good idea. One signin that (if I implemented this on my local machines) would allow access to not only my VPN, mailserver, web server, but also my bank account, mortgage, and any other personal details that are stored in any publically accessible server? That is a very bad idea, which is why OpenID is none of that.

Re:Kind of funny with

[Xtifr]

Creating a handful of accounts based on roles is still a big win over creating a separate account for each and every service you might need. Having five accounts is more trouble than one, but a lot less than having fifty. So, basically, you can dial up the level of consolidation/complication you need.

A lot of people like to keep their work and personal lives separate, so, at a bare minimum, a lot of people will want at least two sign-ons.

Re:Kind of funny with

[Tony+Hoyle]

Explain why it's 'none' of that.

Sure, nobody with intelligence higher than a rabbit would implement it on something secure like a VPN, and banks have much better systems in place already.. but he was only giving examples. The amount of damage someone could do just posting on websites or blogs under your name is huge.. carreer ending, even.

Re:Kind of funny with

[ericrost]

And have you done a security audit of your bank (and your bank alone) to determine if they are handling those details correctly? What would your recourse be if your bank lost or had those details stolen?

I'd trust a general purpose security organization to be:

1. More transparently and honestly audited on a regular basis.
2. More accountable in case of loss.
3. More careful in general about it since its their core competency.

Re:Kind of funny with

[ericrost]

Heck the amount of damage !I! do to my online identity posting as myself is huge, I would hate to think what someone else would be able to do... wait, maybe I should let others post as me, it could do my career some good /sarcasm.

Re:Kind of funny with

[CodeShark]

I think you miss the point of an OpenID in active use.

Basically what the framework does is to let me -- by my choice of OpenID providers (or if I become one) to basically have a trusted source that basically says "the person using this account has been authenticated by OpenID provider XYZ. I don't have my provider set up (via the PHP implementation) yet, but when it is operational, what I can do is connect to other OpenID enabled sites that accept provider URLs (the relying parties) and never type a plain text password, etc. into their site, as (to my knowledge, which is not great at this point but I am studying it now) the authentication takes place at the header level and is or at least can be encoded. The authentication itself doesn't contain anything about my online identity, so there's really nothing to steal.

Re:Kind of funny with

[mdwh2]

Isn't this a single point of failure to steal your entire online identity

In the same way that a single email account is a single point of failure.

Lots of people do fine with just one email account. Some have a few email accounts for different purposes. I know no one who has an email account at every single email provider they want to send to...

I wouldn't use OpenID for banking. But if someone hacking my LiveJournal also means they can post to Slashdot as me (if it supported OpenID), then - I don't think that's quite comparable to stealing one's identity.

Re:Quite possibly

[benjymouse]

Talking about FUD, it seems you are the guilty one here. here is some facts for you: 1) Passport has nothing to do with CardSpace. 2) CardSpace does not rely on Active Directory. Totally false FUD. CardSpace (as implemented in IE) insists on using a seperate "desktop" to avoid potential spoofing when you decide which card to "hand over". The "cards" are NOT kept in AD. Plugins exists for FF as well. 3) CardSpace is a totally open protocol which - unlike OpenID - ensures your anonymity across websites. 4) CardSpace is compatible with OpenID. It is not a competing technology; they complement eachother. In other words your CardSpace card can be OpenID based; it all about the "claims" part. Kim Cameron actually wrote the "laws of identity". Before being hired by Microsoft. Have you read them? Do you disgagree with any of them. Do you feel they are incomplete? Part of spreading FUD is playing on uncertainty by not being concrete in critisism. That way you can avoid rebuttals. What is your problem with that #7 item here? Please?

How openID works

[Hal+The+Computer]

You don't understand how openID works. There is no central database, if you try to login to site.example.org, you give it your username, it redirects you to your provider's website (e.g. openid.yahoo.com), where you authenticate. The provider then sends you back to the original website. Your password is safe as long as you don't fall for a phishing attempt and as long as your provider (yahoo) doesn't screw up.

A more detailed explanation is available.

Re:How openID works

[Tony+Hoyle]

"as long as you don't fall for a phishing attempt"

That's a big if. People fall for them every day.. now you're saying that they should be encouraged to have the same password for multiple sites *and* expect any site they access to redirect somewhere else to enter your details, that looks a bit like the yahoo/aol page.

Re:How openID works

[Hal+The+Computer]

Which is completely irrelevant to your original point. You don't need to opt out of openID, just don't use it if you don't want to.

There are many good ways to fix the problems with passwords. A shared secret (e.g. an image or a sentence) that your provider only shows to you (several banks do this, I'm not aware of an openID provider which does).

Or you can remove the password entirely. There are providers that use client-side SSL certs (my choice), one time passwords or "click on the correct picture(s)" in order to log on. All of which might not work. You can only do so much to protect people from themselves. If they run programs they receive by email, all bet's are off.

Of course, your entire argument assumes that people have different passwords for different sites, yet fall for phishing attempts which don't reveal the important passwords.

Re:How openID works

[mdwh2]

now you're saying that they should be encouraged to have the same password for multiple sites

No, you use the same account for multiple sites. Not the same password for multiple sites. Just like I use the same email account for multiple people.

Before OpenID, the situation for websites was as if you needed a different email account for every different email provider where there was someone you wanted to contact. So in order to email someone at gmail, I'd need a gmail account; to email someone at yahoo, I'd need a yahoo account.

Then imagine someone proposes a revolutionary idea where people with gmail accounts can email people at yahoo. You are the person going "But but, now my password will be used for multiple sites! If someone gets my single email password, they'll be able to email anyone at both yahoo and gmail and elsewhere!"

Now I don't know about you, but I'd rather have a single email account, and just make sure I keep that _single_ password and _single_ account safe.

Where are the websites?

[shabble]

Ok - so now we've got some more big names to supply the credentials - where are all the big names actually using the credentials to log into their websites?

Can I use OpenID, say, to log into Slashdot? Yahoo? AOL? Google?

Re:Where are the websites?

[Tony+Hoyle]

Can't see google doing it - they have their own system across all the sites that they own. Wasn't too happy with that either (my google account isn't my blogger account FFS!) but had to live with it.

Re:Where are the websites?

[flink]

Can't see google doing it - they have their own system across all the sites that they own. Wasn't too happy with that either (my google account isn't my blogger account FFS!) but had to live with it.

I don't use Blogger, but when I went to their join page, it let me sign in with my Google account, so for new accounts anyway, it seems they are the same.

Also, as of January, Blogger is an OpenID provider.

So Google has in effect already done it, you just have to go through the hassle of creating a Blogger blog using your Google id and enable OpenID in your Blogger preferences. At that point, you should be able to use your Google account as an OpenID with Blogger as the ID provider.

Re:Quite possibly

[quantumplacet]

Yea, I was wondering if I was missing something there. I read the article and all the comments in the gp link, and basically I see Kim Cameron trying to explain what seem like some pretty reasonable security issues to some retard who keeps insisting that the current system is perfect because he knows how to read the address bar and certificate dialog....

Re:Microsoft passport with a new name?

[Ilgaz]

Horah! Now the FBI can track me everywhere!

MS tried OpenID like service and failed miserably because industry giants like Sun, Novell (while they were real), IBM and every privacy organisation you can imagine have put their pressure against it.

Regarding FBI and if you are American citizen or any foreigner who made someone mad enough to get court order from American court, they don't need such "sci-fi" things like OpenID. Right papers presented to some lawyers is enough.

"In the event that SourceForge becomes aware that site security is compromised or nonpublic user information has been disclosed to unrelated third parties as a result of external activity, including but not limited to external security attacks, SourceForge shall take reasonable measures which it deems appropriate, including but not limited to internal investigation and reporting, and notification to and cooperation with law enforcement authorities, notwithstanding other provisions of this Privacy Statement." (click "Privacy"

If MS "Passport" (the REAL one, not current) worked, that was the time we would get real afraid. There could be things like "Not using Windows and IE? You can't read your mail". "We use Passport service to fill your taxes, please create an account".

If people focus on such real threats rather than clueless "M$" bashing, they would see real threats every time MS innocently proposes some standard. MS Passport you see today is a dinosaur evolving to a little bird after USA law system warned "don't even try".

Re:Like Microsoft's Passport,

[Xtifr]

In addition to the excellent rebuttal offered by Tony Hoyle, I have to point out this flawed logic here:

If its Open Source [...] if any retribution if said security is broken, who's accountable? With 99% of all popular FLOSS, you can find out who's accountable by checking the public revision control, to see exactly who wrote those broken "80 lines of code." With proprietary code, you usually can't even find out what, exactly, is broken, let alone how and which lines of code are responsible. This makes FLOSS a Big Win for security apps.

In those rare cases where there isn't a public repository, it's usually because the code is a one-man operation, so again, assigning blame is pretty easy.

In the case of FLOSS binary packages, you can also start by checking the key used to sign the package; that will tell you not who's responsible, but who has volunteered to accept blame, which is not a bad place to start. Once you've got that, you can also optionally go on to check the source repository if you want to assign some more appropriate and/or specific blame.

With most proprietary software, you can't even necessarily guarantee that what you installed came from the vendor you thought it did.

And of course, with FLOSS, if you can find the problem (and it's hard to fix a problem you can't find, no matter whether the code is open or closed), you can arrange to have it fixed on the systems under your control without waiting for the vendors to get their act together to package up and publish a fixed replacement. This may be more work than it's worth for a lot of ordinary apps, but for security apps, it can be an absolutely vital feature. And for non-FLOSS (or at least, for non-source-available systems), it's not even an option.

Re:Microsoft passport with a new name?

[Tony+Hoyle]

The old MS Passport and OpenID are basically the same but instead of having one humungous database controlled by Microsoft, you have dozens of humungous databases controlled by Yahoo, AOL, Verisign, etc.

It has the same issues - each one is a point of failure that means if compromised your online identity is at risk. We do it with credit card transactions right now.. because banks have a vested interest in making sure transactions are secure - loss of confidence in online transactions would cost them millions.

To even redirect to online payment systems you have to go through some pretty rigorous security checks... Not so with openID, which anyone with a linux box and 5 minutes can start trying to ping the databases for likely IDs and passwords (you can bet that all of these databases are going to have near constant dictionary attacks against them - I see nothing in their proposal that isn't easily scriptable). This was previously unfeasable due to the sheer number of websites and accounts out there. If this takes off it'll be hacker target #1.

Re:Quite possibly

[Tony+Hoyle]

Wasn't just me then. I read comment #7 and wondered if the one he was on about had been deleted because it looked OK to me..

Re:An Incredibly Bad Idea

[Randle_Revar]

Too late, I already have one, and I find it to be very useful.

Re:Quite possibly

[Burz]

This is not about who stores identity info. Its about who controls the dominant authentication mechanism.

How 'nice' that Firefox can have Cardspace plugins added to it... too bad most will consider the lack of native Cardspace support a nuisance at best. This is a primary benefit that MS gets by moving important 'rituals' like Web logins out of the browser and into the OS (where they don't belong).

Most of the technical material I found at Microsoft dealt with Cardspace using AD via Passport and seems to be the cardinal configuration the company uses to demonstrate and instruct WRT Cardspace deployment. I'm sure there are other examples, of course.

Yahoo! Stores identity information centrally... my money is on MS keeping that model after merger, and moving the central database to AD.

---> there are techniques through which the evil site can overwrite the address bar and the status bar, so you have no idea what is going on beneath the pixels. ...

---> there are all kinds of tricks that can be played with the URL. Even when it is intact, your DNS-to-ip mapping be distorted by an attacker. Client Side Java script can cause all kinds of nice visual effects I will leave to your imagination; cross-site scripting attacks mean even if you use a certificate and land at the right site, buried frames may continue to be able to do nefarious things under your identity, and so on. These are all attacks that are seen regularly. Your recipe would leave you totally vulnerable. That's when Cameron went from insinuating https is easily attackable to baldly stating it. But he can't point to studies or examples of these attacks because they don't exist, and IMO pointing to his "ID Laws" platitudes does nothing for the argument. The attacker has no interest in throwing up a deceptive IFRAME that looks like an actual SSL warning, because... you know... they don't want to alarm the user. His assumptions about what constitutes a potentially successful attack seem pretty specious. Re-drawing the address bar?? C'mon... I'm supposed to assume that A) the system already has malware on it to manipulate the browser, and B) that IE6 swiss cheese is a suitable security benchmark for proposing new authentication standards.

I don't have any problem with Cameron's ID Laws specifically, only that they are being used to sugarcoat a security implementation from an abusive monopolist which absolutely cannot be trusted to avoid exclusionary strategies.

Do NOT move web authentication into the monopoly product!

Read the spec first

[amck]

I think you haven't grasped what this is. It Isn't like MS Passport, where one other service knows your
password and can pretend to be you. Its a protocol that anyone can implement. For example, I've implemented it
on my blog: when I login, I authenticate myself (e.g. enter my password) on my blog and it identifies
me to whatever website or service I log into.

Secondly, don't take "single sign on" too literally. You can, and are expected to, have multiple accounts,
just not the practically 'infinite number' on each web site.

Right now, I have a slashdot account, which has my name, etc. I the openid world, I might use my
openid identity "http://blog.sceal.ie/Alastair" to log into slashdot, and technorati, and gmail, etc.
None of them see my password. When I login to slashdot, it 'redirects' to blog.sceal.ie, which (does something to verify me)
and then redirects back, with a message of 'hes Alastair, ok'.
Only my website, blog.sceal.ie gets to see how I identify myself.

Now, I may also have other OpenID 'IDs', such as "openid.net/anon1234" or whatever, which I can use for
porn sites, anywhere I don't trust, etc. They don't get to see my real name, or tie me back to any other IDs.

I might also get some IDs via organisations I work for. E.g. If I work for Oracle, then I could also have an openid
"oracle.com/Alastair.McKinstry" to login to Oracle websites. When I leave Oracle, then they can get to cancel that
account.

But its called OpenID because its not based on trusting one organisation.

Re:Read the spec first

[soren100]

I think you haven't grasped what this is. It Isn't like MS Passport, where one other service knows your
password and can pretend to be you. Its a protocol that anyone can implement. I grant you that open ID sounds better than Passport, but you still have the fact that it's major companies pushing this product rather than the demand from the people. Microsoft's failed "Passport" program shows that people didn't really feel like they needed that program, even with Microsoft trying to stuff it down their throats by tying the "passport" in with MSN, Hotmail, etc.

The problem with a system like this is the issue of trust, and no one trusted Microsoft. I am sure some people are still using "passport", but it's nothing I have heard about in a long while.

First off, a single point of failure is still a single point of failure no matter how you implement it, but the second point is that the US government has been getting more and more intrusive by the month. Just a few stories below this one on the front page of Slashdot is a story about US border agents copying data off equipment going across the border and insisting that it is their right to do so. (All in the name of "protecting" you, of course). A few stories above this one is a story about the RIAA thinking it's not enough that AT&T is going to try to scan the entire internet for copyright violations, they want to put a filter right on your PC so you can't use encryption to get around the internet filter.

So once this single point of failure becomes widespread, then it would be trivial to make a law requiring all Open ID servers to authenticate to a government server -- you know, to "protect the children" from online stalkers, or stop "terrorists" from entering Second Life. It sounds ridiculous, but so is requiring a government ID to buy cold medicine (again, it's only for your own protection). Once you get enough big corporations signed on and enough people using this, then you can start requiring everyone sending email to authenticate to one of their servers to stop the spam problem, for example. Then your own little authentication server would suddenly not be good enough.

So even though it sounds ridiculous, there are plenty of precedents. When the Social Security card was introduced, everyone swore up and down that it would only be for getting benefits, that it would never ever ever be a national ID number. Of course, now you can't rent an apartment, buy a house, get utilities turned on at your residence, or get a cell phone without using that national identification number for authentication. Most of your transactions through credit or debit cards are also attached to that national identification number. You would think it's ridiculous that the US government says that it is worried that people might be conducting "terrorist activities" in Second Life, but it's true.

Getting back to the issue of trust, once the US government decides it needs to "trust" any authentication server "just to be sure you're not a pedophile or a terrorist", the frog is cooked. You might think it's paranoid not to trust a system like this, but large corporations (RIAA, AT&T, etc) and your own government are showing extreme levels of paranoia about your online activities right now, and the corporations have shown that they are very willing to sell your rights and privacies for a buck (or go to prison like the Qwest CEO if they refuse). So go ahead and trust these organizations that don't trust you -- but if you want to see how this is likely to end up, just go ahead and try to do anything important in your life without using your SSN as a national identification number. This system will only be "open" as long as it takes to get everyone to use it. If you still don't believe me, go try to buy real cold medicine without using any ID connected to your SSN.

Re:Read the spec first

[amck]

I've never had any problems buying cold medicine without ID, but then, I'm Irish, not American. (Hint: .ie = Ireland).
The only 'single point of failure' here is the protocol, which has been studied. Examine it for weaknesses.
Same problem as for, eg. SSL. Are you advocating multiple protocols?

Govt insisting on one trackable OpenID: yes it is rediculous. You need to think the protocol through.
I connect to a website https://www.foo.ie./ Do something. Then I connect to https://www.bar.com/
foo.com and bar.com may communicate, using encrypted comms.
For the (US) govt to even know that some OpenID is involved means reading all the encrypted communications.
Insisting that the openid I have at foo.ie authenticate against a govt server', how?
foo.com is my server in Ireland. No jurisdiction.

Not only can you get plenty of openid accounts outside the US (or wherever), any attempt to enforce one
openid will backfire. The protocol specifically allows sites to reject 'valid' openids.
Just because you have a valid openid 'gov.us/John.Smith' doesn't mean it will be accepted by my website:
I can reject you saying "Please get a non-government ID; free IDs available at https://overseas.com/"

And I will do so. I am not beholden to the US government, and neither is the internet.

When will the big players accept other's OpenIDs?

[harlows_monkeys]

I've got at least two or three OpenIDs now. One I paid for (actually an i-name, but those work as OpenIDs in OpenID 2), and one for free from AOL because I have an AIM account. Yahoo will give me one because I have a Yahoo account.

OK, that's nice. But how do I get Yahoo to accept my i-name or my AIM OpenID? On Yahoo's OpenID setup page, I only see options for creating my Yahoo OpenID.

I'm not going to count the big players as embracing OpenID until I can tie any one of my existing OpenIDs to my account.

Now if only Livejournal would actually use openid!

[textureglitch]

Seriously.

We've been waiting for over two years for Livejournal to let OpenID accounts be linked to your existing LJ account. How the hell can you take someone seriously who is trying to push an idea on everybody else that they won't even implement themselves?

OpenID Myspace (for example) Proxy?

[holomorph]

I'm going to use myspace as an example here of a site which does not support OpedID (last I checked), but this is applicable to many others:

I have a friend who has his blog on his myspace page, which I like to read; I would like to post comments, but I can't do that without a myspace account, but I really *don't* want to sign up for myspace just so I can post on his blog. My idea is, assuming myspace is not going to start supporting openID posting any time soon, what if there were a site/service which would sign up for a myspace account, and then I could use my openID to sign in there and post on my friend's blog through that services account. This same account would be "shared" by anyone who wants to post using their openID account instead of signing up for an account on myspace just to post a comment on a blog. The "proxy" comment would have to be posted by the service of course, with something indicating the openID of the poster.

I'm sure someone can think of a reason why this is a terrible idea and could never work, but it would sure be nice and maybe would encourage such sites to support openID postings directly.

Re:Quite possibly

[benjymouse]

So, you want to see an actual example of a site with a seemingly perfectly valid SSL certificate but still sporting an exploit? Look no further than here: http://news.netcraft.com/archives/2008/01/08/italian_banks_xss_opportunity_seized_by_fraudsters.html. This is just a recent example.

This one example totally defeats all of your "security checks". And it is in the wild. You will of course claim that this particular attack was made possible by two factors: A XSS vuln at the banks website and users clicking on a link in an email sent to them. But the domain of that link was the banks domain. The XSS script was obfuscated. Once you arrived at the page everything seemed OK: There's a https:/// at the front of the url, and the domain name is in fact the banks own domain name. Is the bank to blame? yes! Should anyone follow a link sent to them in an email? no! Did it succeed in having users giving up their details? you bet!

Incidently you don't "throw up a deceptive IFRAME". Iframes are embedded into the actual html. You can't tell it is there. Your address bar only tells you about the "parent" page. If the actual form lives inside an iframe - possibly generated by a XSS vulnerability like in this example, validating the URI means s***.

I really don't know which articles you've read on CardSpace. Do you only read the headlines and when CardSpace and Passport are mentioned together you assume that they are one and the same or that they are intrinsically linked?

Instead of FUDing (referring to "articles" without any concrete references) maybe you would like to point out what the problem with CardSpace is? I mean, apart from the fact that it originated from Microsoft which obviously is very disturbing to you.

Let me summarize CardSpace for you:

1. CardSpace is a de-centralized, open protocol based on XML. This is totally opposite Passport (although some Passport driven sites now allow you to use CardSpace as well).
2. CardSpace does not mandate any specific credential store. Not AD, not LDAP or anything. It is a procotol. If you have evidence to the contrary, please share it.
3. The client need not use AD or Windows or any other MS technology. IE on XP with .NET Framework 3.0 and on Vista already sports an AD free CardSpace card store.
4. The server/site (relying party) need not use AD or Windows or any other MS technology. There is even a proprosal for inclusion of CardSpace support into Zend Framework for PHP: http://framework.zend.com/wiki/display/ZFPROP/Zend_CardSpace. Google for more projects.
5. The (if one is used) issuing party need not use AD or Windows or any other MS technology.
6. Microsoft does not have a central authority. Microsoft is never in on the authentication (unless you authorize at a Microsoft site, of course).
7. I can make any number of "self-issued" cards, in which case there will be only two parties involved in the authentication; unlike OpenID id I may add.
8. Even if I use the same card against multiple sites, they don't get an identifier with which to compare my behavior across the sites. Unless of course my card includes something personally identifiable such as a unique email addy. But they don't need my email and I may question the site why the assert that claim.
9. CardSpace cards contain "claims", such as email adresses, names, etc. Some card you can issue yourself. But the relying party can demand that some cards are signed by a mutually trusted authority, like a bank or creditcard company. This could potentially spell the end (good thing) of handing out CC numbers on the 'net. The relying party can assert a (signed) claim that the bank accepts a withdrawal of a certain amount of $$ for a transaction. The shop never "sees" the CC#, merely a "signed"

Re:That makes THREE accounts, no? Not one.

[MatB]

When I comment here, I comment with my Slashdot username, and if I switch PCs I have to reset the password (again) as I always do forget my password here. When I comment on a Typepad blog, I used to have to use my Typekey. On Blogger, my Blogger username. Now I can use my OpenID for everything except here, and you can comment on my Livejournal (if you wanted) using one of your OpenIDs. I have several different IDs, some are embedded into the headers of my sites so I can use my sites rather than my LJ if I want to, depending on context.

Biggest advantage for blogging (which is what initially inspired Brad) is that when I comment with my OpenID, the people reading it, including the blogger, know it's me, not someone pretending to be me by putting my details into the name/email/site address fields that a lot of blogs allow. Not an issue for many, but I've seen dodgy sock puppeting, I've even seen a British MP try to pretend to be someone else and forget to switch logins (that was a fun one).

In fields of online commenting where who you're talking to actually matters, OpenID is a way of me proving I am me, the owner of domain X, and not just some random claiming to be me.

In terms of developers, creating your own authenticationmethod is useful. I don't develope, I install, manage and use, for me, it's irrelevent, but it means I've got choices of implementation depending on what I or a client needs.

In terms of an end user, the client side login is currently not as available--LJ allows it, it can be used with some MEdiaWiki powered sites, Wordpress and Movable Type can allow it (when I recode some of my sites then you'll need to login with either an OpenID or a site registration), and some services, such as Technorati and LoudTwitter make good use of it already. But LJ has the best implementation, and that's barely finished.

Currently, it's not quite ready yet for mass consumer use, but with this, it means it will be. And then you'll be able to comment on a huge number of sites using just one identity. And Taco will be able to comment in places using his /. profile address, and if he comments on my site, I'll know it's him, not someone pretending (unless his account gets hacked that is).
===
Consumer use. When I comment on a site that allows me to use OpenID, I type my ID into the field. My browser now takes me to my ID site, which asks me to confirm that I want to give the info being asked for. I click yes, it takes me back to the initial site and I'm logged in. There will be support for it embedded within Fx and IE soon (I'm told), and you can choose to allow or disallow any sites you wish.

You want one account? That should be an option, but it'll depend on the sites you want to log into seeing it as a benefit and allowing it. I push for it, and others that like it do, and some sites find it useful. Whether it'll take off for the consumer end? We'll see, but the prognosis is good.

Netcraft confirms it

[Burz]

Incidently you don't "throw up a deceptive IFRAME". Iframes are embedded into the actual html. You can't tell it is there. Your address bar only tells you about the "parent" page. No dice:

The browser invariably knows when a portion of the page has been fetched from a third party. The lock is crossed-out, and that would have also come with a warning dialog (which I have personally experienced on several occasions).

The Netcraft article is sloppy reporting, as it omits mention of any warning dialogs. The author makes a common assumption that the user will actively continue with a compromised connection instead of canceling it... using that assumption, Cardspace can do no better unless it refuses to connect unconditionally (which is no more than a matter of default browser policy anyway, and not an inherent flaw of authenticating in-browser).

As I said in the BB comments, the user has to check for A) presence of lock, B) correct domain spelling, C) absence of cert warnings. All three. XSS attacks fail two of those and only an elitist would assume that people can't learn to complete that simple ritual... what a shame virtually no one in IT makes any effort to explain it. But then there is copious proof that IT is currently dominated by combination of ineptitude and short-sighted greed that's resulted in so much of our sensitive details being spilled across the net (and they want to build us a new bridge).

It is possible that Cameron didn't provide such XSS examples because he knew they didn't really apply, especially after I'd already stated the proper steps for the browser authentication ritual. I also stated that implementation flaws were no justification either, which I'm sure he also accepted unless he believes that OpenID-related tools are a new breed of software without coding errors.

Here is another Cameron quote:

Burz, the lock symbol can be painted on your screen by a sufficiently cogent attacker. The certificate dialog can be faked - how would you know the difference? "Sufficiently cogent" how? Enough to run his code natively on my system, interfering with the browser's internals? Oh but surely the Cardspace code would be immune... LOL

Slashdot support?

[Eravnrekaree]

Why doesnt slashdot support this already? I like the idea of having one login, It is really getting insane trying to keep track of a gazillion logins for all these different services. OpenID would be a lot safer as well than giving each service the same password.

OpenID != Single Point Of Failure

[radimvice]

OK, far too many comments have made criticisms of OpenID claiming that since it gives you the ability to have a single sign-on it is a bad idea because it gives your identity a single point of failure. This is a blatantly false argument.

OpenID != single point of failure. You can easily go right ahead and use multiple OpenID authentication identities, multiple OpenID providers even, to manage your multiple accounts. You can manage a separate identity for each individual site just as easily as you currently manage a different username and password for each individual site. Except the thing is, nobody will want to bother to micromanage their authentication for every single service anymore, when it's simply not necessary.

Server-side account logins REQUIRE you to place blind trust in the security of their system. This means that if their server gets hacked, any data you shared with them is up for grabs, and there's nothing you can do about it but complain.

You're placing trust not only in the security of that one authenticated identity, but also in the security of any other identities that might be even remotely associated with it - including other sites you might have used the same login/password for, your e-mail address (if a password reminder/reset function is provided), your browser (stored passwords), or even your own birthdate/social security/mother's maiden name (for sites that let you re-authenticate through 'private' questions).

OpenID is inherently more secure because it lets YOU control the method of every single authentication, whether you choose to control just one ID or manage many, and manage your own network of security without being forced to introduce a new possibly weak link (or the inconvenience of yet another password to keep track of) into your system every time you want to authenticate with someone different.

I really hope that the OpenID crew works harder on clearing up this confusion, since if the Slashdot consensus can't even get it right, I really can't imagine that all of the other AOL/Google/Yahoo/etc users will ever even come close.

Anonymity is a great new feature.

[emj]

[You authenicate with] https://me.yahoo.com/text-of-your-choosing. There's even a new feature in OpenID 2.0 that lets you just pick "Yahoo.com" so you don't have to enter anything at all relating to you on the other site.

Yeah that's good, I didn't like that sites used my URL as a nick name for me when I logged with OpenID sometime ago. But it was really easy to set up and use, I mean just being able to log in with a small URL is a great thing.