Slashdot Mirror


User: jonel

jonel's activity in the archive.

Stories: 0
Comments: 3

Comments · 3

  1. Re:Whats wrong with .name? on Digital Identities Now Available · · Score: 1

    Yes, but in order to be able to use it as an online ID for authentication at third party sites (instead of having dozens of different IDs for each -- which is what OpenID is trying to address), whatever is behind that URL will need to speak some kind of protocol, so that authentication requests coming in will be directed to an Identity Provider and processed accordingly. In other words, the stuff that i-names do for you for the extra $10.

    Otherwise, the .name/URL ID is useful just for printing on business cards and displaying static information on a webpage, and not as a global online ID.

  2. Re:The Identity Problems on Digital Identities Now Available · · Score: 1

    We'd like the answer to that question to be 'nothing', i.e. the IdP to automagically detect it's not really you at the other end of the line.

    But since the IdP cannot look you in the eye or touch you, it comes down to the authentication mechanism between the two of you, and the good thing is that the choice is yours. OpenID doesn't solve this problem, but it does help it a bit.

    You can choose an IdP that provides authentication mechanisms that satisfy you, and these mechanisms can evolve; see for example what idanalytics.com are doing - trying to detect fraud based on behavior trends.

    Or you could choose to run your IdP on your laptop for example, which in turn requires your physical presence (through biometric devices). Or you could employ a form of two-factor authentication, or have the IdP confirm every transaction through a separate channel (e.g. SMS/phone call, etc.).

    But true, all of these can fail in one way or another.

    P.S. I read many of the comments as "what possible good is yet another identifier namespace" and not so much your question.

  3. The Identity Problems on Digital Identities Now Available · · Score: 1

    The majority of the comments so far only show how poorly the online identity problems are perceived even by the geeks around here, even though almost all of us have them. So the problem that OpenID and similar identity protocols are trying to solve is:

    "Wouldn't it be nice if, instead of keeping a long list of usernames/passwords for all the sites you have registered at, there could be only one that can be used anywhere, and keeping everything secure of course?"

    A typical use case would be:
    - you get up in the morning, start your browser, authenticate at your Identity Provider (which YOU have chosen or you can even host it yourself), and you are password-free for as long as you keep the browser open (or as configured between you and your IdP)
    - you go to a site which requires you to login, and supports OpenID
    - put in your ID (no password), and click login
    - the site resolves the ID and contacts the IdP to obtain an assertion about the user's identity
    - (the cool part) the IdP prompts you (the user) about the information that's requested so you can approve the transaction
    - (optionally you can streamline the step above for trusted sites)
    - you're logged in!

    And all except the first step happened in a couple of seconds, with a click. The only thing you have to remember is your ID and password at your IdP, not a whole bunch of them!

    Trying to answer some of the questions I've seen:
    - Can something like this be done with emails as identifiers? Don't think so.
    - Is this secure? Yes, but don't take my word for it. Go check the protocol specs. This is what's called user-centric: the IdP needs the user's approval for all authentication requests, and the data disclosed along with them.
    - Are the $20 XRIs mandatory? No, you can use URLs as identifiers, though there are / may be costs associated with them as well (registration, setup and hosting, depending how much you want to "own" them). The XRIs are the full service package.
    - Are you stuck with an ID for life (someone said he liked being able to regularly change IDs)? No - you can get as many as you want, but if you do want to stick to one - you can, and you will still be able to switch Identity Providers (this is done through the delegation feature).

    So please check a bit into the details of it before bashing it, or watch this presentation which explains it pretty well (though it's not OpenID, but something similar):
    http://www.identity20.com/media/OSCON2005/

    Disclaimer: I do work in this field.