Slashdot Mirror


Microsoft Joins the OpenID Foundation

wertigon writes "Windows Live ID just became yet another OpenID-provider. While the cynical me wonders how long it'll be before Microsoft transforms OpenID to something proprietary, they have undoubtedly put even more weight behind the OpenID initiative. So, how long before I can use my OpenID to post on Slashdot?" Patches are always welcome, wertigon ;)

142 comments

  1. Color Me Confused by eldavojohn · · Score: 5, Informative

    Microsoft Joins the OpenID Foundation

    What a joke.

    Windows Live ID just became yet another OpenID-provider.

    True.

    they have undoubtedly put even more weight behind the OpenID initiative.

    False.

    So, how long before I can use my OpenID to post on Slashdot?

    Oh poor poor wertigon. You won't even be able to log into MS Live with it. I can go to wordpress, verisign, aol and all that jazz and login with my OpenID. I can go to sites listed as OpenID and login when I've never even been there before. Yet, when I go to the page that Microsoft lists for Live, I can't. Why is this? Because they're only providing IDs, not accepting other OpenIDs.

    You will soon be able to use your Windows Live ID account to sign in to any OpenID Web site!

    That's it. That's all you get. No future plans are listed to accept OpenID accounts either.

    OpenID's mission is to have one single login for every single website out there. So far, it was doing great. Now, I want to check my hotmail with my (pre-existing) OpenID. No luck. Unless you start at Windows Live and move to the rest of the OpenID sites, you are no closer to achieving OpenID's goal and vision. This is a ridiculous mangling of a great idea.

    When Microsoft fully supports it--when they both accept and provide IDs--that's when I'll agree with this headline. Microsoft should be implementing a way to associate your Live ID with your OpenID and use your OpenID to login to Live. But they aren't & I doubt they ever will.

    --
    My work here is dung.
    1. Re:Color Me Confused by Leynos · · Score: 4, Insightful

      This is still a useful development. I can now allow MSN Messenger-using friends to read my friends-only livejournal posts without having to ask them to sign up for LiveJournal or OpenID (which most people outside of geekdom will not have heard of).

      --
      "Did you exchange a walk on part in the war for a lead role in a cage?"
    2. Re:Color Me Confused by Anonymous Coward · · Score: 5, Informative

      A lot of OpenID participants are provider only. Microsoft isn't helping the problem, but they aren't worse than a lot of other companies in this regard.

    3. Re:Color Me Confused by Zebedeu · · Score: 5, Insightful

      Exactly, and this half-functionality is why this move undermines OpenID and what it stands for.

      You see, OpenID still works, but it works *better* if you use Microsoft's version. Soon enough you'll find that everyone's reaching for those MS ids just to remain compatible, and MS will get what they couldn't with their Passport scheme, or LiveId or however it's called these days.

      It's the same embrace, extend, extinguish bullshit again, and in my opinion, the community should just reject these MS-provided ids until they learn to play ball.

    4. Re:Color Me Confused by digitalunity · · Score: 1

      You put all the informative and insightful comments possible into one post you insensitive clod.

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    5. Re:Color Me Confused by HungryHobo · · Score: 5, Insightful

      I just don't get the point of this. I go to a website and there's a little note *You can use your openid here!* and I sign in with it. But wait! It was a trick, they grabbed my username and password, now they have my openid login.

      Unless I've missed the point somehow and there's some way to know if the site you're on is accredited.

    6. Re:Color Me Confused by Smelly+Jeffrey · · Score: 4, Informative

      Mod parent up!

      This question is one that appears to not yet have been raised in the OpenID security discussion. In these times of phishing attacks on OpenID this should bear heavy on the mind.

      For more information, this article is a good jumping off point.

    7. Re:Color Me Confused by Anonymous Coward · · Score: 5, Informative

      There's no accreditation. Login occurs by redirecting you back to your provider. You log in, or the provider establishes you're already logged in by means of cookies. Then your provider redirects you back, saying "yep, he's the holder of that openID".

      At no point does the accepting site get your user name and password. You can verify this by looking at your address bar. If you're still at the accepting site and they ask you for your user name and password, they're either doing it wrong or you're being phished.

    8. Re:Color Me Confused by Bizzeh · · Score: 0

      the vast majority of the planet do have a live id, as they use hotmail as their email service, or they use messenger, or some other microsoft service such as xbox live. microsoft HAVE provided a considerable weight to the openid movement in that, the single account the vast majority now have, can be used to log into anything accepting open id (of which, there are only a few i can think of, and the only two large places i can remember accepting it are sourceforge and yahoo)

    9. Re:Color Me Confused by petermgreen · · Score: 1

      The site is supposed to redirect your browser to your provider for you to perform the actual login.

      Of course you do have to pay attention to what site you are giving your password to...

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    10. Re:Color Me Confused by Stewie241 · · Score: 1

      How did they grab your password? If openid is done right, they don't need it.

    11. Re:Color Me Confused by HungryHobo · · Score: 1

      So how does it tell the site that you're you? cookies can't be seen between sites can they, IP address wouldn't be reliable. Is it just a case of sending you back with a code in your get/post request?

    12. Re:Color Me Confused by Arthur+B. · · Score: 2

      Answering your own question :)

      --
      \u262D = \u5350
    13. Re:Color Me Confused by Arancaytar · · Score: 3, Informative

      Um, duh - the way to know if you're being phished is checking the URL and the site you're on.

      With OpenID, you will never have to enter your password on any site but that of the OpenID provider. If the site you want to access asks you for your OpenID password, you're being scammed.

    14. Re:Color Me Confused by Anonymous Coward · · Score: 0

      Which planet are you talking about? And does it have any relevance to Earth?

    15. Re:Color Me Confused by Anonymous Coward · · Score: 0

      Maybe you need to use Microsoft Passport.

    16. Re:Color Me Confused by cparker15 · · Score: 2, Insightful

      "This move" is a fundamental problem with OpenID, not Microsoft specific. Everyone wants to be a provider; no one wants to be a consumer.

      Everyone? Speak for yourself. All Web-based applications that I write now accept Yadis (specifically OpenID) as an alternative/complement to traditional username/password authentication where authentication is a requirement.

      --
      Have you driven a fnord... lately?

    17. Re:Color Me Confused by Blakey+Rat · · Score: 2, Insightful

      OpenID's mission is to have one single login for every single website out there. So far, it was doing great. Now, I want to check my hotmail with my (pre-existing) OpenID. No luck. Unless you start at Windows Live and move to the rest of the OpenID sites, you are no closer to achieving OpenID's goal and vision. This is a ridiculous mangling of a great idea.

      The idea is bad in the first place. The fact that numerous large .coms are OpenID *providers* but don't accept OpenIDs from other providers is only a symptom of the problem. I started thinking about this when reading suggestions for the new StackOverflow.com programming site.

      The problem is that when you use OpenID to log in to a website, you now rely on two sites to be up and running: the OpenID provider, and the site you're logging on to. If your OpenID provider decides OpenID isn't worth their time and cancels the service, you're SOL-- there's no way to log on to the site, and any data you've put on that site is lost forever.

      There's no way to "transfer" an OpenID between different providers, nor is there any way to "combine" multiple OpenIDs into a single OpenID (for example, combining LiveJournal's and Yahoo's so you can log on to the site with either.) Without that functionality, my data is being held BOTH by the site I'm entering it into AND by Yahoo/LiveJournal/whatever.

      The top suggestion for StackOverflow.com is to allow people to enter multiple OpenIDs for a single account, in case one of their OpenID providers goes down. I pointed out that this is a terrible idea, because knowing human nature, nobody will bother to enter a second OpenID until the first fails, and once the first fails they can't authenticate to enter the second anyway. If StackOverflow.com just had its own login system, it would avoid all these OpenID-related issues.

      Don't get me wrong, OpenID is great for sites where you want to authenticate, but you won't be storing any data on the site. For example, reading an article at the New York Times. But for any application where you're storing data, tying it to OpenID is a huge mistake.

      Anyway, the saddest thing is that Microsoft's Passport lets you merge IDs, so it's actually better-implemented than OpenID.

      (P.S. I know you can buy a Dreamhost account and a domain name and become your own OpenID provider which resolves all these issues. But if you want people to use the system, you need to make it usable by normal, average human beings. OpenID isn't.)

    18. Re:Color Me Confused by Dolda2000 · · Score: 4, Informative

      Unless I've missed the point somehow and there's some way to know if the site you're on is accredited.

      You have indeed missed the point, and even more than you think. You don't enter your OpenID password on the site you're authenticating to, at all. Ever. You just enter your OpenID username, and it redirects you to your actual OpenID provider, and there you enter your password (or, even better, use the SSL certificate installed in your browser, or your Kerberos credentials, or similar) to authenticate to it. It then redirects you back to the actual site with a cryptographic cookie that verifies your identity.

      If you're worried about phishing, that's a very different issue. Certainly a real one, though, but not anything you wouldn't be subjected to anyway. And, if you authenticate with something like an SSL certificate, it won't be a problem anyway.
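
Added example, not part of the thread and not taken from any OpenID library: a relying-party check of the signed response that comments 7, 11 and 18 describe, following the OpenID 2.0 positive-assertion rules (signed fields in Key-Value Form, HMAC-SHA256 with the association key, return_to match, one-time nonce). The hosts, handle, key and nonce are constructed sample values; it assumes an association with the provider already exists and that discovery on the claimed identifier is done separately.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone

# Fields OpenID 2.0 requires the provider to cover with the signature.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def kv_form(params, signed):
    """Key-Value Form: one 'name:value' line per signed field, 'openid.' prefix dropped."""
    return "".join(f"{n}:{params['openid.' + n]}\n" for n in signed).encode("utf-8")


def sign(params, signed, mac_key):
    """HMAC-SHA256 over the Key-Value Form, base64-encoded (the openid.sig value)."""
    digest = hmac.new(mac_key, kv_form(params, signed), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_assertion(params, associations, expected_return_to, seen_nonces, now, max_skew=300):
    """Return the claimed identifier if the assertion checks out, else raise ValueError."""
    if params.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")

    # The signature must cover every security-relevant field, or an
    # attacker could swap an unsigned one (for example the identifier).
    signed = params.get("openid.signed", "").split(",")
    required = set(REQUIRED_SIGNED)
    if "openid.claimed_id" in params:
        required |= {"claimed_id", "identity"}
    if not required <= set(signed):
        raise ValueError("required field not covered by signature")
    if any("openid." + n not in params for n in signed):
        raise ValueError("signed field missing from response")

    # The response must be addressed to this site, not replayed from another one.
    if params["openid.return_to"] != expected_return_to:
        raise ValueError("return_to mismatch")

    # Look up the shared MAC key agreed with this provider earlier.
    key = associations.get((params["openid.op_endpoint"], params["openid.assoc_handle"]))
    if key is None:
        raise ValueError("unknown association")
    expected_sig = sign(params, signed, key).encode("ascii")
    if not hmac.compare_digest(expected_sig, params.get("openid.sig", "").encode("utf-8")):
        raise ValueError("bad signature")

    # Nonce = UTC timestamp + unique suffix; accept it once, within a time window.
    nonce = params["openid.response_nonce"]
    try:
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        raise ValueError("malformed nonce") from None
    if abs(now - issued.timestamp()) > max_skew:
        raise ValueError("nonce outside accepted time window")
    nonce_id = (params["openid.op_endpoint"], nonce)
    if nonce_id in seen_nonces:
        raise ValueError("replayed nonce")
    seen_nonces.add(nonce_id)
    return params.get("openid.claimed_id")


# Constructed sample data: endpoint, identifiers, handle and key are made up.
OP = "https://op.example/auth"
RETURN_TO = "https://rp.example/openid/return"
MAC_KEY = b"constructed-demo-mac-key"
ASSOCIATIONS = {(OP, "demo-handle-1"): MAC_KEY}
NOW = datetime(2008, 10, 28, 12, 0, 30, tzinfo=timezone.utc).timestamp()


def sample_assertion():
    """Query parameters as the provider would append them to return_to (constructed)."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": OP,
        # claimed_id differs from identity here, as it does with delegation.
        "openid.claimed_id": "https://alice.example/",
        "openid.identity": "https://op.example/users/alice",
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": "2008-10-28T12:00:00Zq7Xk2",
        "openid.assoc_handle": "demo-handle-1",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = sign(params, params["openid.signed"].split(","), MAC_KEY)
    return params


if __name__ == "__main__":
    seen = set()
    print(verify_assertion(sample_assertion(), ASSOCIATIONS, RETURN_TO, seen, NOW))
```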

    19. Re:Color Me Confused by Anonymous Coward · · Score: 0

      Too bad nobody uses wordpress

    20. Re:Color Me Confused by GiovanniZero · · Score: 2

      That's not how openID works. When you go to login using your openID you just put in your ID and then it redirects you to your openID provider to have you login/provide authorization etc.

      --
      Mod me up, mod me down, do your worst you modding clown.
    21. Re:Color Me Confused by MindKata · · Score: 4, Insightful

      OpenID also allows more easily data mining what someone says and does on different web sites, which is a dream come true, for all data miners.

      So once most people start to use OpenID, then all governments have to do, is pass a law, either requiring them to know your OpenID, or for them to get your OpenID by any other means, and then that's all they need, to work out everything you have ever said online. OpenID is one step away from removing most anonymity on the Internet. This news fits in with the other Slashdot news today, about the Internet Human Rights PR smoke screen...
      http://it.slashdot.org/comments.pl?sid=1011555&cid=25554573

      Plus as people in power always seek power, then what they fear most, is the loss of power. So to them, finding out what people are saying is very important. (I.e. Knowledge is power). So one of the first things some of the ones in power will do, is use widespread usage of OpenID to allow them to find out every political view people post about them online.

      To big businesses and governments, OpenID isn't about convenience of easy logins. OpenID to them, is about data mining and so it makes sense Microsoft would want to play along with that goal.

      --
      There are 10 kinds of people in the world... those who understand binary and those who don't.
    22. Re:Color Me Confused by Directrix1 · · Score: 2, Informative

      It's a LiveJournal service that he wants to let his MSN using friends (the ones with the shiny new OpenIDs) use. I believe it will work, unless you are saying LiveJournal has this half-functionality also.

      --
      Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
    23. Re:Color Me Confused by ChrisA90278 · · Score: 3, Insightful

      "At no point does the accepting site get your user name and password. You can verify this by looking at your address bar."

      I bet I could get thousands of user name/password combos by putting up a web page that simply asked users to enter their user name and password. They call this "phishing". It would work.

      Using any kind of login that is shared over multiple places is always not-secure. Best practice is to compartmentalize potential damage. So that if someone figures out my password for (say) this website they can't then get into my bank account and email. If common logins do become popular then "phishing" will become very popular.

    24. Re:Color Me Confused by Anonymous Coward · · Score: 0

      Can we get +1 and -1 Paranoid mods?

    25. Re:Color Me Confused by Anonymous Coward · · Score: 0

      You're right.

      And I'm not ditching my postit with 20 passwords yet.

    26. Re:Color Me Confused by Rene+S.+Hollan · · Score: 4, Informative

      Depends on what you use the logins for. I use common logins, or at least passwords, across several sites, particularly ones I don't care too much about, and different ones for sensitive sites like banks, etc.

      So, yes, the number of logins you have should be more than one, but does not have to be as large as the number of sites you visit.

      But, to explain how OpenID, LiveID, and all such systems work without the site requesting the authentication requiring the authenticating credentials, it's like this:

      1) You authenticate with the authentication site. You get back a magic number, or some similar credential.

      2) You present this credential to the site that requests your authentication.

      3) It contacts the authentication site with it, (perhaps authenticating itself too using means like a client cert), provides the credentials you supplied, and gets back all sorts of nifty metadata about you.

      Your credentials expire after some amount of time.

      LiveID works like this for all Microsoft and Microsoft-partnered sites. And the same for OpenID.

      The issue with having Microsoft accepting OpenIDs (besides the obvious econo-political one) is likely the nature of the metadata being different between what OpenID provides and what LiveID provides (unless OpenID supports the notion of arbitrary metadata per site requesting authentication, and so could support the LiveID metadata format).

      --
      In Liberty, Rene
    27. Re:Color Me Confused by holt · · Score: 4, Informative

      My understanding is that one should set up OpenID delegation, which allows you to have a static OpenID but still use third-party providers for the authentication portion. Anyone with a web presence can do this, and it's actually preferred to hosting your own OpenID server since it shows that someone else also vouches that you are who you say you are. Here is some further reading.

    28. Re:Color Me Confused by corsendonk · · Score: 1

      And if/when some sinister DNS poisoning shows up to the party, it's gonna be big trouble. Or heck, someone simply gets hold of your master password. Oops someone just got full access to ALL your favorite websites... isn't this a major single point of failure issue or have I missed something?

    29. Re:Color Me Confused by Just+Some+Guy · · Score: 1

      Or heck, someone simply gets hold of your master password.

      How would they do that since you never give it out to anyone?

      isn't this a major single point of failure issue or have I missed something?

      Possibly, until you change your master password (or SSL cert or Kerberos key or whatever) and every website you use is instantaneously updated.

      --
      Dewey, what part of this looks like authorities should be involved?
    30. Re:Color Me Confused by Blakey+Rat · · Score: 2, Insightful

      That's getting to a solution, but it's still far too difficult for the average person to do. And, if I'm understanding correctly, it actually makes your data held by THREE servers now:

      1) The server you're trying to log into
      2) The server hosting your "delegation" page
      3) The server providing the OpenID

      Someone correct me if I'm understanding this wrong.

    31. Re:Color Me Confused by corsendonk · · Score: 1

      Well you know, when this reaches the masses out there it's only a matter of time before clueless people start writing down their OpenID master password on yellow post-it notes next to their workstation or whatever. Like the place I worked at where people would gladly hand over their password to me when something needed fixing. Not to mention clueless Joe Sixpack's keylogger & trojan infested computer... these noob user related problems ain't exactly unheard of today so it's hard to believe that OpenID would solve these things in a whim.

    32. Re:Color Me Confused by Just+Some+Guy · · Score: 1

      OK, so OpenID doesn't solve that particular problem, but it helps the common case where users have the same password for every site. That's still a net gain.

      --
      Dewey, what part of this looks like authorities should be involved?
    33. Re:Color Me Confused by Anonymous Coward · · Score: 0

      It will work.

      http://www.livejournal.com/support/faqbrowse.bml?faqid=232&q=OpenID

    34. Re:Color Me Confused by MindKata · · Score: 2, Interesting

      "Can we get +1 and -1 Paranoid mods"

      It's clear from your comment, you have no real knowledge of power seeking. So while you're getting your +1 & -1 mod points, you should also ask for a +1 & -1 Boiled Frog mod. Because some people can see how power games are played, and some like you, have not been burned enough yet, so fail to see how the power games are played. Try reading some history, then you will see how throughout history, knowledge is used to gain and maintain power. While you're at it, you should also try to read up on the connections between PR and how big business and governments have used that to great effect, over the past nearly a century. Here's a clue, the original name for PR was Propaganda, but Public Relations sounds so much more friendly than Propaganda, so they call it PR, but it has the same goal, as it's the same thing, just with a different name.

      Many of the people who seek power are relentless power seekers. They are as obsessive about the need to gain power, as many programmers are obsessive about learning some new aspect of programming. While you may not know about the obsession for power, I would hope you can however relate to the intensity of obsession, to seek something they want.

      --
      There are 10 kinds of people in the world... those who understand binary and those who don't.
    35. Re:Color Me Confused by Dolda2000 · · Score: 1

      And if/when some sinister DNS poisoning shows up to the party, it's gonna be big trouble.

      Not with SSL client certificate authentication, it won't.

      Or heck, someone simply gets hold of your master password. Oops someone just got full access to ALL your favorite websites...

      Seeing how most people use the same stock password for most sites anyway, it seems the same problem exists anyway. If you're actually one of the few (like me, though ;) who actually use different passwords, then the smart thing to do would obviously be to have different OpenID accounts corresponding to those different passwords and trust levels. Or, again, just use SSL authentication.

      isn't this a major single point of failure issue or have I missed something?

      Well, to begin with, you'll have to realize that OpenID is mostly intended to facilitate such simple things as posting comments to on-line forums like Slashdot, various blog engines or phpBB-like bulletin boards. If you just find a blog and wish to comment, it's very tedious to have to register an account just for that. OpenID fixes that problem. You are not meant to be logging into your bank account with OpenID.

    36. Re:Color Me Confused by hairyfeet · · Score: 1

      I know, this is why I have been avoiding it like the clap. I have yet to see any explanation of what kind of security OpenID uses, what kind of security they require of affiliates, etc. There are simply too many bad guys on the net today to take such things on faith. Maybe someone from OpenID could post a slashdot article with a list of their security practices?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    37. Re:Color Me Confused by MatB · · Score: 3, Informative

      Livejournal was, IIRC, the first site to allow client side logging in using OpenID.

      Created by the same person (now working for Google), specifically because he hated the idea of non-authenticated blog comments but also hated logging in all over the place.

      A guy with a lot of great ideas. Shame he can't market a product for shit.

      --
      Mat Bowles
    38. Re:Color Me Confused by FooBarWidget · · Score: 1

      I don't care about all that. All that I care about is that the tons and tons of MSN users are now able to login to my site without having to register an account at my site first. I don't care whether people can use OpenID to login to Windows Live.

      Microsoft supporting OpenID like this is a good thing.

    39. Re:Color Me Confused by marcosdumay · · Score: 1

      Everybody that has a business plan other than showing you ads while you log on wants to be a consumer.

      When OpenID was a new and untested thing, nobody working on unrelated projects had heard about it, so consumers didn't start using it. At the same time, people working with OpenID knew it existed, so providers started appearing. That is normal. Now that it is a little more known, there isn't a lack of consumers anymore.

    40. Re:Color Me Confused by jellomizer · · Score: 1

      General Slashdot
      Let X represent some technology
      X = Cool
      X + Microsoft Support = Bad
      X - RMS Support = Bad
      X - Microsoft Support = High Quality
      X + RMS Support = Morally Correct

      I like to judge X on X

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    41. Re:Color Me Confused by aztracker1 · · Score: 2, Insightful

      I have a simple solution for you... banking sites aren't likely to *ever* accept openid as a login method. However, for entering comments on a blog you've never been to before, and may never see again, or various other sites, it's a godsend. Not having to create a login, wait for an email, so you can validate your address, then go into the site again, just to put a comment of "thanks" on a blog entry that helped you to do something you were looking for is a nice thing.

      OpenID imho isn't an end-all be-all solution for anything that needs to be super-secure, or imho anything dealing with money. It is a great idea for sites you haven't been to, may not return to, and don't really care about, when you need short-term access.

      --
      Michael J. Ryan - tracker1.info
    42. Re:Color Me Confused by Raenex · · Score: 2, Insightful

      You can have more than one OpenID. Sites can still allow anonymous posting.

      Besides that, there's an even bigger id that most people are tied to and don't even think about -- their IP address. How much data flows through your ISP? Talk about single points of failure. People also tend to have one email address and don't use encryption.

      If you are concerned about government-thwarting privacy then you have to take active measures to gain it. OpenID is no more of a problem than any of the other things I have mentioned. On the other hand, if you don't care about people tracking your blog postings -- or maybe you want an identity -- OpenID is great.

    43. Re:Color Me Confused by Anonymous Coward · · Score: 0

      Haha, you always post the same rant about power-seeking.

    44. Re:Color Me Confused by richlv · · Score: 1

      actually, you can choose not to send any metadata for openid logins - just your id. so any differences in metadata can't be a reason for not accepting openid logins.

      --
      Rich
    45. Re:Color Me Confused by zuperduperman · · Score: 1

      > I can go to wordpress, verisign, aol and all that jazz and login with my OpenID.

      You are being very disingenuous. There are nearly no big companies that are willing to behave as OpenID relying parties. The ones you mention are probably about it. This is the big problem with OpenID, and it's not the slightest bit unique to Microsoft (although I'll heartily agree that they are yet another addition to the problem).

      What I think: OpenID foundation needs to trademark a new logo that can only be used for providers that act as both a provider and a relying party. Then they need to make two tiers of membership: first tier and second tier. You can't join the top tier without supporting a relying party service yourself. Top tier members get double the votes (or some similar measure) in any decisions on the protocol.

    46. Re:Color Me Confused by Anonymous Coward · · Score: 0

      "you always post the same rant about power-seeking."

      It's interesting you troll, to ignorantly put someone down, when there are people in the world, who do seek power over others. There is nothing wrong in speaking the truth, especially when it fits the facts. So I can only conclude, you are threatened by the idea, people want to talk about such behaviour. Which points to you have psychological behaviour problems, which explains why you go to the trouble, of attempting to put people down.

    47. Re:Color Me Confused by jroysdon · · Score: 1

      Hmm, I don't think you get how OpenID works. I'm not an expert, but I've played with it a bit.

      You enter your OpenID URL ("login"), and you are redirected to your OpenID provider to auth (or if you already authenticated earlier in your browser session, then you're all set), and your OpenID provider says, "Yup, this is "X"" (and supply whatever info you tell it to supply).

      You never give your openid username/password to the website you're giving your openid URL to (although, usually the openid url is in some way your openid username, but there is nothing forcing it to be).

      But the best thing is that your OpenID URL can point to your own domain, so you always control and own your OpenID. Then you just put a bit of html on your domain's webserver redirecting your OpenID to another place where you have another OpenID. Sounds complicated (it is a bit), but at any time I can switch where I redirect my OpenID on my domain to, so I can change from Verisign to anyone else I want (or even run my own OpenID server), but to all of the sites I use my OpenID URL at, I'm the same person.

      What I like about Verisign's OpenID provider service is that they have one of those little keyfobs that verify you are you and have your keyfob. But the best thing is that you can get one for like $5 (?) from Paypal and it'll work on the Verisign site too (vs. $15 (?) for the Verisign fob that won't work at Paypal/eBay).

      Now, all of a sudden I can login with my OpenID at a public terminal, type in my keyfob, and even if someone grabs all of that (key logger) it is only good for 30 seconds. After 30 seconds, my keyfob changes and you can't auth to my OpenID provider again.

      I understand there are other attack vectors, but overall, for non-financial uses (blogs, forum sites, etc.) it's just fine.

    48. Re:Color Me Confused by wertigon · · Score: 1

      I thought about this when I first heard about OpenID. Ultimately, it's not true, because;

      1. You can have multiple OpenIDs.
      2. There's nothing preventing the site in question to ask you to provide a different username and display that. So john.smith@aol.com could be "StJohn" on one site and "Tom Bombadil" on another. How are you supposed to datamine something you don't have access to? (In fact, this should be recommended practice among RPs)

      Therefore, I feel quite safe with OpenID.

      --
      systemd is not an init system. It's a GNU replacement.
    49. Re:Color Me Confused by Rene+S.+Hollan · · Score: 1

      Except Microsoft services REQUIRE the appropriate metadata.

      --
      In Liberty, Rene
    50. Re:Color Me Confused by darkpixel2k · · Score: 1

      Everyone? Speak for yourself. All Web-based applications that I write now accept Yadis (specifically OpenID) as an alternative/complement to traditional username/password authentication where authentication is a requirement.

      Anything the slashdot crowd might be familiar with, or are you talking about your personal website?

      I consume OpenIDs in webapps, but they aren't public, so me stating that I use it in all my webapps doesn't f*cking matter.

      --
      There's no place like ::1 (I've completed my transition to IPv6)
    51. Re:Color Me Confused by richlv · · Score: 1

      well, i guess that's up to them to change this requirement then ;)
      or one could set up a fake persona in openid provider and feed some crap data in the ms system...

      --
      Rich
    52. Re:Color Me Confused by holt · · Score: 1

      I believe you're right, that all three pieces need to be up and running at the time of the login. However, while technically all three do store some data about you, the service to which you're trying to log in doesn't know anything other than the public OpenID portion (i.e., your password or cert is still secret), and the authenticator service (to whom you've delegated) only knows that you've logged into a particular URL. The authenticator doesn't need to know anything more than that.

      I was addressing your concerns about the OpenID provider closing shop. If that happens and you've set up delegation, you simply delegate to a different provider, and you're back in business. No need to worry about being locked out of your account, because you have control.

    53. Re:Color Me Confused by Rene+S.+Hollan · · Score: 1

      Well, M$ uses their single authentication point to also store metadata that is likely to be needed by many of their apps that look to that authentication point. OpenID would not have that metadata. (Though M$ could detect this, and create an OpenID->LiveID mapping and require the user to enter it the first time. Of course, it is in M$'s interest for the mappings to go the other way.)

      The kind of metadata has to do with stuff like age, location, etc.

      The thing is, not only can single point authentication be useful for a number of services, one can also envision shared metadata following some schemas useful for a (likely smaller) number of services. A central mapping of Id to location, and another one to age, and another one to medical information (horrors!), that can be used by any service that needs some or all of these: when you register with a particular service, you provide your single-point ID, and the service asks you where the metadata for all the types it needs is stored, if it isn't already associated with the ID. If you never provided it, it is obtained, stored somewhere, given a tag of its own, and bound to your single-point ID (and vice versa), and both databases updated.

      So, if some site needs, say, a Resume, for which an XML Schema is defined, it can ask you, "Your ID does not map to an XMLResume, would you like to provide the mapping or create one?", then redirect you to a resume provider, which creates a ResumeID, binds it with your single-point authentication ID, and lets you include that binding with the single point authenticator for "next time".

      Of course, just who can access what data should remain under your control, but I can envision a permission system based on PKI.

      --
      In Liberty, Rene
    54. Re:Color Me Confused by Blakey+Rat · · Score: 1

      I believe you're right, that all three pieces need to be up and running at the time of the login. However, while technically all three do store some data about you, the service to which you're trying to log in doesn't know anything other than the public OpenID portion

      No, the site I'm trying to log in to knows a crapload about me: all the data I've provided it, and data that I still want access to even if my OpenID provider has issues. I'd rather just log in directly so I don't have to rely on OpenID to get to my data, which is why I refuse to use sites which don't provide that option. (Like StackOverflow, for example.)

      I was addressing your concerns about the OpenID provider closing shop. If that happens and you've set up delegation, you simply delegate to a different provider, and you're back in business. No need to worry about being locked out of your account, because you have control.

      ... Unless it's your "delegate" server who's out of commission, then you're in the same boat as if you didn't have one in the first place.

      But my by far overwhelming concern for this whole concept is that it's FAR too difficult for a normal, regular, non-geek to use. Ignoring all the technical flaws, Passport is easy and OpenID is hard.

    55. Re:Color Me Confused by holt · · Score: 1

      Of course they know about the data you've provided to them directly. That's the whole point of logging in; I didn't think I needed to spell that out. Let me revise my earlier statement: "While technically all three do store some login-related data about you, the service to which you're trying to log in doesn't know anything related to your login other than the public OpenID portion"

      While I agree that OpenID probably isn't easy enough for non-geeks, at least not without hand-holding, I certainly wouldn't recommend a service like Passport, considering that by using that all your concerns about the ID provider deciding to simply shut down come back into the picture.

    56. Re:Color Me Confused by Blakey+Rat · · Score: 1

      Of course they know about the data you've provided to them directly. That's the whole point of logging in; I didn't think I needed to spell that out. Let me revise my earlier statement: "While technically all three do store some login-related data about you, the service to which you're trying to log in doesn't know anything related to your login other than the public OpenID portion"

      What bothers me the most is that my data could be lost through no fault of my own, and no fault of the site storing the data. If Yahoo decides to stop being an OpenID provider, poof, suddenly that data's gone; it's not my fault, and it's not siteiloginto.com's fault, but it's still gone. I'd much, much prefer to just log on normally.

      While I agree that OpenID probably isn't easy enough for non-geeks, at least not without hand-holding, I certainly wouldn't recommend a service like Passport, considering that by using that all your concerns about the ID provider deciding to simply shut down come back into the picture.

      Well, you're right. But OpenID hasn't improved on Passport, and it's much harder to use, so there's really no point to it until it fixes at least one of those.

      I'd also prefer to log in normally than to use Passport, but if there was a choice between the two then Passport is the obvious pick.

  2. yeah by Anonymous Coward · · Score: 0

    Ok that's cool, but it doesn't change the fact that OpenID is a colossal waste of time, and almost entirely pointless outside the navel-gazers of the blogging community.

  3. hey by Corpuscavernosa · · Score: 1

    Microsoft doesn't host any of my porn sites and I don't use hotmail. I'm just saying. Now if by entering the game they somehow prevent me from using openID at any of these sites... we'll have a problem.

    --
    We figured out a long time ago that it's easier to elect seven judges than to elect 132 legislators.
  4. Tinfoil Hat by krgallagher · · Score: 3, Insightful
    "So, how long before I can use my OpenID to post on Slashdot?"

    So how long before governments require OpenID to eliminate internet anonymity?

    --

    Insert Generic Sig Here:

    1. Re:Tinfoil Hat by dnwq · · Score: 5, Interesting
      Note to the oblivious: OpenID doesn't eliminate anonymity. Far from it.

      Wikipedia:

      Since OpenID is decentralized, any website can use OpenID as a way for users to sign in; OpenID does not require a centralized authority to confirm a user's digital identity.

    2. Re:Tinfoil Hat by I+cant+believe+its+n · · Score: 1

      Note to the oblivious: OpenID doesn't eliminate anonymity. Far from it.

      Being of an oblivious nature, I have a question for you:
      In what ways does the OpenID system promote user anonymity?

      --
      She made the willows dance
    3. Re:Tinfoil Hat by DragonWriter · · Score: 5, Informative

      In what ways does the OpenID system promote user anonymity?

      It promotes anonymity by allowing services to operate that require associating the initiator of one action with the initiator of a prior action, without requiring the "meatspace" identity of either. That is, it provides a reasonable means for a subscription-based service to verify "the person accessing this resource is the one that established this account" without ever identifying who the person is that established the account.

      Since many services rely on providing that kind of relation between the person establishing an account and a person requesting a resource, it promotes anonymity to provide a means that allows those services to fill that need while users remain anonymous.

    4. Re:Tinfoil Hat by Anonymous Coward · · Score: 0

      Note to the tin-foil less: Who do you think wrote the Wikipedia article? Answer: The zombie corpse of a one J. Edgar Hoover.

    5. Re:Tinfoil Hat by Anonymous Coward · · Score: 0
  5. It's a trick. Get an axe by TheRealMindChild · · Score: 3, Funny

    Patches are always welcome wertigon ;)

    Yeah. You are welcome to write a patch. That doesn't mean Taco will even use it. Don't let his comment mislead you.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    1. Re:It's a trick. Get an axe by Anonymous Coward · · Score: 0

      Of course he won't use it. Hence the winking smiley.

    2. Re:It's a trick. Get an axe by gbjbaanb · · Score: 1

      yeah, but as implementing an OpenID consumer is such a doddle, I'm sure CmdrTaco could read the example perl docs and slap it into the authentication system on /. in 5 minutes.

      The tricky bit is tying your existing user to your openid login.. maybe it'd take him 10 minutes :-)

  6. OpenID Concept still has issues. by mpapet · · Score: 3, Interesting

    It might be okay for joe-shmoe consumer, but there are still common-sense issues standing in the way.

    First and foremost is the dead-simple notion, "You mean I'm going to trust a single source for EVERY password for every site I go to? No thanks! I've had my identity stolen already."

    If I was in charge of the Right Brigade, I would change the nexus from some server-in-the-sky to your PC storing/providing authentication. I know that's crazy-talk, being responsible for your own identity and everything. Just call me old-fashioned.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
    1. Re:OpenID Concept still has issues. by Mr.+Slippery · · Score: 1

      I would change the nexus from some server-in-the-sky to your PC storing/providing authentication. I know that's crazy-talk, being responsible for your own identity and everything. Just call me old-fashioned.

      But you can't be trusted for providing your own identification. An identification credential relies on some sort of certifying authority.

      "Ok, Mr. Jones, I'll just need a piece of ID to cash this check."

      "Fine, here you go."

      "Um, what's this? A Polaroid (link for the kids) with your name written on it with a Sharpie? Is this something you made yourself?"

      "Sure! Who's better to attest to my identity than me?"

      Do you want my PC to answer the question of "Is this guy mpapet?" Might see some interesting posts under your name if it does. :-)

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
    2. Re:OpenID Concept still has issues. by internerdj · · Score: 2, Insightful

      Yeah but I can't trust myself either. Who knows how many accounts I have. I don't. Ok so most follow the same general scheme but then you get the outliers who won't accept a normal scheme so you have to have a unique password for their site. There are several accounts I don't even bother to guess I just use the magic questions to log in. Wow you must either know my password or some semi-private information about me to get into say my mortgage accounts or my retirement accounts. I would welcome an entity that would let me have a single login but customer service to reset my password. But I also will have to be convinced it is technologically sound to do that without handing out my info right and left.

    3. Re:OpenID Concept still has issues. by Anonymous Coward · · Score: 2, Funny

      It might be okay for joe-shmoe consumer

      Joe is a plumber, stupid.

    4. Re:OpenID Concept still has issues. by Just+Some+Guy · · Score: 1

      I would change the nexus from some server-in-the-sky to your PC storing/providing authentication. I know that's crazy-talk, being responsible for your own identity and everything.

      That's a great idea! I think you should call it OpenID.

      --
      Dewey, what part of this looks like authorities should be involved?
    5. Re:OpenID Concept still has issues. by WebCowboy · · Score: 1

      If I was in charge of the Right Brigade, I would change the nexus from some server-in-the-sky to your PC storing/providing authentication. I know that's crazy-talk, being responsible for your own identity and everything. Just call me old-fashioned.

      Absolutely not..it is quite forward thinking IMHO. I think that the concept behind OpenID is exactly what the 'net needs, because it enables exactly that--the barrier is technically pretty low to provide your openID yourself--on your very own system! The fact that such a thing is considered "crazy talk" seems sad to me. Something that acts as a "server" should not be considered "too technical" or "for experts only"--such thinking is almost criminal, and ISPs should not be allowed to keep customers from having ports listening on the 'net (there is no technical reason to block servers...NONE. My ISP doesn't and it provides MUCH better service quality than the main big cable/telco companies that do such nonsense).

      To really "fix the 'net" I think the best solution would be to foster the belief in "personal server appliances". People would have servers like they have TVs or stereos or telephones (or it could BE the TV or a stereo system component or telephone). Your personal server would provide your personal services (OpenID, mail server, personal web profile).

      Sadly we are going the opposite way. It is very sad, this push for "cloud computing" the way cloud computing is implemented now. It is a throwback to the pre-Altair days of "cathedrals" and big intimidating building-sized systems run by a big corporation's lab-coated employees.

      Don't get me wrong--I like the idea of seamlessly accessing data from everywhere from a big "cloud of systems"--it's just that the way it is done now is the wrong way. Google, Amazon, Microsoft...they all make these "artificial clouds" housed in big glass boxes where you set up your virtual hosts--they've hijacked the "cloud" term and used it for consolidation instead of distribution, which is the spirit in which the internet came to be.

      This trend of big companies setting up OpenID provider services but not consuming is caveman thinking--or at least very anti-internet. If you are to implement openID support in your infrastructure, the proper thing to do would be to become a consumer FIRST. This just shows that MSFT hasn't changed at all--from the time BillG wrote his anti-piracy manifesto until today--they are fighting the true spirit of what open, personal computing was trying to be.

    6. Re:OpenID Concept still has issues. by joeljkp · · Score: 1

      My concern with OpenID:

      Say I set up an OpenID with MyOpenID.com and use it to sign in to a dozen different sites, customize my account on those sites, create posts, store data, etc. Then MyOpenID.com goes away or starts sucking.

      What then? Is there an easy way to transfer an existing OpenID-linked account at end-user sites to a new OpenID?

      --
      WeRelate.org - wiki-based genealogy
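The delegation that holt describes, and the provider-switch question joeljkp asks, as an added example that is not part of the thread: a relying party keys the account on the claimed identifier (a URL the user controls) and re-runs discovery on every login, so re-pointing the page's link tags moves the login to a new provider and an assertion from the old one stops being accepted. The link `rel` names are those of OpenID 1.1 and 2.0 HTML discovery; the hostnames, the `RelyingParty` class and the assertion dicts are constructed for illustration, and signature verification of the assertion is assumed to have happened already.

```python
from html.parser import HTMLParser

# (provider rel, delegate rel) pairs: OpenID 2.0 first, then OpenID 1.1
REL_PAIRS = (("openid2.provider", "openid2.local_id"),
             ("openid.server", "openid.delegate"))


class _LinkCollector(HTMLParser):
    """Collect <link rel=... href=...> values from the <head> of an identity page."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = a.get("href")
            # rel may carry several space-separated values
            for rel in (a.get("rel") or "").lower().split():
                if href:
                    self.links.setdefault(rel, href)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(claimed_id, html):
    """Return the provider endpoint and provider-local ID the page delegates to."""
    collector = _LinkCollector()
    collector.feed(html)
    for provider_rel, local_rel in REL_PAIRS:
        if provider_rel in collector.links:
            return {"claimed_id": claimed_id,
                    "op_endpoint": collector.links[provider_rel],
                    # without a delegate tag the claimed ID is also the local ID
                    "local_id": collector.links.get(local_rel, claimed_id)}
    raise ValueError("no OpenID provider advertised at " + claimed_id)


class RelyingParty:
    """Hypothetical consumer site; fetch(claimed_id) returns that page's HTML."""

    def __init__(self, fetch):
        self.fetch = fetch
        self.accounts = {}  # keyed by claimed identifier, never by provider

    def login(self, assertion):
        """Map an already signature-checked assertion to an account, or raise."""
        claimed = assertion["claimed_id"]
        found = discover(claimed, self.fetch(claimed))
        # Only the provider the page currently delegates to may speak for it.
        if (assertion["op_endpoint"], assertion["local_id"]) != \
                (found["op_endpoint"], found["local_id"]):
            raise PermissionError("provider is not authorised for " + claimed)
        return self.accounts.setdefault(claimed, {"id": len(self.accounts) + 1})


# Constructed sample data: the same identity page before and after re-delegation.
CLAIMED = "https://alice.example/"
PAGE_A = ('<html><head><link rel="openid2.provider" href="https://op-a.example/server">'
          '<link rel="openid2.local_id" href="https://alice.op-a.example/"></head></html>')
PAGE_B = ('<html><head><link rel="openid2.provider" href="https://op-b.example/auth">'
          '<link rel="openid2.local_id" href="https://op-b.example/u/alice"></head></html>')
VIA_A = {"claimed_id": CLAIMED, "op_endpoint": "https://op-a.example/server",
         "local_id": "https://alice.op-a.example/"}
VIA_B = {"claimed_id": CLAIMED, "op_endpoint": "https://op-b.example/auth",
         "local_id": "https://op-b.example/u/alice"}


def demo():
    pages = {CLAIMED: PAGE_A}
    rp = RelyingParty(pages.__getitem__)
    before = rp.login(VIA_A)["id"]
    pages[CLAIMED] = PAGE_B          # owner edits two link tags; provider A is gone
    after = rp.login(VIA_B)["id"]
    try:
        rp.login(VIA_A)              # old provider tries to assert the identity
        old_provider_accepted = True
    except PermissionError:
        old_provider_accepted = False
    return before, after, old_provider_accepted


if __name__ == "__main__":
    print(demo())
```

The account survives the switch only because the identity page itself stays reachable and under the user's control, which is the dependency Blakey Rat raises about the delegating server.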
  7. Someone Want to Tell Me by neoform · · Score: 1, Flamebait

    What exactly is it about OpenID that makes it something I would want to use? Everything I've seen about openid is chock-full of flaws that makes me wonder why any site admin would want to use it.

    --
    MABASPLOOM!
    1. Re:Someone Want to Tell Me by Anonymous Coward · · Score: 0

      You can have the same pseudonymous identity on multiple sites. People on Slashdot (some day, we can hope) will recognize you as the same guy from Livejournal, identi.ca, etc, and have the knowledge that those three are indeed the same person and not just similarly named accounts.

      Anyone can run an OpenID server, it's really just an HTTP exchange that allows you to say "yes, person calling themselves that URL really is that person (because we control that URL, and that person has satisfied to us that he is him)".

      My biggest problem is that it's so web-centric. The Internet being more than port 80, etc... but if you generalized it completely you'd reinvent Kerberos. Different tools for different jobs.

    2. Re:Someone Want to Tell Me by neoform · · Score: 3, Interesting

      This is something the user wants?

      I certainly have no interest in having people be able to associate my account on suicidegirls to my facebook account to my msn messenger account...

      (i don't really have a suicidegirls acc, i'm just using that as an example)

      --
      MABASPLOOM!
    3. Re:Someone Want to Tell Me by Anonymous Coward · · Score: 2, Interesting

      You can create as many accounts as you want and use them as you choose. You can have one account to be a "technical smartass", one account to associate with people from work, and one account for posting on perv forums, whatever. You're still the decider of what pseudonyms do what.

      Putting on my futurist hat, I see this as the first step in establishing a decentralized "karma" or reputation system.

    4. Re:Someone Want to Tell Me by Ash-Fox · · Score: 1

      What about accounts for Anonymous Cowards?

      --
      Change is certain; progress is not obligatory.
    5. Re:Someone Want to Tell Me by larry+bagina · · Score: 1

      you could set up a provider that auto authenticates everyone with the same Anonymous Coward account. Or randomly creates a one-time account. Like an automatic bugmenot.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    6. Re:Someone Want to Tell Me by Anonymous Coward · · Score: 0

      Well, there's no rule that says you're limited to a single account. Make a separate id for your fictional suicidegirls account if you like, but some people would be happy to be able to prove that their MSN account and Facebook account are owned by the same person (and even better, only have to log in once)

    7. Re:Someone Want to Tell Me by Ato · · Score: 1

      But... If you have different OpenIDs for all sites you visit, what's the difference from not having an OpenID to begin with?

      Distributed karma sounds like it might attract some people to the cross-site identification that OpenID is actually offering.

    8. Re:Someone Want to Tell Me by Zebedeu · · Score: 1

      (i don't really have a suicidegirls acc, i'm just using that as an example)

      Sure you don't.
      *wink* *wink* *nudge* *nudge* say no more, say no more.

  8. Misleading summary. by blowdart · · Score: 4, Insightful

    You don't have to join the OpenID foundation to become an OpenID provider. Funnily enough Microsoft did join; but in February.

    But as I ranted on my blog, becoming a provider is useless these days; allowing authentication using OpenID would be far more impressive.

  9. Provider only? by Kurt+Granroth · · Score: 4, Informative

    As far as I can tell, Microsoft is only going to be an OpenID Provider and not a Relaying Party. That is, you can use your MS ID elsewhere but you can't use your existing ID on MS Live.

    This seems to be pretty typical of companies adopting OpenID. Lately, quite a few companies have trumpeted their OpenID support... yet in almost all cases, it has been as a Provider only. Yahoo is the notable exception of a large OpenID provider that is also a relaying party (consumer).

    So this has resulted in a world where everybody wants to provide an ID but nobody wants to accept them. The goal is that I could create an ID on my own website (as an OpenID provider) and use that ID to log into Google and Yahoo and MS Live and the rest without having to create a separate user on all of them. The reality is that since nearly all of them are only providers, I would still have to create a ton of separate users.

    1. Re:Provider only? by Arancaytar · · Score: 1

      Yeah - everybody wants the others to trust them, but nobody is willing to trust the other providers.

    2. Re:Provider only? by petermgreen · · Score: 1

      The people this is good for is smaller sites. Afaict most users will already have an account from at least one openID provider. Therefore people will be able to log into your small site without having to create yet another ID.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    3. Re:Provider only? by Anonymous Coward · · Score: 0

      As far as I can tell, Microsoft is only going to be an OpenID Provider and not a Relaying Party. [...] Yahoo is the notable exception of a large OpenID provider that is also a relaying party (consumer). [...]

      It's "relying party" not "relaying party."

    4. Re:Provider only? by Anonymous Coward · · Score: 0

      Well, I think the question that sites considering accepting OpenID have to ask is, what features do they want to allow people to use OpenID for?

      OpenID makes a lot of sense for commenting, and I wish more sites (particularly those that already allow anonymous or semi-anonymous commenting) would use it that way.

      But what about sites that rely on the demographic data they get when people sign up to comment? What about places that provide an interface to track users' previous comment posts (e.g., Gawker, Slashdot)? At what level do you really need to have an account (not just a login, but a something with which to associate your data) associated with the site in order to perform functions efficiently, and does the site really want to have accounts where someone else controls the login creation and credential process?

      It's not just about trusting other providers, it's deciding when it's appropriate to allow semi-anonymous people access to functions of your site for which you'd normally require a login.

    5. Re:Provider only? by IAmGarethAdams · · Score: 1

      There's no incentive for anyone to build an OpenID consuming site until its users have an incentive to *get* an OpenID.

      If providers like Microsoft and Livejournal can ensure that huge amounts of users have OpenIDs, *then* you'll see more sites popping up where you can log in using those credentials. It'll start with personal blogs and small sites that can be set up quickly, but eventually it'll catch on with bigger sites.

      So, this is a big step towards adoption for OpenID, and not something to really complain about

  10. What about AOL? by AndrewNeo · · Score: 1

    People can complain that just because Live is providing OpenID identities, that they can't log in to say, Hotmail, with an OpenID.
    How is this any different from AOL providing OpenID for their screennames?

  11. Re:Rome wasn't built in a day, buddy . . . by EraserMouseMan · · Score: 1

    Microsoft should be implementing a way to associate your Live ID with your OpenID and use your OpenID to login to Live. But they aren't & I doubt they ever will.

    I bet you doubted MS would ever become a provider of Open IDs too didn't ya? This news is progress. Don't be so negative about it.

  12. Microsoft is not an OpenID Relying Party by IGnatius+T+Foobar · · Score: 4, Informative

    As many here have already mentioned, OpenID is only useful when there are lots of web sites that are willing to be an OpenID Relying Party. Microsoft is not. They only want to be a provider -- which is no surprise. Microsoft doesn't want to be open and useful and let you log in with an ID from some other place -- they want to be your identity provider, because they want to be the ones in control of your online identity.

    Nice to see that the "kinder, gentler" post-Gates Microsoft is just as ruthless and selfish as ever.

    Ask yourself this question: if you have a single sign-on for the web, who would you want managing it for you? For us geeks out there, the answer is simple: run your own identity server. No one controls it but you. For non-geeks ... please, anyone but Microsoft.

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
    1. Re:Microsoft is not an OpenID Relying Party by fprintf · · Score: 2, Interesting

      I wonder if you can run the identity server on DD-WRT? That would be cool without requiring me to keep my computer running all the time!

      --
      This post brought to you by your friendly neighborhood MBA.
    2. Re:Microsoft is not an OpenID Relying Party by edavid · · Score: 1

      I do NOT want to be dependent on an identity provider be it open or not. For me OpenID is just another tracking device, and what I fear is sites mandating its use. If you want to control your online identity, refuse the use of email addresses as login or whateverID system, it is the only way.

    3. Re:Microsoft is not an OpenID Relying Party by Skapare · · Score: 1

      See the list of software. If you can't get any of those to run on DD-WRT with a web server (I note that there is no tiny implementation in C, yet), then see the protocol and write your own (please share).

      --
      now we need to go OSS in diesel cars
  13. The cynical me by Jeff+Hornby · · Score: 2, Insightful

    While the cynical me wonders how long it'll be before Microsoft transforms OpenID to something proprietary

    The cynical me wonders when the Open Source community will abandon the OpenID standard now that Microsoft has committed to it.

    --
    Why doesn't Slashdot ever get slashdotted?
    1. Re:The cynical me by Ash-Fox · · Score: 1

      The cynical me wonders when the Open Source community will abandon the OpenID standard now that Microsoft has committed to it.

      I haven't exactly seen the Open Source community embracing it, to begin with. If they "abandon" it, it will have exactly the same attention it received before from the Open Source community.

      --
      Change is certain; progress is not obligatory.
    2. Re:The cynical me by Skapare · · Score: 2, Insightful

      The community embraces OpenID with the same zeal they would embrace OpenTeleMarketing.

      --
      now we need to go OSS in diesel cars
  14. It's for your security by soren100 · · Score: 1, Interesting

    "So, how long before I can use my OpenID to post on Slashdot?"

    So how long before governments require OpenID to eliminate internet anonymity?

    Given that the government has been pumping the idea for a while that somehow terrorists are "recruiting" online in places like Second Life, not long at all.

    From the first article:

    It is certain that virtual reality is doing real damage with intelligence, recruiting, fund raising and the spread of Islamic extremism. This assault may start with bytes, not bullets, but American generals will tell you, it's a hot war all the same on a battlefield called "jihad.com."

    Asked if the Internet is training up new battalions of those young people, Custer tells Pelley, "It's a self-fulfilling prophesy that's exactly what the jihadist Internet is there to do."

    So in the name of protecting your freedom and liberty from terrorism, and protecting the children from the "jihadist internet", OpenID will become required to access any site worth accessing. That way terrorists can have their OpenID revoked, and your "freedom" is saved. It's very convenient, and besides, you have nothing to hide, right?

    1. Re:It's for your security by Ash-Fox · · Score: 2, Funny

      Given that the government has been pumping the idea for a while that somehow terrorists are "recruiting" online in places like Second Life, not long at all.

      I for one, can't wait for the day that national monuments are knocked over by giant flying penises.

      --
      Change is certain; progress is not obligatory.
  15. Whoooops... by wertigon · · Score: 4, Funny

    Ok, remind me never to submit news stories while dead tired. You tend to miss quite a few things (like making sure the bloody headline is completely wrong; what I meant to say was "Microsoft joins the OpenID *Fray*").

    Nice getting pwned by Slashdot. I love you too guys!

    --
    systemd is not an init system. It's a GNU replacement.
    1. Re:Whoooops... by wertigon · · Score: 1

      Hmm, and I really should be using smileys more, as well... I mean it. Thanks for teaching me to remain humble. :D

      --
      systemd is not an init system. It's a GNU replacement.
  16. Tinfoil hat?? by Riot.ATL · · Score: 2, Interesting

    Does anybody else not like the idea of using one ID to log in to several web sites?

    1. Re:Tinfoil hat?? by david_thornley · · Score: 1

      What's not to like about the idea? I have lots of accounts on websites with one fairly low-security password, and for these OpenID is a step forward in security (not that I care much, since by definition these are websites that I don't much care about security for). OpenID would be just fine for most of the sites I go to.

      For sites like eBay or PayPal, I've got separate strong passwords, and am not interested in using OpenID.

      I'm perfectly happy with using one ID to log in to several web sites, as long as none of those are ones I think I need good security for.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    2. Re:Tinfoil hat?? by Riot.ATL · · Score: 1

      Just the fact that if my OpenID were somehow compromised the attacker would have access to several sites I visit. They might not contain financial or personal information, but it's one headache I'd rather not deal with. I prefer to memorize several random passwords ... it's not that hard.

  17. OpenID for /. may actually happen someday... by Lord+Satri · · Score: 1

    "So, how long before I can use my OpenID to post on Slashdot?"

    For the minor Slashcode website I run (see sig - thousands of unique IP addresses reached daily, but still very minor), a project with one partner requires our Slash website to be OpenID-friendly.

    We have little to no resources, so I can't provide any timeline or even if it will happen from us. But I sure want to. See also the slashcode-dev mailing list to learn more.

  18. openid needs to fix shit altogether by Vexorian · · Score: 0, Redundant

    It's getting insane, sites shouldn't, I mean should not, be able to provide openIds yet not accept ids from other sites, it is non-sense, it is bull and it really makes openid worthless, someone please fix this...

    --

    Copyright infringement is "piracy" in the same way DRM is "consumer rape"
    1. Re:openid needs to fix shit altogether by Requiem18th · · Score: 2, Interesting

      Ah but can't you see, the reason they are abusing OpenID is because of the freedom OpenID provides. Free communities can always be raided by greedy entities, and the only thing stopping them is public backlash, think prisoner game. You have to convince everybody to NOT accept OpenIDs from specific sites, an OpenID blacklist if you will, I'm all for it actually.

      --
      But... the future refused to change.
    2. Re:openid needs to fix shit altogether by Vexorian · · Score: 1

      Dear mod: You don't mod a person redundant when you do not agree with him, the official mod for when you do not agree with a post and you think this is dig is -1 troll.

      --

      Copyright infringement is "piracy" in the same way DRM is "consumer rape"
  19. Re:Color Me Confused-- AND they are running ads by davidsyes · · Score: 0, Redundant

    on buses saying, "Life Without Walls"... I say, "Life without windoze" would be better.

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  20. Valid Points... But... by mpapet · · Score: 1

    But you can't be trusted for providing your own identification. An identification credential relies on some sort of certifying authority.

    True. I didn't make that part clear. Once you are certified as you, from then on it's your responsibility to manage it. Your mobile phone already does it and it's why the carriers should be charging ahead on these identity issues. We know they are too stupid to do anything novel.

    Do you want my PC to answer the question of "Is this guy mpapet?"

    Not an operating system, no. A smart card token passing through the OS? Sure, no problem.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  21. That is all nice in theory by coryking · · Score: 1

    the way to know if you're being phished is checking the URL and the site you're on.

    That is all well in theory until your DNS gets hijacked too and "www.myopenid.com" points to the phishing site instead.

    1. Re:That is all nice in theory by Just+Some+Guy · · Score: 1

      So host your own OpenID provider with pictures of your kids or something. If you don't see pictures of your kids, then it's the wrong site.

      --
      Dewey, what part of this looks like authorities should be involved?
    2. Re:That is all nice in theory by aztracker1 · · Score: 1

      A lot of sites are doing that, banks, etc.. they have an image identifier, and some text that goes with the image, that you inputted. That gets displayed on login.

      --
      Michael J. Ryan - tracker1.info
    3. Re:That is all nice in theory by Fred+Foobar · · Score: 1

      the way to know if you're being phished is checking the URL and the site you're on.

      That is all well in theory until your DNS gets hijacked too and "www.myopenid.com" points to the phishing site instead.

      Then again, this problem exists with every other authentication method too. It is not limited to OpenID.

      --
      It was a really good paper.
    4. Re:That is all nice in theory by DragonWriter · · Score: 1

      Then again, this problem exists with every other authentication method too.

      I'm not sure I agree: how does it apply to SSL authentication using client certificates?

    5. Re:That is all nice in theory by Arancaytar · · Score: 1

      That is also perfect in theory. In practice, the browser will warn the user of a self-signed or mismatching certificate - and the user will ignore the warning.

    6. Re:That is all nice in theory by andy.ruddock · · Score: 1

      myopenid.com already has the option to display a personal icon on the login page.

      --
      God: An invisible friend for grown-ups.
    7. Re:That is all nice in theory by DragonWriter · · Score: 1

      That is also perfect in theory. In practice, the browser will warn the user of a self-signed or mismatching certificate - and the user will ignore the warning.

      But--and here's the key point--this doesn't have the problem at issue, that is, even by doing this the malicious website can't steal the client's "universal login", because it never gets access, even with a fraudulent server certificate that the user chooses to accept, to the client cert's private key.

      Sure, any login is vulnerable to false flags if the user chooses to ignore the signs (which are pretty prominent with most modern browsers and bad SSL certs), but that's different than the asserted problem, which was that all shared authentication systems are vulnerable to having one malicious website that uses the shared login present a false flag that allows it to steal the client's shared login information and then reuse it to access other sites using the shared login. If your shared authentication method is using SSL with client certificates to authenticate client identity, this vulnerability doesn't exist, since the server, even by presenting a false flag, does not gain information which would allow it to pose as the client to other servers using the same authentication system.

  22. Good multi-user personal provider? by Just+Some+Guy · · Score: 2

    I've been using SimpleID for a personal OpenID provider, but it seems to have problems with a lot of popular OpenID consumers like Plaxo and even Sourceforge itself (or more properly, they have problems with it, like ".failed to check_authentication(): failed to verify response"). I'd like the idea of a multi-user provider so that my wife can use it too. Any suggestions?

    --
    Dewey, what part of this looks like authorities should be involved?
  23. OpenID and phishing by jesterzog · · Score: 3, Interesting

    This won't solve the problem but the OpenID Community Wiki has a page documenting different ways in which phishing might occur, as well as a collection of recommendations.

    Probably in the long term, assuming OpenID becomes popular, it might come down to browser makers to specifically recognise OpenID, and do things like let the user specify who their OpenID provider is so that it can make it really obvious when the user's logging into the correct place. eg. If the browser doesn't start flashing its borders bright pink when the user visits their claimid.com login page, the user might suspect that they're giving their credentials to the wrong website.

    1. Re:OpenID and phishing by Kashgarinn · · Score: 1

      Actually, that might be the next real step in web 2.0

      - When you install IE/Firefox, you can sign up for an openID login/pass. When you're using your browser on your machine, you'll be logged in, and any website which requires you to create a login, would then just ask you to "allow this website to register your openid" and you'll be instantly logged in.
      - If you're on a public terminal, you just log in "from a public terminal" when you open the browser, and can instantly browse your websites like normal.

      This really is the next step in making it easier to have just a single signon for websites, and I can't wait until a firefox plugin is created to let you automatically sign in when you open the browser, and sign out when you close it.

      If you implement openid login in any other way than from the browser itself, you're opening yourself to phishing attacks, so integrating openid into the browsers really is the right step forward.

  24. Logging in by Skapare · · Score: 1

    I want to be able to just login with my simple username Skapare, not some site name. That's not what OpenID does. And it really isn't going to work very well with billions of people all wanting nice simple names.

    --
    now we need to go OSS in diesel cars
    1. Re:Logging in by WebCowboy · · Score: 1

      I want to be able to just login with my simple username Skapare [blogspot.com], not some site name.

      That isn't the job of OpenID--that is the job of the OpenID consumer as far as I can tell. You wouldn't WANT OpenIDs to be simple like yahoo or twitter or DNS, because you cannot guarantee uniqueness and name squatters will just take all the simple ones and you have the same old problem again.

      Proper implementation of OpenIDs would map the more complicated but unique URI-style ID to your site alias, and like any proper forum site does with email addresses your openID would be hidden from view for privacy reasons (so you don't get spammers and general marketing scum crawling forums to scrape your ID off of them and create a profile on you).

      This way you can create a site-based avatar but have the same credentials globally. Also, a good OpenID consumer would provide for one-to-many mapping, so that one actual user on the site could log in with any number of credentials. That way, if your OpenID provider leaves you in the lurch (say MSFT botches up their service to discourage people from using it and uses that as justification to shut the service down) the OpenID consumer can fall back to an alternative (even its own auth scheme instead of openID).

      When you log into such an OpenID compliant site it would work similar to Ubuntu's login--you would get a prompt for your user ID, then when you submit it would go away to see what ID provider/scheme you use then forward you to the proper authentication provider's site for the password (or whatever method they use to verify your ID). The site-specific profile determines the default, or you can override the default by entering the desired OpenID instead of your "simple alias".

    2. Re:Logging in by Skapare · · Score: 1

      That isn't the job of OpenID--that is the job of the OpenID consumer as far as I can tell. You wouldn't WANT OpenIDs to be simple like yahoo or twitter or DNS, because you cannot guarantee uniqueness and name squatters will just take all the simple ones and you have the same old problem again.

      And this is why a universal ID system just can't work.

      Proper implementation of OpenIDs would map the more complicated but unique URI-style ID to your site alias, and like any proper forum site does with email addresses your openID would be hidden from view for privacy reasons (so you don't get spammers and general marketing scum crawling forums to scrape your ID off of them and create a profile on you).

      But how do I hide it from the web provider I log in to? They are getting too much information with this. With the usual way, I use a throw-away email address to sign-up.

      This way you can create a site-based avatar but have the same credentials globally. Also, a good OpenID consumer would provide for one-to-many mapping, so that one actual user on the site could log in with any number of credentials. That way, if your OpenID provider leaves you in the lurch (say MSFT botches up their service to discourage people from using it and uses that as justification to shut the service down) the OpenID consumer can fall back to an alternative (even its own auth scheme instead of openID).

      That's just another potential flaw.

      When you log into such an OpenID compliant site it would work similar to Ubuntu's login--you would get a prompt for your user ID, then when you submit it would go away to see what ID provider/scheme you use then forward you to the proper authentication provider's site for the password (or whatever method they use to verify your ID). The site-specific profile determines the default, or you can override the default by entering the desired OpenID instead of your "simple alias".

      You are now dependent on 2 providers being up at the same time (unless you host your own authentication server). And this still doesn't provide any simplification like using the same ID to login everywhere (unless you login with a big long complicated one).

      But no matter what you do, it really isn't practical to scale up IDs to world wide (billions) and have simple ones for everyone.

      --
      now we need to go OSS in diesel cars
    3. Re:Logging in by WebCowboy · · Score: 1

      And this is why a universal ID system just can't work.

      It can and it does work. The internet has a unique identifier for any given computer that is online at any given time. Yes, there is NAT and things that mean that many many machines have IPs like 192.168.1.1 but they are still uniquely addressable via the combination of IP addresses in the route to the machine (ie. the public IP used by the NAT router plus the local IP of the computer). MAC addresses and IPv6 addresses are numerous enough to uniquely identify users too. Further layers of apps/protocols/etc make these unique identifiers more user-friendly.

      But how do I hide it from the web provider I log in to?

      You don't. You choose a trustworthy provider. For some people that means BEING YOUR OWN PROVIDER--which is technically very possible with OpenID. Why would you need to hide your own information from yourself?

      Also, isn't the present dog's breakfast of different authentication systems WORSE than OpenID? You give all this personal info, in varying formats, to multitudes of different entities and it is absolutely impossible to know where it is going. There are two sides to the traceability potentials in OpenID--and the flipside is that YOU can trace YOUR OWN info by providing your own identity. Proprietary systems or even big OpenID provider-only outfits like MSFT take that ability away.

      You are now dependent on 2 providers being up at the same time

      No matter how OpenID is implemented that is ALWAYS how it works...THAT IS THE WHOLE POINT. You CANNOT have decentralised universal authentication schemes without the authentication provider plus an application provider being available. It's no different from Active Directory but on an internet-wide scale--you lose the ability to authorise if you lose contact with the AD server, even if the DB server is on-line, but still AD/LDAP/Kerberos/whatever central directory service is considered essential in enterprise environments. Why do people find the concept to be a bad idea on the 'net?

      And this still doesn't provide any simplification like using the same ID to login everywhere

      You are totally wrong. It simplifies a whole bunch of stuff. You keep your identity information with one provider of your choice--even yourself. You only need to remember one password (or two, if you have a backup identity) even if you had different aliases on every site (and login aliases would be easier to remember than passwords, and safe to reuse everywhere). OpenID-style authentication could be used to manage name, address, e-commerce info without having to re-enter it everywhere--you only have to deal with the provider (again, it could be yourself) which would make it practical to control who gets access to what info (so requests from openID consumers could be denied to sensitive info if they are not white-listed)

      OpenID is more than having a single, simple login name used everywhere--that is the one place you are right. It is easy to uniquely identify every internet user, but not practical to make it easily human readable. That is not really what OpenID is out there to solve--simple aliases/avatars are more of an "application level" domain issue, not a "service/utility level" issue as authentication and authorisation are.

    4. Re:Logging in by Skapare · · Score: 1

      It can and it does work. The internet has a unique identifier for any given computer that is online at any given time. Yes, there is NAT and things that mean that many many machines have IPs like 192.168.1.1 but they are still uniquely addressable via the combination of IP addresses in the route to the machine (ie. the public IP used by the NAT router plus the local IP of the computer). MAC addresses and IPv6 addresses are numerous enough to uniquely identify users too. Further layers of apps/protocols/etc make these unique identifiers more user-friendly.

      Web sites are fewer in number than there are people. So the domain names are usually adequate. People don't want to use IP addresses even with IPv4 (and will want to even less with IPv6). But even some domain names are getting unwieldy and that's with just several million of them. Scale that up to a few billion.

      You don't. You choose a trustworthy provider. For some people that means BEING YOUR OWN PROVIDER--which is technically very possible with OpenID. Why would you need to hide your own information from yourself?

      This is not a scalable solution. The problem isn't that MY OWN information might be utilized, but rather, that anyone's information might be utilized. The fix, using what OpenID has designed, would be to require everyone to be their own provider. And that doesn't fly.

      Maybe the issue isn't clear. The problem with OpenID is that it allows authentication providers.

      Also, isn't the present dog's breakfast of different authentication systems WORSE than OpenID? You give all this personal info, in varying formats, to multitudes of different entities and it is absolutely impossible to know where it is going. There are two sides to the traceability potentials in OpenID--and the flipside is that YOU can trace YOUR OWN info by providing your own identity. Proprietary systems or even big OpenID provider-only outfits like MSFT take that ability away.

      There most certainly are problems with the existing system. But moving laterally isn't getting any closer to a clean universal solution.

      No matter how OpenID is implemented that is ALWAYS how it works...THAT IS THE WHOLE POINT. You CANNOT have decentralised universal authentication schemes without the authentication provider plus an application provider being available. It's no different from Active Directory but on an internet-wide scale--you lose the ability to authorise if you lose contact with the AD server, even if the DB server is on-line, but still AD/LDAP/Kerberos/whatever central directory service is considered essential in enterprise environments. Why do people find the concept to be a bad idea on the 'net?

      I'm able to do a lot of SSH logins just fine without having an authentication provider, and without giving the machine I log in to my password.

      You are totally wrong. It simplifies a whole bunch of stuff. You keep your identity information with one provider of your choice--even yourself. You only need to remember one password (or two, if you have a backup identity) even if you had different aliases on every site (and login aliases would be easier to remember than passwords, and safe to reuse everywhere). OpenID-style authentication could be used to manage name, address, e-commerce info without having to re-enter it everywhere--you only have to deal with the provider (again, it could be yourself) which would make it practical to control who gets access to what info (so requests from openID consumers could be denied to sensitive info if they are not white-listed)

      As soon as you login at one web site, you've now given them your password. They can now login on all your other sites. They know your universal ID. They know your universal password.

      OpenID is more than having a single, simple login name used everywhere--that is the one place you are right. It

      --
      now we need to go OSS in diesel cars
  25. Re:Color Me Confused-- AND they are running ads by Chosen+Reject · · Score: 1

    Well, if you have no walls, you have no need for windows.

    --
    Stop Global Warming!
    Just say no to irreversible processes!
  26. Re:Color Me Confused-- AND they are running ads by Anonymous Coward · · Score: 0

    I still like the one:

    "In a world without fences, who needs g(G)ates?"

  27. Anonymity by Gothmolly · · Score: 1

    I like being someone else on every website out there. Much harder to track.

    --
    I want to delete my account but Slashdot doesn't allow it.
  28. Don't enter your password by searlea · · Score: 1

    You only enter your userid into random-website - never your password.

    The ID gives the site enough information to redirect you to your OpenID provider's website - and that's where you enter your password. You should see the same thing every time. If you're paranoid about security, use an OpenID provider with customizable login pages (e.g. Yahoo - allows you to choose a picture to display on your OpenID login page.)

    After your OpenID provider authenticates you, you get redirected back to random-website which can then access the information you've explicitly allowed them to (maybe a nick-name, maybe an email address, maybe nothing...)

    Random-website never has access to your password. Ever.
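
The redirect flow described in the comment above, as an added example that is not part of the original thread: a relying party ("random-website") builds an OpenID 2.0 `checkid_setup` redirect, a simulated provider returns a signed `id_res` assertion, and the relying party verifies it. Assumptions: the hosts and MAC key are constructed sample values, the association (shared HMAC-SHA256 key) is taken as already established, and discovery of the provider for the claimed ID is skipped.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode

NS = "http://specs.openid.net/auth/2.0"
SIGNED = ["op_endpoint", "claimed_id", "identity", "return_to",
          "response_nonce", "assoc_handle"]

def build_auth_request(op_endpoint, claimed_id, return_to, realm, handle):
    """Relying party: the redirect URL. It names the user, nothing secret."""
    query = {"openid.ns": NS, "openid.mode": "checkid_setup",
             "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
             "openid.return_to": return_to, "openid.realm": realm,
             "openid.assoc_handle": handle}
    return op_endpoint + "?" + urlencode(query)

def _signature(fields, signed, mac_key):
    # Key-Value Form ("key:value\n") of the signed fields, in listed order.
    text = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)
    mac = hmac.new(mac_key, text.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def provider_assert(op_endpoint, claimed_id, return_to, handle, nonce, mac_key):
    """Provider (simulated): called only after the user has logged in on
    the provider's own page. The password is not part of the assertion."""
    fields = {"openid.ns": NS, "openid.mode": "id_res",
              "openid.op_endpoint": op_endpoint,
              "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
              "openid.return_to": return_to, "openid.response_nonce": nonce,
              "openid.assoc_handle": handle,
              "openid.signed": ",".join(SIGNED)}
    fields["openid.sig"] = _signature(fields, SIGNED, mac_key)
    return fields

def verify_assertion(params, mac_key, expected_return_to, seen_nonces):
    """Relying party: return the claimed_id only if every check passes."""
    if params.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    if params.get("openid.return_to") != expected_return_to:
        raise ValueError("return_to mismatch")
    signed = params.get("openid.signed", "").split(",")
    if not set(SIGNED).issubset(signed):
        raise ValueError("required field not covered by signature")
    if any("openid." + k not in params for k in signed):
        raise ValueError("signed field missing from response")
    expected = _signature(params, signed, mac_key)
    if not hmac.compare_digest(expected.encode(),
                               params.get("openid.sig", "").encode()):
        raise ValueError("bad signature")
    nonce = params["openid.response_nonce"]
    if nonce in seen_nonces:  # each assertion is accepted once only
        raise ValueError("replayed assertion")
    seen_nonces.add(nonce)
    return params["openid.claimed_id"]

if __name__ == "__main__":
    key = b"constructed-association-mac-key!"  # constructed sample value
    rp, op, me = "https://rp.example/return", "https://op.example/auth", "https://me.example/"
    print(build_auth_request(op, me, rp, "https://rp.example/", "h1"))
    reply = provider_assert(op, me, rp, "h1", "2008-10-28T12:00:00Zx1", key)
    print(verify_assertion(reply, key, rp, set()))
```
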

  29. another way M.Soft can ruin computers and time by idanity · · Score: 1

    tell me it ain't so... it's bad enough that microsoft gets installed on HD's, now they think we want to make them portable... maybe to screw w/linux users, but really, it sounds like an AOL scam (when they send 10billion cds out, they get 400 buyers, who they lock into a nearly impossible contract to stop)... not only will m.s. ruin time, and computers, but also tons of plastic and perfectly good DVD's the force is gonna feel this one across the galaxy

    --
    happy trials