Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Joins the OpenID Foundation

Posted by CmdrTaco on from the embrace-and-extend dept.

wertigon writes "Windows Live ID just became yet another OpenID-provider. While the cynical me wonders how long it'll be before Microsoft transforms OpenID to something proprietary, they have undoubtedly put even more weight behind the OpenID initiative. So, how long before I can use my OpenID to post on Slashdot?" Patches are always welcome, wertigon ;)

13 of 142 comments (clear)

  1. Color Me Confused by eldavojohn · · Score: 5, Informative

    Microsoft Joins the OpenID Foundation

    What a joke.

    Windows Live ID just became yet another OpenID-provider.

    True.

    they have undoubtedly put even more weight behind the OpenID initiative.

    False.

    So, how long before I can use my OpenID to post on Slashdot?

    Oh poor poor wertigon. You won't even be able to log into MS Live with it. I can go to wordpress, verisign, aol and all that jazz and login with my OpenID. I can go to sites listed as OpenID and login when I've never even been there before. Yet, when I go to the page that Microsoft lists for Live, I can't. Why is this? Because they're only providing IDs, not accepting other OpenIDs.

    You will soon be able to use your Windows Live ID account to sign in to any OpenID Web site!

    That's it. That's all you get. No future plans are listed to accept OpenID accounts either.

    OpenID's mission is to have one single login for every single website out there. So far, it was doing great. Now, I want to check my hotmail with my (pre-existing) OpenID. No luck. Unless you start at Windows Live and move to the rest of the OpenID sites, you are no closer to achieving OpenID's goal and vision. This is a ridiculous mangling of a great idea.

    When Microsoft fully supports it--when they both accept and provide IDs--that's when I'll agree with this headline. Microsoft should be implementing a way to associate your Live ID with your OpenID and use your OpenID to login to Live. But they aren't & I doubt they ever will.

    --
    My work here is dung.
    1. Re:Color Me Confused by Anonymous Coward · · Score: 5, Informative

      A lot of OpenID participants are provider only. Microsoft isn't helping the problem, but they aren't worse than a lot of other companies in this regard.

    2. Re:Color Me Confused by Smelly+Jeffrey · · Score: 4, Informative

      Mod parent up!

      This question is one that appears to not yet have been raised in the OpenID security discussion. In these times of phishing attacks on OpenID this should bear heavy on the mind.

      For more information, this article is a good jumping off point.

    3. Re:Color Me Confused by Anonymous Coward · · Score: 5, Informative

      There's no accredation. Login occurs by redirecting you back to your provider. You log in, or the provider establishes you're already logged in by means of cookies. Then your provider redirects you back, saying "yep, he's the holder of that openID".

      At no point does the accepting site get your user name and password. You can verify this by looking at your address bar. If you're still at the accepting site and they ask you for your user name and password, they're either doing it wrong or you're being phished.

    4. Re:Color Me Confused by Arancaytar · · Score: 3, Informative

      Um, duh - the way to know if you're being phished is checking the URL and the site you're on.

      With OpenID, you will never have to enter your password on any site but that of the OpenID provider. If the site you want to access asks you for your OpenID password, you're being scammed.

    5. Re:Color Me Confused by Dolda2000 · · Score: 4, Informative

      Unless I've missed the point somehow and there's some way to know if the site you're on is accredited.

      You have indeed missed the point, and even more than you think. You don't enter your OpenID password on the site you're authenticating to, at all. Ever. You just enter your OpenID username, and it redirects you to your actual OpenID provider, and there you enter your password (or, even better, use the SSL certificate installed in your browser, or your Kerberos credentials, or similar) to authenticate to it. It then redirects you back to the actual site with a cryptographic cookie that verifies your identity.

      If you're worried about phishing, that's a very different issue. Certainly a real one, though, but not anything you wouldn't be subjected to anyway. And, if you authenticate with something like an SSL certificate, it won't be a problem anyway.

    6. Re:Color Me Confused by Directrix1 · · Score: 2, Informative

      Its a LiveJournal service that he wants to let his MSN using friends (the ones with the shiny new OpenIDs) use. I believe it will work, unless you are saying LiveJournal has this half-functionality also.

      --
      Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
    7. Re:Color Me Confused by Rene+S.+Hollan · · Score: 4, Informative
      Depends on what you use the logins for. I use common logins, or at least passwords, across several sites, particularly ones I don't care too much about, and different ones for sensitive sites like banks, etc.

      So, yes, the number of logins you have should be more than one, but does not have to be as large as the number of sites you visit.

      But, to explain how OpenID, LiveID, and all such systems work without the site requesting the authentication requiring the authenticating credentials, it's like this:

      1) You authenticate with the authentication site. You get back a magic number, or some similar credential.

      2) You present this credential to the site that requests your authentication.

      3) It contacts the authentcation site with it, (perhaps authenticating itself too using means like a client cert), provides the credentials you supplied, and gets back all sorts of nifty metadata about you.

      Your credentials expire after some amount of time.

      LiveID works like this for all Microsoft and Microsoft-partnered sites. And the same for OpenID.

      The issue with having Microsoft accepting OpenIDs (besides the obvious econo-political one) is likely the nature of the metadata being different between what OpenID provides and what LiveID provides (unless OpenID supports the notion of arbitrary metadata per site requesting authentication, and so could support the LiveID metadata format).

      --
      In Liberty, Rene
    8. Re:Color Me Confused by holt · · Score: 4, Informative

      My understanding is that one should set up OpenID delegation, which allows you to have a static OpenID but still use third-party providers for the authentication portion. Anyone with a web presence can do this, and it's actually preferred to hosting your own OpenID server since it shows that someone else also vouches that you are who you say you are. Here is some further reading.

    9. Re:Color Me Confused by MatB · · Score: 3, Informative

      Livejournal was, IIRC, the first site to allow client side logging in using OpenID.

      Created by the same person (now working for Google), specifically because he hated the idea of non-authenticated blog comments but also hated logging in all over the place.

      A guy witha lot of great ideas. Shame he can't market a product for shit.

      --
      Mat Bowles
  2. Provider only? by Kurt+Granroth · · Score: 4, Informative

    As far as I can tell, Microsoft is only going to be an OpenID Provider and not a Relaying Party. That is, you can use your MS ID elsewhere but you can't use your existing ID on MS Live.

    This seems to be pretty typical of companies adopting OpenID. Lately, quite a few companies have trumpeted their OpenID support... yet in almost all cases, it has been as a Provider only. Yahoo is the notable exception of a large OpenID provider that is also a relaying party (consumer).

    So this has resulted in a world where everybody wants to provide an ID but nobody wants to accept them. The goal is that I could create an ID on my own website (as an OpenID provider) and use that ID to log into Google and Yahoo and MS Live and the rest without having to create a separate user on all of them. The reality is that since nearly all of them are only providers, I would still have to create a ton of separate users.

  3. Microsoft is not an OpenID Relying Party by IGnatius+T+Foobar · · Score: 4, Informative

    As many here have already mentioned, OpenID is only useful when there are lots of web sites that are willing to be an OpenID Relying Party. Microsoft is not. They only want to be a provider -- which is no surprise. Microsoft doesn't want to be open and useful and let you log in with an ID from some other place -- they want to be your identity provider, because they want to be the ones in control of your online identity.

    Nice to see that the "kinder, gentler" post-Gates Microsoft is just as ruthless and selfish as ever.

    Ask yourself this question: if you have a single sign-on for the web, who would you want managing it for you? For us geeks out there, the answer is simple: run your own identity server. No one controls it but you. For non-geeks ... please, anyone but Microsoft.

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
  4. Re:Tinfoil Hat by DragonWriter · · Score: 5, Informative

    In what ways does the OpenID system promote user anonymity?

    It promotes anonymity by allowing services to operate that require associating the initiator of one action with the initiator of a prior action, without requiring the "meatspace" identity of either. That is, it provides a reasonable means for a subscription-based service to verify "the person accessing this resource is the one that established this account" without ever identifying who the person is that established the account.

    Since many services rely on providing that kind of relation between the person establishing an account a person requesting a resource, it promotes anonymity to provide a means that allows those services to fill that need while users remain anonymous.