
MySpace Joins OpenID Coalition

Posted by timothy
from the inflection-point-perhaps dept.
the4thdimension writes "MySpace has joined a coalition of other big-name e-services in support of OpenID. If you aren't familiar with the OpenID coalition, they are a group that seeks to allow users to create a single account/password set to be used on a number of services. Such services already signed up include: Google's Blogger, Wordpress, AOL, Yahoo, Vox, LiveJournal, and others." Reader gbjbaanb adds a link to the BBC's coverage and points out that MySpace's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use, writing: "Initially support is to use MySpace OpenIDs as providers only — i.e. you cannot logon to MySpace with an OpenID created elsewhere, but that policy will change in the future. This should help to make OpenID the de-facto login mechanism for the Internet, now if only Microsoft would support it, there are plenty of OSS OpenID libraries available."

  • by kgwilliam (998911) on Wednesday July 23, 2008 @10:39AM (#24304253)
    "Initially support is to use MySpace OpenIDs as providers only -- i.e. you cannot logon to MySpace with an OpenID created elsewhere" Ummm.... Doesn't that sort of defeat the purpose of a single username/password system? You have to create an OpenID for MySpace, and then you have to create a different OpenID for site XYZ. How many other sites are going to require that you create a new OpenID for their site?
    • by CastrTroy (595695) on Wednesday July 23, 2008 @10:48AM (#24304421) Homepage
      What I don't get about OpenID is that it seems to give my OpenID provider access to every site I log onto. As much trouble as it is having to manage hundreds of logins, I don't think the proper solution is to proxy all my logins to some third party.
      • by maxume (22995) on Wednesday July 23, 2008 @10:54AM (#24304507)

        You are free to be your own OpenID provider (there is no guarantee that all consumers will accept your ID, but you could probably proxy an acceptable provider to your own endpoint).

        For the vast majority of people, their email provider already has access to many of their logins, so it isn't necessarily a new issue.

      • by Chyeld (713439) <chyeld@gmai l . c om> on Wednesday July 23, 2008 @11:14AM (#24304871)

        It doesn't. And you aren't.

        Implemented properly, OpenID works thusly:

        You tell a site that you are "JimBob" of "random URL". The site goes to the random URL, which has listed (somewhere, there is more than one way to provide the information) a server that is authorized to authenticate that you are truly "JimBob" of "random URL".

        The site then goes to the authentication server, passes control to it for you to authenticate, and waits to be told who you are. The authentication server does its jig and passes back the results.

        The idea is, if you decide to change authentication servers, or even roll your own, you have control over "random URL" and thus can change what server is being listed as the 'official' authenticator for "JimBob" of "random URL".

        This provides you ultimate control, and you aren't passing anything to anyone that you haven't chosen to trust.

        The problem, at least for me, is that almost all of these big name companies are providers (i.e. authenticators) and not consumers. On top of it, I haven't had any luck getting these providers set up as authenticators for anything other than their own domains. I.E. I can be JimBob at Yahoo.com, and JimBob at Blogger.com, and JimBob at Facebook.com, but I can't set any of them up to authenticate me as "JimBob" of "random URL". Which completely destroys any utility of their membership in this group.
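The discovery step described in the post above, worked through as an added example (this is not code from the post or from any OpenID library): a relying party fetches the page at the claimed URL and reads the `<link>` tags that name the provider and the provider-local identifier. The page contents, the hostnames `jimbob.example` and `op.example.net`, and the function and type names are constructed for this example; the `openid2.provider`, `openid2.local_id`, `openid.server` and `openid.delegate` link relations are the ones the OpenID 2.0 and 1.1 specifications define.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Discovery is what a relying party (RP) learns by fetching the page at the
// user's claimed identifier URL ("random URL" in the post above).
type Discovery struct {
	Endpoint string // provider endpoint the RP will redirect the user to
	LocalID  string // identifier the provider knows the user by (defaults to the claimed URL)
	Version  int    // 2 for openid2.* link tags, 1 for openid.server / openid.delegate
}

// Constructed sample page served at the hypothetical https://jimbob.example/ :
// the user delegates authentication to a provider they chose. Editing these
// two tags is how they switch providers without changing their identifier.
const SamplePage = `<html><head>
<title>JimBob</title>
<link rel="openid2.provider" href="https://op.example.net/server">
<link rel="openid2.local_id" href="https://op.example.net/users/jimbob">
</head><body>Hi, I'm JimBob.</body></html>`

// Constructed page using only the OpenID 1.1 link relations.
const SampleV1Page = `<html><head>
<link rel="openid.server" href="https://old-op.example.net/server">
<link rel="openid.delegate" href="https://old-op.example.net/jimbob">
</head></html>`

var (
	linkTagRe = regexp.MustCompile(`(?is)<link\b[^>]*>`)
	attrRe    = regexp.MustCompile(`(?is)\b(rel|href)\s*=\s*"([^"]*)"`)
)

// linkRels maps each rel value to the href of the first <link> carrying it
// (OpenID 2.0 HTML discovery says to use the first matching element).
func linkRels(page string) map[string]string {
	rels := map[string]string{}
	for _, tag := range linkTagRe.FindAllString(page, -1) {
		var rel, href string
		for _, m := range attrRe.FindAllStringSubmatch(tag, -1) {
			if strings.EqualFold(m[1], "rel") {
				rel = strings.ToLower(m[2])
			} else {
				href = m[2]
			}
		}
		for _, r := range strings.Fields(rel) {
			if _, seen := rels[r]; !seen && href != "" {
				rels[r] = href
			}
		}
	}
	return rels
}

// validEndpoint accepts only an absolute http(s) URL: the fetched page is
// under the identifier owner's control, so the RP must not redirect users to
// arbitrary schemes it finds there.
func validEndpoint(ep string) bool {
	u, err := url.Parse(ep)
	return err == nil && (u.Scheme == "http" || u.Scheme == "https") && u.Host != ""
}

// DiscoverFromHTML runs HTML-based discovery on an already fetched page.
// A production RP would use a real HTML parser and also try Yadis/XRDS;
// the regexp keeps this example self-contained.
func DiscoverFromHTML(claimedID, page string) (Discovery, error) {
	rels := linkRels(page)
	candidates := []struct {
		provider, local string
		version         int
	}{
		{"openid2.provider", "openid2.local_id", 2},
		{"openid.server", "openid.delegate", 1},
	}
	for _, c := range candidates {
		ep, ok := rels[c.provider]
		if !ok {
			continue
		}
		if !validEndpoint(ep) {
			return Discovery{}, fmt.Errorf("rejecting provider endpoint %q", ep)
		}
		d := Discovery{Endpoint: ep, LocalID: claimedID, Version: c.version}
		if lid, ok := rels[c.local]; ok {
			d.LocalID = lid
		}
		return d, nil
	}
	return Discovery{}, fmt.Errorf("no OpenID provider link found at %s", claimedID)
}

func main() {
	for _, page := range []string{SamplePage, SampleV1Page} {
		d, err := DiscoverFromHTML("https://jimbob.example/", page)
		fmt.Printf("%+v err=%v\n", d, err)
	}
}
```

Changing the two `href` values on the page is the "roll your own / switch providers" control the post describes; the RP never needs to know in advance who the provider is. Because the fetched page is whatever the identifier's owner serves, a real RP also limits redirects and response size before parsing it.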

      • by spottedkangaroo (451692) * on Wednesday July 23, 2008 @11:15AM (#24304877) Homepage

        authentication vs authorization...

        Normally you'd only use openid for authentication (who are you) and there would be an additional password mechanism for authorization (do I have the right to be here).

        Both could be combined with other methods, or you could create your own openid provider ...

        You can also delegate your website to a provider of choice, and if they start sucking you can change to another provider without changing your credentials at the sites you frequent.

      • by Cajun Hell (725246) on Wednesday July 23, 2008 @12:08PM (#24305851) Homepage Journal
        So don't use a third party.
    • by Wolfger (96957) <{moc.liamg} {ta} {regflow}> on Wednesday July 23, 2008 @10:53AM (#24304491) Homepage
      Absolutely. This is why OpenID is going nowhere fast. Everybody wants to be a provider, but virtually nobody wants to accept OpenID credentials from other sites. LJ does, and to my surprise Identi.ca has since day one, but most "OpenID sites" are providers only. It's sad, and makes baby Stallman cry.
    • by ohtani (154270) on Wednesday July 23, 2008 @11:16AM (#24304905) Homepage

      You completely misunderstood the article and the concept of OpenID.

      The first thing you missed was the first word of the sentence: Initially. Right now they're getting off the ground. Development and testing takes time. It is much much easier to be an OpenID provider than it is to be an OpenID consumer. Which brings me to the other point: The brief idea of how OpenID works.

      OpenID works in a way similar to a friend of yours trusting some of your friends. One site which you already have login authentication for (e.g., MySpace) allows you to login to other sites which support OpenID as a method of authentication. So if I had a user account on MySpace named ohtani, I would login to another site as www.myspace.com/ohtani. I am then redirected to the MySpace website to login if I am not already logged in, and asked to accept that MySpace can pass on the credentials to the site I'm logging in to. That link is then established and the OpenID supporting site marks me as authenticated as the MySpace user.

      This is where it gets tricky for places like MySpace: Say I used Yahoo! as an OpenID provider. Or even my own website (which currently does indeed allow me to login with OpenID elsewhere). MySpace can't exactly have a user like me login to their service as my website and edit my profile. They have to have some form of a mechanism of creating the user at that point if that OpenID name has never been seen. But the user name used (the OpenID URI) is, well, odd for MySpace. So they'd probably ask one to choose a MySpace user name that would map to it. From there, MySpace would allow one to login to that account any time that OpenID is used for authentication. At least that's PROBABLY what will happen. Not all sites work like this. For example, LiveJournal (created by the very people who helped make OpenID) lets one login with an OpenID, but an account with that OpenID is then created with limited functionality. Friends and comments are allowed, but no posting to your own journal.

      OpenID support doesn't require you to "create" an OpenID to use it. Your existing user ID on an OpenID provider IS your OpenID. Any site that becomes an OpenID provider is simply allowing you to use an OpenID name they specify to you (often in the form of username.domain.tld or domain.tld/username) to log in elsewhere. You do nothing but just use it elsewhere. There are popular sites supporting OpenID. There's also plug-ins for blogging software to support being an OpenID provider or consumer.

      On a different note, with OpenID becoming more and more popular, this will mean that we DO have to be careful and come up with a mechanism for anti-spam via OpenID, especially in cases where the system is more automated like LiveJournal's. Or else a spammer could simply have one domain and with that domain an infinite number of users able to login by simply changing the OpenID slightly (e.g.: a.example.com, b.example.com, c.example.com, aa.example.com, etc)
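One defensive answer to the subdomain-spam point raised above, as an added example that is not part of the post or of any existing OpenID consumer: normalize the identifier the way a relying party must before using it as an account key, then cap how many new accounts a single registrable domain may create, with known large providers exempted. The two-label domain rule, the limit of three, the `SignupGate` type and the `myspace.com` allowlist entry are constructed assumptions for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// NormalizeOpenID applies the identifier normalization an RP must do before
// using an OpenID as an account key, so that "Example.COM/ohtani",
// "http://example.com/ohtani#x" and "http://example.com:80/ohtani" collapse
// to one string instead of three "different" users.
func NormalizeOpenID(raw string) (string, error) {
	id := strings.TrimSpace(raw)
	if id == "" {
		return "", fmt.Errorf("empty identifier")
	}
	if !strings.Contains(id, "://") {
		id = "http://" + id // OpenID 2.0: a bare name defaults to http
	}
	u, err := url.Parse(id)
	if err != nil {
		return "", err
	}
	u.Scheme = strings.ToLower(u.Scheme)
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return "", fmt.Errorf("missing host")
	}
	// keep an explicit port only when it is not the scheme default
	if p := u.Port(); p != "" && !(u.Scheme == "http" && p == "80") && !(u.Scheme == "https" && p == "443") {
		host += ":" + p
	}
	u.Host = host
	u.Fragment = "" // fragments never identify a different user
	if u.Path == "" {
		u.Path = "/"
	}
	return u.String(), nil
}

// RegistrableDomain is a deliberately simplified stand-in for a public-suffix
// lookup: it keeps the last two labels, so a.example.com, b.example.com and
// aa.example.com all map to example.com. Real code would consult the Public
// Suffix List so that, e.g., something.co.uk is not collapsed to co.uk.
func RegistrableDomain(host string) string {
	if i := strings.LastIndex(host, ":"); i >= 0 {
		host = host[:i]
	}
	labels := strings.Split(host, ".")
	if len(labels) <= 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// SignupGate caps how many new accounts one registrable domain may create.
// Known large providers are exempted, since one domain legitimately backs
// millions of identifiers there; in practice this is a rate limit per time
// window rather than the lifetime cap used here for brevity.
type SignupGate struct {
	Limit   int
	Trusted map[string]bool
	counts  map[string]int
	seen    map[string]bool
}

func NewSignupGate(limit int, trusted ...string) *SignupGate {
	g := &SignupGate{Limit: limit, Trusted: map[string]bool{}, counts: map[string]int{}, seen: map[string]bool{}}
	for _, d := range trusted {
		g.Trusted[d] = true
	}
	return g
}

// Admit returns the normalized identifier and whether login may proceed.
// Returning users are always admitted; only account creation is gated.
func (g *SignupGate) Admit(raw string) (string, bool, error) {
	id, err := NormalizeOpenID(raw)
	if err != nil {
		return "", false, err
	}
	if g.seen[id] {
		return id, true, nil
	}
	u, _ := url.Parse(id) // already validated by NormalizeOpenID
	dom := RegistrableDomain(u.Host)
	if !g.Trusted[dom] && g.counts[dom] >= g.Limit {
		return id, false, nil
	}
	g.counts[dom]++
	g.seen[id] = true
	return id, true, nil
}

func main() {
	g := NewSignupGate(3, "myspace.com")
	for _, raw := range []string{"a.example.com", "b.example.com", "c.example.com", "aa.example.com", "http://A.example.com/", "www.myspace.com/ohtani"} {
		norm, ok, err := g.Admit(raw)
		fmt.Println(norm, ok, err)
	}
}
```

The normalization is the part that matters even without the gate: an RP that keys accounts on the raw string a user typed can be tricked into creating a second account for an existing identity just by changing letter case or appending a fragment.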

    • by elucido (870205) on Wednesday July 23, 2008 @03:52PM (#24309833)

      People always complain about internet hackers and cyberstalking, and cyberbullying, but Myspace was invented to assist the stalkers, bullies and hackers.

      OpenID makes life even easier for hackers by centralizing the sensitive information even further. Now when you want to find your blackmail material, you can just search one ID and find all of it.

  • by techiemikey (1126169) on Wednesday July 23, 2008 @10:40AM (#24304255)
    "now if only Microsoft would support it"
    I think it would be more likely that they would decide IE should actually follow internet standards before they hopped onto this.
    • by Renderer of Evil (604742) on Wednesday July 23, 2008 @11:12AM (#24304825) Homepage
      hey, at least Slashdot supports OpenID oh wait...
  • Blah Blah Blah... (Score:5, Insightful)

    by anom (809433) on Wednesday July 23, 2008 @10:40AM (#24304263)
    Until you actually let someone authenticate to your site using OpenID, you're not really helping anything. You're just spreading BS about how open you are when you're really just supporting further centralization around yourself. Until the big names start acting as Relying Parties, I don't wanna hear about it.
    • by Danathar (267989) on Wednesday July 23, 2008 @03:31PM (#24309555) Journal

      Yup..I agree. I looked into OpenID about a month back to see how it had progressed.

      Question 1 was...which openId provider do I choose that I already had an account on.

      Then after that was settled, I quickly realized that there were NO SITES THAT I USED THAT WOULD ACCEPT OPENID AUTHENTICATION!

      Yea sure, they have a list of dinky sites that niche groups use, but for the most part (like 99.9%) it's worthless.

  • by LighterShadeOfBlack (1011407) on Wednesday July 23, 2008 @10:42AM (#24304297) Homepage

    Reader gbjbaanb adds a link to the BBC's coverage and points out that Facebook's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use

    No, I'm pretty sure he wrote in pointing that MySpace's 100 million users would nearly double the number of OpenID accounts.

    Jesus fucking Christ, is proof-reading really that hard?

  • Problem (Score:5, Interesting)

    by Rinisari (521266) on Wednesday July 23, 2008 @10:44AM (#24304329) Homepage Journal

    A problem inherent in a decentralized single signon system is that there are more and more providers popping up, and not all of them are trustworthy or taking the necessary security precautions to lockdown their sites. Caveat emptor, I guess, though. I run my own, and so I'm responsible for my own security.

    • Re:Problem (Score:3, Interesting)

      by Ngarrang (1023425) on Wednesday July 23, 2008 @10:48AM (#24304413) Journal

      OpenID sounds good on paper, but in this day and age of identity theft, it does seem like a security boondoggle waiting to happen. Not only will a script kiddie have gained access to your Facebook account, but then your AIM and everywhere else at the same time you've signed up for.

      • by 0xygen (595606) on Wednesday July 23, 2008 @11:16AM (#24304913)

        I was thinking it would be nice to have a two-factor OpenID authentication provider, which might alleviate this, but only to a limited extent.
        I gather Verisign already do this if you use them as your provider(!) with a SecurID-ish token.

        I am my own OpenID provider, which scarily means that if my web hosting gets hacked, irrespective of what authentication I use, the hacker can impersonate me. So as you say, it does make a very tempting target with a single point of failure.

        • Re:Problem (Score:3, Interesting)

          by gilgongo (57446) on Wednesday July 23, 2008 @05:44PM (#24311443) Homepage Journal

          MyOpenID.com has two factor, and has had it for a while now.

          But all this "single point of failure" stuff is crap, isn't it? Most people (probably not /. readers) have the same damn password for everything. If one of their accounts is cracked - how is that safer than OpenID? In fact, OpenID would probably be a lot safer if it was two factor in that scenario.

          In short, OpenID is about the real world, which makes a refreshing change from the years and years of stupid "security" systems that end up forcing people to put passwords on sticky notes on their monitors.

    • Re:Problem (Score:4, Insightful)

      by TheRedSeven (1234758) on Wednesday July 23, 2008 @10:48AM (#24304419) Homepage
      An obvious concern related to the parent--as more and more transactions happen over the internet, do I want a single password for all of them?

      Personally, I keep a different password and login for every place I sign in that either (1) contains personal information about me, or (2) on which I transact financial business (like a bank account).

      For social sites and blogs, I guess, this wouldn't be a big deal to me. But as soon as PayPal or EBay sign up, I start to get real unsure of this as a concept.
      • Re:Problem (Score:5, Informative)

        by Anonymous Coward on Wednesday July 23, 2008 @11:05AM (#24304683)
        So pick an OpenID provider that uses something more secure than a single password. There are providers that use hardware tokens, OTP's, etc.
        • Re:Problem (Score:4, Insightful)

          by Jellybob (597204) on Wednesday July 23, 2008 @11:17AM (#24304933) Journal

          I know MyOpenID support using client side SSL certificates for authentication, although in that situation your login really is only as secure as your workstation.

        • by Chyeld (713439) <chyeld@gmai l . c om> on Wednesday July 23, 2008 @12:06PM (#24305825)

          And in addition, don't do business with companies that have access to your 'valuable' information that don't get the difference between authentication and authorization.

          OpenID is great for saying "I'm JimBob of JimBoblandia" and in reality, that's all most logins are used for.

          But for places that are actually using it for access control, then you should be including a separate layer to authorize the user in addition to authenticating them. If your bank lets you just walk into the nearest branch and close your accounts by showing just a single form of ID, you should switch banks immediately. The same goes for the online world.

  • by unity100 (970058) on Wednesday July 23, 2008 @10:44AM (#24304337) Homepage Journal
    Losing just one password, or OpenID databases getting hacked, will mean loss of all services related to it, even if they have other login systems.
    • Re:Insecure (Score:2, Interesting)

      by Scotteh (885130) on Wednesday July 23, 2008 @10:50AM (#24304447)
      If an ID could be created to authenticate on all these sites, then losing the security of that ID could be fixed easily by canceling it and creating a new one. It's the same thing with credit cards. You could have multiple copies of the same card and if you lose one, you call in and get them all canceled.
      • by unity100 (970058) on Wednesday July 23, 2008 @11:26AM (#24305099) Homepage Journal
        Losing does not mean 'losing instantly and immediately canceling'.

        By the time you cancel (and if you can, actually manage to cancel), your details in all those sites would have gone out into the wild already. It's not a credit card. A credit card and its debts are still under the bank's control regardless of whether it's lost or not. Your personal details are not as such.
    • Re:Insecure (Score:3, Interesting)

      by thrillseeker (518224) on Wednesday July 23, 2008 @11:08AM (#24304753)
      That's why you use a very secure password with an openid provider with a good reputation - which would probably not be Myspace or the like, but a dedicated openid provider that has been around a while. Some providers allow the use of a signed certificate to facilitate the login - that is you can choose a.really.long.and.damn.near.unguessable.password.that.is.so.long.that.it.is.a.pain.to.type.but.which.you.can.remember.except.when.youre.drunk, and then you use a certificate established between your trusted machine at home and the openid provider, which bypasses the password handshake by exchanging the certificate data automatically.
  • Damned MS... (Score:2, Insightful)

    by db32 (862117) on Wednesday July 23, 2008 @10:46AM (#24304389) Journal
    I really wanted my Hotmail account to be compromised when my Google/Myspace/Facebook/Amazon/Ebay/Paypal accounts are all compromised by the single sign on. Now they will have to get my OpenID AND my Passport logons.

    Seriously... with the internet being such a dangerous place for the average user, how in the freaking hell is a single sign on going to make it better? I mean really now, this seems monumentally stupid. And worse the summary tries to blast MS for not supporting it. For all the many things to bitch about MS..."They won't sign on and support one of the dumbest security ideas on the internet" seems pretty counter to the normal complaints that they do stupid things when it comes to security.

    With any luck some banks and credit cards will adopt this. So now you can have everything stolen from you with a single username/password combination that was probably lifted from you through a fake website or one of the dozens of account stealing malware bits that you installed to get "OMG Ponies Wallpaper & Pointers!". For bonus points, being able to pull a drive by install of malware to steal this account from a MySpace banner and then using that to steal all of their money, email addresses, and social webpages would be great. Bonus points if you manage to auction off all of their personal possessions through their ebay account and then keep the money through their paypal account.
    • Re:Damned MS... (Score:3, Interesting)

      by gbjbaanb (229885) on Wednesday July 23, 2008 @11:16AM (#24304901)

      And worse the summary tries to blast MS for not supporting it. For all the many things to bitch about MS..."They won't sign on and support one of the dumbest security ideas on the internet" seems pretty counter to the normal complaints that they do stupid things when it comes to security.

      You mean like Passport (or Windows Live ID) is a good idea?

      At least OpenID is a standard, not an implementation so you are free to authenticate anyway you like, and run your own OpenID provider if you prefer.

    • by spinkham (56603) on Wednesday July 23, 2008 @02:15PM (#24308293)

      SSO centralizes the risk, then you can decide how much to invest in that risk.
      This is how the US military CAC system works, with smartcards issued to all personnel and SSO for many services. Not all services are SSO enabled mind you, but their security needs are higher than most.
      For OpenID, I use Verisign's PIP service with Firefox plugin to combat spoofing and hardware token for 2 factor auth, and I'm quite comfortable with the security. Unfortunately there's not too many places to use it, as everyone wants to be a provider but not a consumer of OpenID, but that's a separate issue.

    • Re:Damned MS... (Score:3, Insightful)

      by gilgongo (57446) on Wednesday July 23, 2008 @06:06PM (#24311747) Homepage Journal

      "How in the freaking hell is a single sign on going to make it better?"

      OpenID recognises two things:

      1. The fact that the vast majority of people use (or try to use) the same password for every system they have. For the systems they can't use their preferred password for, they write the password on a sticky note, and put it on their monitor.

      2. The fact that most people have a handful of important accounts (banking, mainly), and then a long tail of fairly trivial stuff. Somebody might cause you a lot of embarrassment if they got control of your Facebook account, but it's pretty easy to recover. Cases of insidious and subtle compromises leading to significant damage are in fact very rare.

      In my view, OpenID is the intelligent solution to the long tail of personal security issues we see today. It is not a solution for high-security, but then high security is needed in only a small fraction of web use. What's stupid is perpetuating a multiplicity of accounts using the same password.

      Incidentally, MS won't support OpenID because they have Passport. It's a corporate pride thing and has nothing to do with the quality, or otherwise, of OpenID.

  • by MrCawfee (13910) <mrcawfee@ya[ ].com ['hoo' in gap]> on Wednesday July 23, 2008 @10:47AM (#24304395) Homepage

    I guess Microsoft's failure with Passport isn't going to deter MySpace from building a system that no one is going to use either.

  • by SpecialAgentXXX (623692) on Wednesday July 23, 2008 @10:50AM (#24304451)
    Is having 1 global ID really wise? It sounds like a single point of failure to me. And do you really want the same ID across all sites? i.e. Do you want to be able to be tracked across multiple sites, especially those that cater to different audiences? And with social engineering, if you divulge your personal info to a phisher for one site, he would then be able to use it for all other sites.

    Call me a bit concerned, but I have unique IDs & passwords across all sites (social networking, blogs, financial, political, etc.) There is free user ID/password management software so you don't have to memorize every ID and password.
    • by Lincolnshire Poacher (1205798) on Wednesday July 23, 2008 @11:17AM (#24304931)

      > Is having 1 global ID really wise?

      Around five years ago there was a lot of buzz about federated Web identification. Passport, OpenID and Liberty Alliance date from that era.

      I think this was leakage out of the corporate world, where single-sign-on makes sense for employees or vendors operating on a private network.

      For a Web world, compartmentalisation of sign-on is vital. Not only does it protect against compromise, but it also provides ultimate control over authentication. If one no longer wishes to have dealings with a site, it is easy to randomise the password and delete the corresponding e-mail alias.

      Web users today are much more phishing-savvy and rely on password safe applications to manage their accounts. This seems like a last gasp from OpenID to convince someone, anyone, of the relevance of SSO.

      • For a Web world, compartmentalisation of sign-on is vital.

        Only up to a point.

        I have 128 logins that I keep. I know that because I don't remember any of them; I have a file full of them. When I use Yet Another Website, I'm really tired of making Yet Another Login.

        If one no longer wishes to have dealings with a site, it is easy to randomise the password and delete the corresponding e-mail alias.

        If you think that using openId from Site A to log into site B gives site B ways to continue having dealings with you against your wishes, then can you outline how that can happen? How many internet users have "e-mail aliases" to throw away?

        This seems like a last gasp from OpenID to convince someone, anyone, of the relevance of SSO.

        I've seen a fair amount of OpenId around recently. You can use it on Blogger and LiveJournal. If it's a "last gasp" for a declining technology, how do you back that statement up?

          > I've seen a fair amount of OpenId around recently. You can use it on Blogger and LiveJournal. If it's a "last gasp" for a declining technology, how do you back that statement up?

          I looked-over the list on openiddirectory.com; 634 participating sites. That's greater than zero, admittedly. Just about.

          The story of SSO in e-commerce is brief and inglorious. ebay dropped Passport support in January 2005; Amazon never got onboard; Google established its own intra-domain federation; Yahoo announced OpenID support, then fell silent. Those are the sites that people use.

          SSO has flopped on the web, thankfully.

  • by ukyoCE (106879) on Wednesday July 23, 2008 @10:54AM (#24304509) Journal

    The obvious concern here is that if your openid user+pass gets stolen, you just lost everything.

    Most people seem to use the same user+pass everywhere anyway, and if you had one password compromised on a keylogger or public terminal you probably had them ALL compromised.

    So maybe it's still an improvement, but it should be considered as a very serious concern.

    • by Cajun Hell (725246) on Wednesday July 23, 2008 @12:31PM (#24306319) Homepage Journal

      The obvious concern here is that if your openid user+pass gets stolen, you just lost everything.

      But at least OpenID puts the matter into your hands (if you so desire). If you recycle usernames and passwords (as many people do) then a compromise of any site (and these sites are beyond your control; a third party merely needs to make a mistake, and that happens all the time) and your credentials are compromised and can be used to take your identity on other sites.

      With OpenID, if you run your own provider, then a third party cannot compromise you. MySpace could open their whole database up to the public, and the risk to you is nothing.

      This is empowering. OpenID doesn't add or remove a risk, so much as it shifts risk. And one of the directions you can shift it (which isn't an option under the non-OpenID system) is to you. Slashdotters (i.e. people supposedly more competent than average at keeping their systems secure) should be ecstatic about this.

  • by FunkyELF (609131) on Wednesday July 23, 2008 @11:07AM (#24304715)
    Great...have one ID for everything, then they'll just have to steal it once.
    Although, most idiots today use the same username and password for everything anyway.
  • Username Squatters? (Score:2, Interesting)

    by HockeyPuck (141947) on Wednesday July 23, 2008 @11:11AM (#24304803)

    I can see this now, people rushing to register OpenID unique usernames. Currently, with these 100 million accounts, the same username could be used by 4 different people across 4 different sites. Now we'll have people squatting to reserve usernames which are unique across all four sites.

    We'll end up with the same problem we have now with domain names: grandma will have to register with grandma_alkjs because grandma_mimi will cost her $100 to get from a squatter.

  • by getuid() (1305889) on Wednesday July 23, 2008 @11:13AM (#24304855) Homepage

    ...even if your data doesn't get stolen, doesn't get lost, and doesn't get compromised in any other way, this is a BadIdea(tm) from a privacy point of view.

    Why? Because if you care about your privacy on-line, one single clue about who you are will give away who you are *everywhere* [on the websites using OpenID authentication]. Have your real name on Facebook? Everyone on the net will be able to find *your* MySpace, AOL, Yahoo, BlogThis and IMThat... account.

    Even if you don't have your real name anywhere: you're still leaving a waaaay longer trail on the 'net than you're doing with a purpose-limited account. Anyone with a clue (and a sane cookie system, like Google) will sooner or later relate pretty much everything you do on the 'net to exactly *your* person. If you're really careful, then you *might* be able to keep those two words making up your name out of the game. But that's about the *only* thing that's not going to be known about your person...

    Either that, or you'll keep creating 2, 3, or even more OpenID accounts -- one for each level of "privacy" you wish to enjoy. But then again, the need of having several OpenID accounts kinda kills the point of centralizing account management...

    Privacy is not a matter of the information itself, it's a matter of how information is linked together (and/or to your person :-)

  • by floateyedumpi (187299) on Wednesday July 23, 2008 @11:17AM (#24304923)

    All the concern about too many eggs in one basket is certainly valid. However, one major advantage of a centralized login system is being missed here: the ability to change all of one's passwords easily on a somewhat regular basis. As it stands now, I have so many accounts, many of which use the same password, some of which use variations of that password, etc., that the notion of going through and changing all those passwords is completely daunting. Hence, I never do it.

    With openID, every time I got a bit nervous, I could change the one true password, and still have to remember only it. A good openID provider could even give reminders or enforce a password expiration, which would go from extreme nuisance when done on an individual site basis, to real additional security, potentially offsetting the loss of security inherent in the single point of failure for many users.

  • by bsDaemon (87307) on Wednesday July 23, 2008 @11:19AM (#24304959)

    single point of failure!!

    I'm glad I got rid of MySpace about a year and a half ago. I never really do anything with my blogger account, and I'll probably buy my own domain again to get away from gmail.

    To paraphrase Ian Malcolm, what they call progress, I call the rape of the digital world.

  • by GrumblyStuff (870046) on Wednesday July 23, 2008 @11:40AM (#24305347)

    GAWD the amount of "OMG Single point of failure PONIES" posts is ridiculous.

    You do NOT give OpenID all your passwords and logins.

    It's not turning all those accounts over to a third-party and them giving you a single login and password.

    It's using ONE account at MANY other sites in a limited form.

    Example: using my account here (http://www.slashdot.org/~GrumblyStuff/), I'd post it into the separate OpenID field on say... MySpace.

    This takes me to a confirmation page on Slashdot that requires being logged into said account. You're logged in? Then everything is peachy and you can be added to friends, add friends, write comments, whatever on MySpace. You'll have an account there that simply has a link to your Slashdot account.

    THAT'S IT.

    I RTFS. I RTFA. I even went to the OpenID website [openid.net] to make sure they hadn't gotten some dumb fuck idea like most everyone writing comments here is freaking out over.

    OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience.

    Note the key phrase "eliminates the need for multiple usernames". That means not needing an account at MySpace, Facebook, or Livejournal to message a friend.

    I don't know how AOL, Wordpress, and Yahoo fit in (if they got blogs or if it's to be used with IMs or email) but it works alright with regular blogs. (I don't know wtf Vox is though.)

    • by brunascle (994197) * on Wednesday July 23, 2008 @12:04PM (#24305781)

      OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience.

      Note the key phrase "eliminates the need for multiple usernames". That means not needing an account at MySpace, Facebook, or Livejournal to message a friend.

      That's not entirely true. It might've been the goal of OpenID to eliminate the need to have different accounts on different sites, but in reality it only eliminates the need to remember different usernames and passwords. Relying parties could still require you to fill out a form to sign up the first time you log in with your OpenID. There's a chance you'll need to choose a username, and maybe even a password. The only difference is you wont have to remember them.

      • by GrumblyStuff (870046) on Wednesday July 23, 2008 @12:48PM (#24306667)

        Relying parties could still require you to fill out a form to sign up the first time you log in with your OpenID. There's a chance you'll need to choose a username, and maybe even a password.

        Then there'd be no difference between OpenID and just signing up and checking that box that says "Remember this password" in which case, HEY, they just made themselves entirely redundant. That or at least such a nuisance people will settle with posting anonymously or simply making an account there.

        In either case, I fail to see what's so horrible about "it only eliminates the need to remember different usernames and passwords." I mean, everyone else had ample thoughts of forking over their account information to get a single login and password to use at all of those same sites. OpenID doesn't remember them either. You have to authenticate your original account at the original site unless they got one of those checkboxes to keep you logged in (still requires being logged in at the original account, too, though).

  • by niteice (793961) <icefragment@gmail.com> on Wednesday July 23, 2008 @12:05PM (#24305797) Journal
    With all the talk of running one's own OpenID provider, why not run it on your own machine behind a DynDNS [dyndns.org] or similar provider and use PAM to authenticate against /etc/shadow?
  • Public keys ? (Score:3, Insightful)

    by smoker2 (750216) on Wednesday July 23, 2008 @12:06PM (#24305823) Homepage Journal
    Why can't we have a system based on our own public keys ? You could upload your public key to whatever site you wanted, without needing to transmit a password at all, ever.
    Your password stays on your machine, and never gets shared over a network. This would eliminate needing multiple passwords for multiple sites. It works well for SSH, which I think is a tad more secure than having username/password pairs being sent to a myriad of different sites.
    Also, a public key based system, would allow you to be anyone you wanted on any site, as long as your public key could be validated against your private key.
    Kind of like a validated session cookie, you could visit a site and instantly be logged in as the user you specified originally. My password for my SSH private key is a fairly long sentence, but I only have to enter it once per local login session ( I use the SSH agent). If the sites I visit were to make use of that, then I would never need another username-password pair again.
    Of course this idea is not new and the principle can be found in many flavours of password storing agent software, but they all use their own standards, and they all transmit the stored password, rather than just sending a 1 or a 0.

    Note I do not propose that the browser handles the verification, but that it hands off to the OS for verification, then takes the OS's response and transmits that to the web site concerned. Said website can then use a session cookie to track state as usual.
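    The scheme smoker2 sketches above is a challenge-response login: the site stores only a public key, sends a fresh nonce, and the user's machine answers with a signature, so no password ever crosses the network. The code below is an added illustration written for this page; it is not from the post, from OpenID, or from any existing library, and the names `Site`, `Agent`, `loginMessage` and `Demo` are this example's own. It goes slightly beyond the post in one respect a practitioner would insist on: the signed bytes are bound to the site's origin and to a single-use nonce, so a signature captured at one site cannot be replayed later or presented to a different site.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// loginMessage binds the signed bytes to the site and to a fresh nonce so a
// signature captured at one site cannot be replayed there or at another site.
func loginMessage(origin string, nonce []byte) []byte {
	return []byte("pubkey-login|" + origin + "|" + hex.EncodeToString(nonce))
}

// Site is the relying party: it keeps the public key each user uploaded at
// registration and at most one outstanding challenge per user.
type Site struct {
	origin     string
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewSite(origin string) *Site {
	return &Site{origin: origin, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores a user's public key. No password is ever transmitted or stored.
func (s *Site) Register(user string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("bad public key length")
	}
	s.pubKeys[user] = pub
	return nil
}

// Challenge issues a random 32-byte nonce for one login attempt.
func (s *Site) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// Verify checks the signature against the outstanding challenge and consumes
// the challenge, so each nonce can authenticate at most one login.
func (s *Site) Verify(user string, sig []byte) error {
	nonce, ok := s.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.challenges, user)
	if !ed25519.Verify(s.pubKeys[user], loginMessage(s.origin, nonce), sig) {
		return errors.New("signature invalid")
	}
	return nil
}

// Agent plays the role of ssh-agent on the user's machine: it holds the
// private key and only ever emits signatures.
type Agent struct{ priv ed25519.PrivateKey }

func NewAgent() (Agent, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return Agent{priv: priv}, pub, err
}

// Sign answers a challenge from the named origin. A real agent would confirm
// that origin matches the site the browser is actually talking to.
func (a Agent) Sign(origin string, nonce []byte) []byte {
	return ed25519.Sign(a.priv, loginMessage(origin, nonce))
}

// Demo runs one successful login, then shows that replaying the same
// signature fails and that a signature made for another origin is rejected.
func Demo() (loginOK, replayRejected, crossSiteRejected bool, err error) {
	agent, pub, err := NewAgent()
	if err != nil {
		return
	}
	site := NewSite("https://example.test") // constructed origin for the demo
	if err = site.Register("alice", pub); err != nil {
		return
	}
	nonce, err := site.Challenge("alice")
	if err != nil {
		return
	}
	sig := agent.Sign(site.origin, nonce)
	loginOK = site.Verify("alice", sig) == nil
	replayRejected = site.Verify("alice", sig) != nil // nonce already consumed

	nonce2, err := site.Challenge("alice")
	if err != nil {
		return
	}
	wrongSite := agent.Sign("https://other.test", nonce2) // signed for a different origin
	crossSiteRejected = site.Verify("alice", wrongSite) != nil
	return
}

func main() {
	ok, replay, cross, err := Demo()
	fmt.Println("login:", ok, "replay rejected:", replay, "cross-site rejected:", cross, "err:", err)
}
```

    The site never learns anything that would let it impersonate the user elsewhere, which is the property the post wants; what it does not get for free is account recovery, since losing the private key means losing every login that trusts it.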
  • Now I only have one username and password to hack and your world is mine

  • by Matt Perry (793115) <perry.matt54@yaho o . com> on Wednesday July 23, 2008 @01:54PM (#24307915)

    a group that seeks to allow users to create a single account/password set to be used on a number of services.

    This sounds like an absolutely terrible idea. How many times have we told users that it's best not to use the same password for every account? OpenID sounds like an enabler of stupidity and a huge security risk.

    • by RPoet (20693) on Wednesday July 23, 2008 @01:57PM (#24307985) Journal

      OpenID is not using the same password for every account. It's having just one account instead of many, and thus only one password to remember (which can then be a better password since you have to remember fewer).

      • by Matt Perry (793115) <perry.matt54@yaho o . com> on Wednesday July 23, 2008 @02:27PM (#24308547)

        OpenID is not using the same password for every account. It's having just one account instead of many, and thus only one password to remember (which can then be a better password since you have to remember fewer).

        There are already better tools that work with all sites for remembering passwords. Firefox is but one example. It can remember logins and passwords for any site and protect the password list using strong encryption. To use OpenID with any confidence, one must trust an OpenID provider. You can run your own OpenID service but then you have another service to administer and maintain. I still don't see what advantage this solution has over existing solutions.

  • by pseudorand (603231) on Wednesday July 23, 2008 @02:11PM (#24308243)
    According to this [efluxmedia.com] article, Microsoft claims 400 Million Passport/Windows Live users worldwide. How is it that OpenID is becoming the de facto standard again?
  • by starwed (735423) on Wednesday July 23, 2008 @02:24PM (#24308487)
    One thing that really needs to happen is for forums to accept OpenID. Given that a small number of software packages seem to run the majority of forums out there, it seems like this sort of change could happen quickly... but to my knowledge, hasn't so far.
