Slashdot Mirror


MySpace Joins OpenID Coalition

the4thdimension writes "MySpace has joined a coalition of other big-name e-services in support of OpenID. If you aren't familiar with the OpenID coalition, they are a group that seeks to allow users to create a single account/password set to be used on a number of services. Such services already signed up include: Google's Blogger, Wordpress, AOL, Yahoo, Vox, LiveJournal, and others." Reader gbjbaanb adds a link to the BBC's coverage and points out that MySpace's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use, writing: "Initially support is to use MySpace OpenIDs as providers only — i.e. you cannot log on to MySpace with an OpenID created elsewhere, but that policy will change in the future. This should help to make OpenID the de-facto login mechanism for the Internet; now if only Microsoft would support it, there are plenty of OSS OpenID libraries available."

11 of 272 comments

  1. Re:Anonymous SSO? by thrillseeker · Score: 5, Informative

    The OpenID protocol allows you to limit the information given to the system you're logging into to a minimum of "authenticated" - that is, no additional information such as a (verified) email address is passed, though one is still required for an OpenID account establishment. It's up to the requesting system whether that minimal information is sufficient. Of course, your IP address can still be captured unless you use an anonymizing proxy.

  2. Re:Problem by Anonymous Coward · Score: 5, Informative

    So pick an OpenID provider that uses something more secure than a single password. There are providers that use hardware tokens, OTPs, etc.

  3. Re:Defeat the purpose? by ohtani · Score: 3, Informative

    You completely misunderstood the article and the concept of OpenID.

    The first thing you missed was the first word of the sentence: Initially. Right now they're getting off the ground. Development and testing takes time. It is much much easier to be an OpenID provider than it is to be an OpenID consumer. Which brings me to the other point: The brief idea of how OpenID works.

    OpenID works in a way similar to a friend of yours trusting some of your friends. One site which you already have login authentication for (e.g., MySpace) allows you to log in to other sites which support OpenID as a method of authentication. So if I had a user account on MySpace named ohtani, I would log in to another site as www.myspace.com/ohtani. I am then redirected to the MySpace website to log in if I am not already logged in, and asked to accept that MySpace can pass on the credentials to the site I'm logging in to. That link is then established and the OpenID-supporting site marks me as authenticated as the MySpace user.

    This is where it gets tricky for places like MySpace: Say I used Yahoo! as an OpenID provider. Or even my own website (which currently does indeed allow me to log in with OpenID elsewhere). MySpace can't exactly have a user like me log in to their service as my website and edit my profile. They have to have some form of a mechanism for creating the user at that point if that OpenID name has never been seen. But the user name used (the OpenID URI) is, well, odd for MySpace. So they'd probably ask one to choose a MySpace user name that would map to it. From there, MySpace would allow one to log in to that account any time that OpenID is used for authentication. At least that's PROBABLY what will happen. Not all sites work like this. For example, LiveJournal (created by the very people who helped make OpenID) lets one log in with an OpenID, but an account with that OpenID is then created with limited functionality. Friends and comments are allowed, but no posting to your own journal.

    OpenID support doesn't require you to "create" an OpenID to use it. Your existing user ID on an OpenID provider IS your OpenID. Any site that becomes an OpenID provider is simply allowing you to use an OpenID name they specify to you (often in the form of username.domain.tld or domain.tld/username) to log in elsewhere. You do nothing but just use it elsewhere. There are popular sites supporting OpenID. There are also plug-ins for blogging software to support being an OpenID provider or consumer.

    On a different note, with OpenID becoming more and more popular, this will mean that we DO have to be careful and come up with a mechanism for anti-spam via OpenID, especially in cases where the system is more automated like LiveJournal's. Or else a spammer could simply have one domain and with that domain an infinite number of users able to log in by simply changing the OpenID slightly (e.g.: a.example.com, b.example.com, c.example.com, aa.example.com, etc.).

    --
    Pancakes. Oh I blew it.

  4. Re:Defeat the purpose? by sam0737 · Score: 2, Informative

    At least you can use OpenID to comment on a blog on Blogger.
    Setting up a WordPress with OpenID enabled is also very easy, by installing a plugin.

    It may not be looking good today, but as soon as they start seeing that supporting OpenID as a means of authentication means opening the business to potentially many more people, they will make a change someday.

  5. Re:OpenID? by phoenix.bam! · Score: 5, Informative

    I don't think you understand how OpenID works. The only way to compromise all sites is for your OpenID provider to be compromised. You only provide 3rd party sites with a URL which points to your OpenID provider. You are forwarded to your OpenID provider (the SSL cert verifies to you that the provider is legit). You enter your credentials to the OpenID provider, who then sends over a back channel that you are verified back to the 3rd party site. At no time does the 3rd party site have any of your authentication credentials and therefore cannot access anything on other sites which you use that OpenID account for.

  6. Re:One Password to Rob Them All by Jellybob · Score: 4, Informative

    Good security doesn't even let the other party know your cleartext password, or access your account with them without it. But I don't see how OpenID will do anything like that.

    Maybe you should try reading the spec then, since that's exactly what it's designed to do.

    The only place that gets your plain text password is your OpenID provider, and whenever you try to log in to another site using OpenID, you get redirected to your provider's site, where:

    1) If you don't already have a session open, you log in, and then go to 2.

    2) You get asked if you really want to log in on the client site, and if so, what information you want to let them have (usually anything from "nothing at all" to "everything", or a combination of them).

    This way the only site you need to implicitly trust is the OpenID provider - which if you choose can be on your own server, running your own code, with whatever means of authentication you like.

    If you're feeling really paranoid you could even have it send you a text message, or electrocute your balls, every time someone logs in with your credentials, so that even if someone does get them you'll know as soon as they try to use it, and can disable or change them.
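
    The provider-to-site handoff that comments 5 and 6 describe, as an added example that is not part of any post on this page: a constructed OpenID 2.0 positive assertion signed by the provider with the MAC key of a pre-established association, and the checks a relying party runs before trusting it (signature over the signed fields, return_to and endpoint match, nonce freshness and replay rejection). All hosts, handles and keys are made up.

```python
import base64, calendar, hashlib, hmac, time
# Constructed values; a real association negotiates the MAC key with the provider (e.g. via Diffie-Hellman).
ASSOC_HANDLE = "assoc-constructed-1"
MAC_KEY = bytes(range(32))
OP_ENDPOINT = "https://op.example/server"          # hypothetical provider endpoint
RP_RETURN_TO = "https://rp.example/openid/return"  # hypothetical relying-party URL
SEEN_NONCES = set()  # RP-side replay cache: a response_nonce is accepted once only

def sign(fields, signed, key):
    # OpenID 2.0 signs "key:value\n" per name in openid.signed, in order, prefix "openid." stripped; HMAC-SHA256 here.
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()
    return base64.b64encode(hmac.new(key, kv, hashlib.sha256).digest()).decode()

def op_assertion(claimed_id, nonce, key=MAC_KEY):
    """Positive assertion the provider sends back through the user's browser after consent."""
    signed = ["op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"]
    f = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
         "openid.op_endpoint": OP_ENDPOINT, "openid.return_to": RP_RETURN_TO,
         "openid.response_nonce": nonce, "openid.assoc_handle": ASSOC_HANDLE,
         "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
         "openid.signed": ",".join(signed)}
    f["openid.sig"] = sign(f, signed, key)
    return f

def rp_verify(f, now=None, max_skew=300):
    """Return the authenticated claimed_id, or None if the relying party must reject it."""
    now = time.time() if now is None else now
    if f.get("openid.mode") != "id_res" or f.get("openid.assoc_handle") != ASSOC_HANDLE:
        return None
    signed = f.get("openid.signed", "").split(",")
    # Every field the decision depends on must be covered by the signature.
    if not {"op_endpoint", "return_to", "response_nonce", "claimed_id"} <= set(signed):
        return None
    try:
        expected = sign(f, signed, MAC_KEY)
    except KeyError:  # a field listed in openid.signed is missing from the message
        return None
    if not hmac.compare_digest(expected, f.get("openid.sig", "")):
        return None
    if f["openid.return_to"] != RP_RETURN_TO or f["openid.op_endpoint"] != OP_ENDPOINT:
        return None
    nonce = f["openid.response_nonce"]  # "YYYY-MM-DDThh:mm:ssZ" plus a unique suffix
    try:
        ts = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return None
    if abs(now - ts) > max_skew or nonce in SEEN_NONCES:  # stale or replayed
        return None
    SEEN_NONCES.add(nonce)
    return f["openid.claimed_id"]
```

    Without an association the relying party would instead send the assertion to the provider's endpoint in a direct check_authentication request; the return_to and nonce checks stay the same.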

  7. Re:DO NOT WANT by Anonymous Coward · Score: 1, Informative

    There are some websites/services I just plain old don't trust with some or all elements of my real information.

    So don't. Part of OpenID is that you can see exactly what information the relying site wants, and decide whether or not to give it to the site. Some providers also let you create and use multiple profiles to choose from too, so you can choose exactly what address or whatever they see (if any). There's no loss of control for the user here.

    And if only ONE of those websites is compromised, my login is now compromised across the board, and I can have impersonators using my login with websites/services I've never had any involvement or perhaps even knowledge of.

    No, that's not how it works. The sites you log into aren't involved with your authentication process, so they can't give up your credentials no matter how badly they get owned. They could give up whatever personal information you chose to let your provider give them, but that's no different than the way it is now.

  8. Re:Defeat the purpose? by kurtmckee · Score: 1, Informative

    OpenID works thusly: You tell a site that you are "JimBob" of "random URL".

    Wrong. You tell a site "I am in control of random URL". That's it. That's all. OpenID only does authentication, not identification, and its authentication is based solely on control over a particular URL.

  9. Re:Defeat the purpose? by Chyeld · Score: 3, Informative

    Actually no.

    You do tell them you are "JimBob". More than one person may rely on "random URL" for their ID, similar to "JimBob" of Yahoo.com.

    You are not asserting that you have control over anything; if you do it properly then you should have control over "random URL" to the point where you can change who is providing the authentication, but it is not necessary for the schematic. Otherwise Yahoo et al. would not be providers.

    I suggest glancing over the specs for authentication: Version 2 or Version 1, for clarity.

  10. Re:Defeat the purpose? by caffeinemessiah · Score: 2, Informative

    It's sad, and makes baby Stallman cry.

    For anyone who's actually SEEN Stallman, this is the funniest quote ever. For those who haven't, here.

    --
    An old-timer with old-timey ideas.

  11. Re:Anonymous SSO? by Aero+Leviathan · Score: 2, Informative

    Nothing about the OpenID spec requires an e-mail address, or even a password: http://www.jkg.in/openid/

    --
    ~ Aero