Slashdot Mirror


Microsoft Joins the OpenID Foundation

wertigon writes "Windows Live ID just became yet another OpenID-provider. While the cynical me wonders how long it'll be before Microsoft transforms OpenID to something proprietary, they have undoubtedly put even more weight behind the OpenID initiative. So, how long before I can use my OpenID to post on Slashdot?" Patches are always welcome, wertigon ;)

45 of 142 comments

  1. Color Me Confused by eldavojohn · · Score: 5, Informative

    Microsoft Joins the OpenID Foundation

    What a joke.

    Windows Live ID just became yet another OpenID-provider.

    True.

    they have undoubtedly put even more weight behind the OpenID initiative.

    False.

    So, how long before I can use my OpenID to post on Slashdot?

    Oh poor poor wertigon. You won't even be able to log into MS Live with it. I can go to wordpress, verisign, aol and all that jazz and login with my OpenID. I can go to sites listed as OpenID and login when I've never even been there before. Yet, when I go to the page that Microsoft lists for Live, I can't. Why is this? Because they're only providing IDs, not accepting other OpenIDs.

    You will soon be able to use your Windows Live ID account to sign in to any OpenID Web site!

    That's it. That's all you get. No future plans are listed to accept OpenID accounts either.

    OpenID's mission is to have one single login for every single website out there. So far, it was doing great. Now, I want to check my hotmail with my (pre-existing) OpenID. No luck. Unless you start at Windows Live and move to the rest of the OpenID sites, you are no closer to achieving OpenID's goal and vision. This is a ridiculous mangling of a great idea.

    When Microsoft fully supports it--when they both accept and provide IDs--that's when I'll agree with this headline. Microsoft should be implementing a way to associate your Live ID with your OpenID and use your OpenID to login to Live. But they aren't & I doubt they ever will.

    --
    My work here is dung.
    1. Re:Color Me Confused by Leynos · · Score: 4, Insightful

      This is still a useful development. I can now allow MSN Messenger using friends to read my friends-only livejournal posts without having to ask them to sign up for LiveJournal or OpenID (which most people outside of geekdom will not have heard of)

      --
      "Did you exchange a walk on part in the war for a lead role in a cage?"
    2. Re:Color Me Confused by Anonymous Coward · · Score: 5, Informative

      A lot of OpenID participants are provider only. Microsoft isn't helping the problem, but they aren't worse than a lot of other companies in this regard.

    3. Re:Color Me Confused by Zebedeu · · Score: 5, Insightful

      Exactly, and this half-functionality is why this move undermines OpenID and what it stands for.

      You see, OpenID still works, but it works *better* if you use Microsoft's version. Soon enough you'll find that everyone's reaching for those MS ids just to remain compatible, and MS will get what they couldn't with their Passport scheme, or LiveId or however it's called these days.

      It's the same embrace, extend, extinguish bullshit again, and in my opinion, the community should just reject these MS-provided ids until they learn to play ball.

    4. Re:Color Me Confused by HungryHobo · · Score: 5, Insightful

      I just don't get the point of this. I go to a website and there's a little note *You can use your openid here!* and I sign in with it. But wait! It was a trick, they grabbed my username and password, now they have my openid login.

      Unless I've missed the point somehow and there's some way to know if the site you're on is accredited.

    5. Re:Color Me Confused by Smelly+Jeffrey · · Score: 4, Informative

      Mod parent up!

      This question is one that appears to not yet have been raised in the OpenID security discussion. In these times of phishing attacks on OpenID this should bear heavy on the mind.

      For more information, this article is a good jumping off point.

    6. Re:Color Me Confused by Anonymous Coward · · Score: 5, Informative

      There's no accreditation. Login occurs by redirecting you back to your provider. You log in, or the provider establishes you're already logged in by means of cookies. Then your provider redirects you back, saying "yep, he's the holder of that openID".

      At no point does the accepting site get your user name and password. You can verify this by looking at your address bar. If you're still at the accepting site and they ask you for your user name and password, they're either doing it wrong or you're being phished.

    7. Re:Color Me Confused by Arthur+B. · · Score: 2

      Answering your own question :)

      --
      \u262D = \u5350
    8. Re:Color Me Confused by Arancaytar · · Score: 3, Informative

      Um, duh - the way to know if you're being phished is checking the URL and the site you're on.

      With OpenID, you will never have to enter your password on any site but that of the OpenID provider. If the site you want to access asks you for your OpenID password, you're being scammed.

    9. Re:Color Me Confused by cparker15 · · Score: 2, Insightful

      "This move" is a fundamental problem with OpenID, not Microsoft specific. Everyone wants to be a provider; no one wants to be a consumer.

      Everyone? Speak for yourself. All Web-based applications that I write now accept Yadis (specifically OpenID) as an alternative/complement to traditional username/password authentication where authentication is a requirement.

      --
      Have you driven a fnord... lately?

    10. Re:Color Me Confused by Blakey+Rat · · Score: 2, Insightful

      OpenID's mission is to have one single login for every single website out there. So far, it was doing great. Now, I want to check my hotmail with my (pre-existing) OpenID. No luck. Unless you start at Windows Live and move to the rest of the OpenID sites, you are no closer to achieving OpenID's goal and vision. This is a ridiculous mangling of a great idea.

      The idea is bad in the first place. The fact that numerous large .coms are OpenID *providers* but don't accept OpenIDs from other providers is only a symptom of the problem. I started thinking about this when reading suggestions for the new StackOverflow.com programming site.

      The problem is that when you use OpenID to log in to a website, you now rely on two sites to be up and running: the OpenID provider, and the site you're logging on to. If your OpenID provider decides OpenID isn't worth their time and cancels the service, you're SOL-- there's no way to log on to the site, and any data you've put on that site is lost forever.

      There's no way to "transfer" an OpenID between different providers, nor is there any way to "combine" multiple OpenIDs into a single OpenID (for example, combining LiveJournal's and Yahoo's so you can log on to the site with either.) Without that functionality, my data is being held BOTH by the site I'm entering it into AND by Yahoo/LiveJournal/whatever.

      The top suggestion for StackOverflow.com is to allow people to enter multiple OpenIDs for a single account, in case one of their OpenID providers goes down. I pointed out that this is a terrible idea, because knowing human nature, nobody will bother to enter a second OpenID until the first fails, and once the first fails they can't authenticate to enter the second anyway. If StackOverflow.com just had its own login system, it would avoid all these OpenID-related issues.

      Don't get me wrong, OpenID is great for sites where you want to authenticate, but you won't be storing any data on the site. For example, reading an article at the New York Times. But for any application where you're storing data, tying it to OpenID is a huge mistake.

      Anyway, the saddest thing is that Microsoft's Passport lets you merge IDs, so it's actually better-implemented than OpenID.

      (P.S. I know you can buy a Dreamhost account and a domain name and become your own OpenID provider which resolves all these issues. But if you want people to use the system, you need to make it usable by normal, average human beings. OpenID isn't.)

    11. Re:Color Me Confused by Dolda2000 · · Score: 4, Informative

      Unless I've missed the point somehow and there's some way to know if the site you're on is accredited.

      You have indeed missed the point, and even more than you think. You don't enter your OpenID password on the site you're authenticating to, at all. Ever. You just enter your OpenID username, and it redirects you to your actual OpenID provider, and there you enter your password (or, even better, use the SSL certificate installed in your browser, or your Kerberos credentials, or similar) to authenticate to it. It then redirects you back to the actual site with a cryptographic cookie that verifies your identity.

      If you're worried about phishing, that's a very different issue. Certainly a real one, though, but not anything you wouldn't be subjected to anyway. And, if you authenticate with something like an SSL certificate, it won't be a problem anyway.
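
Added example, not part of the original thread and not any site's actual code: the checks an accepting site runs on the signed response that comes back with the redirect described above, sketched for OpenID 2.0. It assumes an HMAC-SHA256 association was already set up with the provider, compares return_to by exact match as a simplification, and uses constructed URLs, handles and keys throughout.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Fields this example insists are covered by openid.signed.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}
MAX_SKEW = timedelta(minutes=5)


def sign(mac_key, params, signed_fields):
    """Base64 HMAC-SHA256 over the "field:value\\n" lines of the signed fields."""
    base = "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields)
    mac = hmac.new(mac_key, base.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_assertion(params, assoc, return_to, op_endpoint, seen_nonces, now):
    """Return the verified claimed identifier or raise ValueError."""
    if params.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    # Simplification: exact match against the URL the relying party sent.
    if params.get("openid.return_to") != return_to:
        raise ValueError("return_to does not match the request")
    if params.get("openid.op_endpoint") != op_endpoint:
        raise ValueError("assertion names an unexpected provider endpoint")
    if params.get("openid.assoc_handle") != assoc["handle"]:
        raise ValueError("unknown association handle")

    signed = params.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED <= set(signed):
        raise ValueError("required fields are not covered by the signature")
    if any("openid." + f not in params for f in signed):
        raise ValueError("signed field missing from the message")

    # The nonce starts with a UTC timestamp; reject stale or replayed values.
    nonce = params["openid.response_nonce"]
    stamp = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ")
    if abs(now - stamp.replace(tzinfo=timezone.utc)) > MAX_SKEW:
        raise ValueError("response_nonce outside the allowed clock skew")
    if (op_endpoint, nonce) in seen_nonces:
        raise ValueError("response_nonce already used (replay)")

    expected = sign(assoc["mac_key"], params, signed)
    supplied = params.get("openid.sig", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise ValueError("signature mismatch")
    seen_nonces.add((op_endpoint, nonce))
    return params["openid.claimed_id"]


# Constructed sample data: every URL, handle and key below is made up.
ASSOC = {"handle": "assoc-demo-1", "mac_key": b"constructed-demo-key-not-secret!"}
RETURN_TO = "https://rp.example/openid/return?session=abc"
OP_ENDPOINT = "https://op.example/server"
NOW = datetime(2008, 10, 28, 12, 0, 30, tzinfo=timezone.utc)


def sample_assertion():
    """What the provider would append to the redirect back to the site."""
    fields = ["op_endpoint", "return_to", "response_nonce",
              "assoc_handle", "claimed_id", "identity"]
    msg = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": "2008-10-28T12:00:00Zq9xk2",
        "openid.assoc_handle": ASSOC["handle"],
        "openid.claimed_id": "https://alice.example/",
        "openid.identity": "https://alice.example/",
        "openid.signed": ",".join(fields),
    }
    msg["openid.sig"] = sign(ASSOC["mac_key"], msg, fields)
    return msg


if __name__ == "__main__":
    seen = set()
    msg = sample_assertion()
    print(verify_assertion(msg, ASSOC, RETURN_TO, OP_ENDPOINT, seen, NOW))
    try:
        verify_assertion(msg, ASSOC, RETURN_TO, OP_ENDPOINT, seen, NOW)
    except ValueError as err:
        print("second use rejected:", err)
```

The password never appears in any of these fields; the site only learns that the provider vouches for the claimed identifier.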

    12. Re:Color Me Confused by GiovanniZero · · Score: 2

      That's not how openID works. When you go to login using your openID you just put in your ID and then it redirects you to your openID provider to have you login/provide authorization etc.

      --
      Mod me up, mod me down, do your worst you modding clown.
    13. Re:Color Me Confused by MindKata · · Score: 4, Insightful

      OpenID also allows more easily data mining what someone says and does on different web sites, which is a dream come true, for all data miners.

      So once most people start to use OpenID, then all governments have to do, is pass a law, to either requiring them to know your OpenID, or for them to get your OpenID by any other means, and then that's all they need, to work out everything you have ever said online. OpenID is one step away from removing most anonymity on the Internet. This news fits in with the other Slashdot news today, about the Internet Human Rights PR smoke screen...
      http://it.slashdot.org/comments.pl?sid=1011555&cid=25554573

      Plus as people in power always seek power, then what they fear most, is the loss of power. So to them, finding out what people are saying is very important. (I.e. Knowledge is power). So one of the first things some of the ones in power will do, is use widespread usage of OpenID to allow them to find out every political view people post about them online.

      To big businesses and governments, OpenID isn't about convenience of easy logins. OpenID to them, is about data mining and so it makes sense Microsoft would want to play along with that goal.

      --
      There are 10 kinds of people in the world... those who understand binary and those who don't.
    14. Re:Color Me Confused by Directrix1 · · Score: 2, Informative

      It's a LiveJournal service that he wants to let his MSN using friends (the ones with the shiny new OpenIDs) use. I believe it will work, unless you are saying LiveJournal has this half-functionality also.

      --
      Occam's razor is the blind faith in the natural selection of least resistance and in universal oversimplification. -- EF
    15. Re:Color Me Confused by ChrisA90278 · · Score: 3, Insightful

      "At no point does the accepting site get your user name and password. You can verify this by looking at your address bar."

      I bet I could get thousands of user name/password combos by putting up a web page that simply asked users to enter their user name and password. They call this "phishing". It would work.

      Using any kind of login that is shared over multiple places is always not-secure. Best practice is to compartmentalize potential damage. So that if someone figures out my password for (say) this website they can't then get into my bank account and email. If common logins do become popular then "phishing" will become very popular.

    16. Re:Color Me Confused by Rene+S.+Hollan · · Score: 4, Informative
      Depends on what you use the logins for. I use common logins, or at least passwords, across several sites, particularly ones I don't care too much about, and different ones for sensitive sites like banks, etc.

      So, yes, the number of logins you have should be more than one, but does not have to be as large as the number of sites you visit.

      But, to explain how OpenID, LiveID, and all such systems work without the site requesting the authentication requiring the authenticating credentials, it's like this:

      1) You authenticate with the authentication site. You get back a magic number, or some similar credential.

      2) You present this credential to the site that requests your authentication.

      3) It contacts the authentication site with it, (perhaps authenticating itself too using means like a client cert), provides the credentials you supplied, and gets back all sorts of nifty metadata about you.

      Your credentials expire after some amount of time.

      LiveID works like this for all Microsoft and Microsoft-partnered sites. And the same for OpenID.

      The issue with having Microsoft accepting OpenIDs (besides the obvious econo-political one) is likely the nature of the metadata being different between what OpenID provides and what LiveID provides (unless OpenID supports the notion of arbitrary metadata per site requesting authentication, and so could support the LiveID metadata format).

      --
      In Liberty, Rene
    17. Re:Color Me Confused by holt · · Score: 4, Informative

      My understanding is that one should set up OpenID delegation, which allows you to have a static OpenID but still use third-party providers for the authentication portion. Anyone with a web presence can do this, and it's actually preferred to hosting your own OpenID server since it shows that someone else also vouches that you are who you say you are. Here is some further reading.

    18. Re:Color Me Confused by Blakey+Rat · · Score: 2, Insightful

      That's getting to a solution, but it's still far too difficult for the average person to do. And, if I'm understanding correctly, it actually makes your data held by THREE servers now:

      1) The server you're trying to log into
      2) The server hosting your "delegation" page
      3) The server providing the OpenID

      Someone correct me if I'm understanding this wrong.

    19. Re:Color Me Confused by MindKata · · Score: 2, Interesting

      "Can we get +1 and -1 Paranoid mods"

      It's clear from your comment, you have no real knowledge of power seeking. So while you're getting your +1 & -1 mod points, you should also ask for a +1 & -1 Boiled Frog mod. Because some people can see how power games are played, and some like you, have not been burned enough yet, so fail to see how the power games are played. Try reading some history, then you will see how throughout history, knowledge is used to gain and maintain power. While you're at it, you should also try to read up on the connections between PR and how big business and governments have used that to great effect, over the past nearly a century. Here's a clue, the original name for PR was Propaganda, but Public Relations sounds so much more friendly than Propaganda, so they call it PR, but it has the same goal, as it's the same thing, just with a different name.

      Many of the people who seek power are relentless power seekers. They are as obsessive about the need to gain power, as many programmers are obsessive about learning some new aspect of programming. While you may not know about the obsession for power, I would hope you can however relate to the intensity of obsession, to seek something they want.

      --
      There are 10 kinds of people in the world... those who understand binary and those who don't.
    20. Re:Color Me Confused by MatB · · Score: 3, Informative

      Livejournal was, IIRC, the first site to allow client side logging in using OpenID.

      Created by the same person (now working for Google), specifically because he hated the idea of non-authenticated blog comments but also hated logging in all over the place.

      A guy with a lot of great ideas. Shame he can't market a product for shit.

      --
      Mat Bowles
    21. Re:Color Me Confused by aztracker1 · · Score: 2, Insightful

      I have a simple solution for you... banking sites aren't likely to *ever* accept openid as a login method. However, for entering comments on a blog you've never been to before, and may never see again, or various other sites, it's a godsend. Not having to create a login, wait for an email, so you can validate your address, then go into the site again, just to put a comment of "thanks" on a blog entry that helped you to do something you were looking for is a nice thing.

      OpenID imho isn't an end-all be-all solution for anything that needs to be super-secure, or imho anything dealing with money. It is a great idea for sites you haven't been to, may not return to, and don't really care about, when you need short-term access.

      --
      Michael J. Ryan - tracker1.info
    22. Re:Color Me Confused by Raenex · · Score: 2, Insightful

      You can have more than one OpenID. Sites can still allow anonymous posting.

      Besides that, there's an even bigger id that most people are tied to and don't even think about -- their IP address. How much data flows through your ISP? Talk about single points of failure. People also tend to have one email address and don't use encryption.

      If you are concerned about government-thwarting privacy then you have to take active measures to gain it. OpenID is no more of a problem than any of the other things I have mentioned. On the other hand, if you don't care about people tracking your blog postings -- or maybe you want an identity -- OpenID is great.

  2. Tinfoil Hat by krgallagher · · Score: 3, Insightful
    "So, how long before I can use my OpenID to post on Slashdot?"

    So how long before governments require OpenID to eliminate internet anonymity?

    --

    Insert Generic Sig Here:

    1. Re:Tinfoil Hat by dnwq · · Score: 5, Interesting
      Note to the oblivious: OpenID doesn't eliminate anonymity. Far from it.

      Wikipedia:

      Since OpenID is decentralized, any website can use OpenID as a way for users to sign in; OpenID does not require a centralized authority to confirm a user's digital identity.

    2. Re:Tinfoil Hat by DragonWriter · · Score: 5, Informative

      In what ways does the OpenID system promote user anonymity?

      It promotes anonymity by allowing services to operate that require associating the initiator of one action with the initiator of a prior action, without requiring the "meatspace" identity of either. That is, it provides a reasonable means for a subscription-based service to verify "the person accessing this resource is the one that established this account" without ever identifying who the person is that established the account.

      Since many services rely on providing that kind of relation between the person establishing an account and a person requesting a resource, it promotes anonymity to provide a means that allows those services to fill that need while users remain anonymous.

  3. It's a trick. Get an axe by TheRealMindChild · · Score: 3, Funny

    Patches are always welcome wertigon ;)

    Yeah. You are welcome to write a patch. That doesn't mean Taco will even use it. Don't let his comment mislead you.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  4. OpenID Concept still has issues. by mpapet · · Score: 3, Interesting

    It might be okay for joe-shmoe consumer, but there are still common-sense issues standing in the way.

    First and foremost is the dead-simple notion, "You mean I'm going to trust a single source for EVERY password for every site I go to? No thanks! I've had my identity stolen already."

    If I was in charge of the Right Brigade, I would change the nexus from some server-in-the-sky to your PC storing/providing authentication. I know that's crazy-talk, being responsible for your own identity and everything. Just call me old-fashioned.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
    1. Re:OpenID Concept still has issues. by internerdj · · Score: 2, Insightful

      Yeah but I can't trust myself either. Who knows how many accounts I have. I don't. Ok so most follow the same general scheme but then you get the outliers who won't accept a normal scheme so you have to have a unique password for their site. There are several accounts I don't even bother to guess I just use the magic questions to log in. Wow you must either know my password or some semi-private information about me to get into say my mortgage accounts or my retirement accounts. I would welcome an entity that would let me have a single login but customer service to reset my password. But I also will have to be convinced it is technologically sound to do that without handing out my info right and left.

    2. Re:OpenID Concept still has issues. by Anonymous Coward · · Score: 2, Funny

      It might be okay for joe-shmoe consumer

      Joe is a plumber, stupid.

  5. Misleading summary. by blowdart · · Score: 4, Insightful

    You don't have to join the OpenID foundation to become an OpenID provider. Funnily enough Microsoft did join; but in February.

    But as I ranted on my blog, becoming a provider is useless these days; allowing authentication using OpenID would be far more impressive.

  6. Provider only? by Kurt+Granroth · · Score: 4, Informative

    As far as I can tell, Microsoft is only going to be an OpenID Provider and not a Relaying Party. That is, you can use your MS ID elsewhere but you can't use your existing ID on MS Live.

    This seems to be pretty typical of companies adopting OpenID. Lately, quite a few companies have trumpeted their OpenID support... yet in almost all cases, it has been as a Provider only. Yahoo is the notable exception of a large OpenID provider that is also a relaying party (consumer).

    So this has resulted in a world where everybody wants to provide an ID but nobody wants to accept them. The goal is that I could create an ID on my own website (as an OpenID provider) and use that ID to log into Google and Yahoo and MS Live and the rest without having to create a separate user on all of them. The reality is that since nearly all of them are only providers, I would still have to create a ton of separate users.

  7. Microsoft is not an OpenID Relying Party by IGnatius+T+Foobar · · Score: 4, Informative

    As many here have already mentioned, OpenID is only useful when there are lots of web sites that are willing to be an OpenID Relying Party. Microsoft is not. They only want to be a provider -- which is no surprise. Microsoft doesn't want to be open and useful and let you log in with an ID from some other place -- they want to be your identity provider, because they want to be the ones in control of your online identity.

    Nice to see that the "kinder, gentler" post-Gates Microsoft is just as ruthless and selfish as ever.

    Ask yourself this question: if you have a single sign-on for the web, who would you want managing it for you? For us geeks out there, the answer is simple: run your own identity server. No one controls it but you. For non-geeks ... please, anyone but Microsoft.

    --
    Tired of FB/Google censorship? Visit UNCENSORED!
    1. Re:Microsoft is not an OpenID Relying Party by fprintf · · Score: 2, Interesting

      I wonder if you can run the identity server on DD-WRT? That would be cool without requiring me to keep my computer running all the time!

      --
      This post brought to you by your friendly neighborhood MBA.
  8. The cynical me by Jeff+Hornby · · Score: 2, Insightful

    While the cynical me wonders how long it'll be before Microsoft transforms OpenID to something proprietary

    The cynical me wonders when the Open Source community will abandon the OpenID standard now that Microsoft has committed to it.

    --
    Why doesn't Slashdot ever get slashdotted?
    1. Re:The cynical me by Skapare · · Score: 2, Insightful

      The community embraces OpenID with the same zeal they would embrace OpenTeleMarketing.

      --
      now we need to go OSS in diesel cars
  9. Re:Someone Want to Tell Me by neoform · · Score: 3, Interesting

    This is something the user wants?

    I certainly have no interest in having people be able to associate my account on suicidegirls to my facebook account to my msn messenger account...

    (i don't really have a suicidegirls acc, i'm just using that as an example)

    --
    MABASPLOOM!
  10. Whoooops... by wertigon · · Score: 4, Funny

    Ok, remind me never to submit news stories while dead tired. You tend to miss quite a few things (like making sure the bloody headline is completely wrong; what I meant to say was "Microsoft joins the OpenID *Fray*").

    Nice getting pwned by Slashdot. I love you too guys!

    --
    systemd is not an init system. It's a GNU replacement.
  11. Tinfoil hat?? by Riot.ATL · · Score: 2, Interesting

    Does anybody else not like the idea of using one ID to log in to several web sites?

  12. Re:Someone Want to Tell Me by Anonymous Coward · · Score: 2, Interesting

    You can create as many accounts as you want and use them as you choose. You can have one account to be a "technical smartass", one account to associate with people from work, and one account for posting on perv forums, whatever. You're still the decider of what pseudonyms do what.

    Putting on my futurist hat, I see this as the first step in establishing a decentralized "karma" or reputation system.

  13. Re:It's for your security by Ash-Fox · · Score: 2, Funny

    Given that the government has been pumping the idea for a while that somehow terrorists are "recruiting" online in places like Second Life, not long at all.

    I for one, can't wait for the day that national monuments are knocked over by giant flying penises.

    --
    Change is certain; progress is not obligatory.
  14. Re:openid needs to fix shit altogether by Requiem18th · · Score: 2, Interesting

    Ah but can't you see, the reason they are abusing OpenID is because the freedom OpenID provides. Free communities can always be raided by greedy entities, and the only thing stopping them is public backlash, think prisoner game. You have to convince everybody to NOT accept OpenIDs from specific sites, an OpenID blacklist if you will, I'm all for it actually.

    --
    But... the future refused to change.
  15. Good multi-user personal provider? by Just+Some+Guy · · Score: 2

    I've been using SimpleID for a personal OpenID provider, but it seems to have problems with a lot of popular OpenID consumers like Plaxo and even Sourceforge itself (or more properly, they have problems with it, like ".failed to check_authentication(): failed to verify response"). I'd like the idea of a multi-user provider so that my wife can use it too. Any suggestions?

    --
    Dewey, what part of this looks like authorities should be involved?
  16. OpenID and phishing by jesterzog · · Score: 3, Interesting

    This won't solve the problem but the OpenID Community Wiki has a page documenting different ways in which phishing might occur, as well as a collection of recommendations.

    Probably in the long term, assuming OpenID becomes popular, it might come down to browser makers to specifically recognise OpenID, and do things like let the user specify who their OpenID provider is so that it can make it really obvious when the user's logging into the correct place. eg. If the browser doesn't start flashing its borders bright pink when the user visits their claimid.com login page, the user might suspect that they're giving their credentials to the wrong website.