OpenID Foundation Embraced by Big Players

An anonymous reader writes "The OpenID Foundation has announced that Google, IBM, Microsoft, VeriSign and Yahoo! have all joined its board. It's exciting to see OpenID being embraced by such large players, but its also a concern that such big corporates are now directly influencing the fledgeling foundation. 'Today there are over a quarter of a billion OpenIDs and well over 10,000 websites to accept them. OpenID has grown to be implemented by major open source projects such as Drupal, cornerstone Web 2.0 services such as those by 37signals and Six Apart, as well as a mix of large companies including as Apple, Google, and Yahoo!. Today is about truly recognizing the accomplishments of the entire OpenID community which has certainly grown beyond the small grassroots community where it started in late 2005.'"

A quarter _BILLION_?

[Brian Gordon]

Not only do I not have an OpenID, I've never even seen an OpenId login! Until it really starts getting around, I seriously doubt the quarter billion number.

Re:

[mrxak]

Yeah, this is the first I've heard of it too. I just don't understand how one ID everywhere is a good thing on the internet.

Re:

[GuyWithLag]

Ah, it's not *one* ID everywhere. It's just one id for all low-impact sites (blog comments, simple sites that you need to register etc).

Re:A quarter _BILLION_?

[smittyoneeach]

<sarcasm> Oh, well, if it's designed to solve a specific problem with well-thought out requirements, then it must be totally limited, b0rken, teh sux0rz, and it will never work.
It has to have universal acceptance, be all things to all people, completely simple and yet so secure that Schneier worships it, or it will get no traction in the market. </sarcasm>

Re:A quarter _BILLION_?

[severoon]

I have to say I'm shocked there are so many people piling on this anti-identity bandwagon. Don't you people understand that the purpose of OpenID is to allow you, the user, to control your own identity and the information companies are allowed to collect about you? (As opposed to right now, where sites ask you to sign up and provide X info to create an account and you either provide it or don't get on?)

Identity management allows you to control your Internet presence in one single place, and acts as a single gateway for you to allow or disallow sites to know about you and collect information about you. This is a good thing people. It's secure. It promotes security...real security. It also promotes anonymity when you want it. Unlike Facebook where you add 50 apps and leave all the boxes checked and then have to page through one app by one once you understand the impact of those boxes...

Don't knock something till you understand it. Someday the intarwebz will be open id powered.

Re:

[urcreepyneighbor]

Like most figures from the tech industry, this one is bullshit. They are probably including Yahoo! and Google IDs (or something like that), even tho 95% of Yahoo!'s and Google's users have never even heard of OpenID.

Remember, kids: if it sounds like bullshit, it probably is. :)

Re:A quarter _BILLION_?

[ceejayoz]

Yahoo! and AIM logins are OpenID logins, whether the users are aware of it or not.

The number is accurate. The assumptions you're making about the meaning of the number are not.

Re:

[HTH NE1]

According to the OpenID site [openid.net] it uses a URI [wikipedia.org], which includes "mailto:" URIs.

For AOL IDs, its "openid.aol.com/screenname".

Re:A quarter _BILLION_?

[Bogtha]

Are you sure you don't have an OpenID? If you have a LiveJournal, you have an OpenID [livejournal.com]. If you have a Yahoo! account, you have an OpenID [yahoo.net]. If you have an AOL account, you have an OpenID [aol.com].

Re:

[Brian Gordon]

mm, yeah none of those

Re:

[Sax Maniac]

Great, I now have 3 different OpenIDs... and no place to use them!

Re:

[krbvroc1]

This is probably some lame marketing hype that implies that since they use a 30 bit number they have a billion id's. Probably 1,073,741,824 to be exact.

Ive heard of but never seen openid used on any sites I have visited.

Re:

[krbvroc1]

Oops I hit the submit too quick: I should have said 28 bits values, 268,435,456 id's. You get the point though.

Re:

[owlnation]

This is probably some lame marketing hype that implies that since they use a 30 bit number they have a billion id's. Probably 1,073,741,824 to be exact.

Yep. And the other poster is also quite correct. Numbers like this quoted by tech companies are meaningless raised to the power of meaningless. We've all seen eBay, Myspace, Facebook, etc boast about number of users using stats like these.

At best they are counting the number of times someone's registered, and since many people register more than one acc

Well...

[samael]

Everyone with a Yahoo ID has one. Everyone on Livejournal has one. Everyone on AOL has one.

So that's a fairly large number of people.

Re:

[Tony Hoyle]

So anyone with a yahoo ID can log into AOL?

Doubt it.

Re:

[FesterDaFelcher]

Why would having an OpenID with one service allow you to log into another service, regardless of rights? Please think before posting.

Re:

[Tony Hoyle]

Thank you for making precisely my point.

Both AOL and Yahoo *already* have perfectly functional login systems.

OpenID promises single signon, but can't deliver it because everyone wants their own walled garden - Yahoo and AOL don't want to share users. So their alleged use of openID is completely, utterly and totally pointless. They've gained nothing, the end users have gained nothing.. but it makes for neat headlines.

Re:

[FesterDaFelcher]

They've gained nothing, the end users have gained nothing

Users HAVE gained something. From the openID website: "With OpenID you can easily transform one of these existing URIs into an account which can be used at sites which support OpenID logins." Key word here is CAN. It doesn't mean that once you have an openID you immediately have access to any site that uses openID. There are still permission structures.

Thank you for making precisely my point.

If you wanted to make the point that AOL and Yahoo d

Re:

[Tony Hoyle]

But that *is* the point.

One identity across the internet is the goal.

It's am impossible goal because nobody wants to share their user information with anyone else. That information is worth money, not to mention the privacy (and, in some countries, legal) implications.

Therefore openid just becomes a different way for Yahoo to store its usernames, and a different way for AOL to store its usernames. That may have value in itself.. but it isn't the holy grail some at slashdot seem to think it is, and not aff

Re:Well...

[Jobe_br]

No, listen. You're wrong. This has nothing to do with sharing users, it has everything to do with YOU not having to create YET ANOTHER LOGIN. OpenID is about YOU not about the companies implementing it sharing users.

This isn't a trivial thing to understand and I encourage you to read up on OpenID.

Here's, in a nutshell, what it means. You have a Yahoo! or AOL account (so, you have a login & password, that you can remember). When you want to start using a product at 37signals, like basecamp or highrise, or whatever - you can CHOOSE to use your OpenID. You still have to sign up with 37signals, you still have to PAY 37signals, but you don't get another login & password.

When you provide your OpenID to 37signals, the APIs they use will ask your OpenID provider (e.g. Yahoo! or AOL) if you're authorized, your OpenID provider will ask YOU if you want to authorize 37signals, and you'll say YES.

That's it. Trust is setup, you've been in control the whole time, and now you can access your 37signals account without ever having created a new username & password.

It really, really is powerful. And it really, really is not trivial or necessarily easy to understand. But it works, and folks are getting on board with it.

Cheers,
[/rant]

Re:

[FesterDaFelcher]

Good summary. I think OpenID would do well to produce a well made flash video describing the situation, with creating an OpenID, signing up at multiple sites. Describe what data is shared (none), and what the benefits are to the user. I've heard too many times, "I don't want all of these websites to have my private information." That's not at all how it works. Private info would still need to be entered at each site, but the overall login would be the same.

Re:

[Bogtha]

OpenID promises single signon, but can't deliver it because everyone wants their own walled garden - Yahoo and AOL don't want to share users.

According to the AOL developers' blog, they are actively working on making their products accept OpenID [aol.com], and even if they weren't, just because AOL wants a walled garden, it doesn't mean nobody else can become a relying party. There's plenty of utility in OpenID even if all the big players are only providers.

Re:

[Tony Hoyle]

Presumably all AOL websites already accept AOL IDs. Now they accept AOL OpenID IDs instead. Big woop.

Re:

[Bogtha]

Now they accept AOL OpenID IDs instead.

No, now all OpenID relying parties accept AOL accounts. Please stop misrepresenting the situation.

Re:

[c_g_hills]

Unfortunately some sites treat OpenID users as second-class citizens, and sadly LiveJournal is a good example of this. A user who has an OpenID account on LiveJournal cannot:-

• keep their own journal
• join a community
• comment on posts that have restricted comments to LiveJournal users

I hope that they will change this policy in future.

Re:

[Tacvek]

keep their own journal

I don't think that's too much of a problem - if you're using a site enough to be doing something like keeping your own journal, it's not too much hassle to get an account. It is hassle to get an account just to make a single comment, which is the major hurdle OpenID overcomes.

join a community

I agree, this limitation seems a bit strange, especially as they allow OpenID users to keep friends lists.

comment on posts that have restricted comments to LiveJournal users

Although that's a choice that's up to the journal owner. They had to have that really, as originally there was the option to disallow anonymous comments, but for backwards compatibility, I think OpenID would have to fall into the same category. But it would be nice to have an option that says "Allow LiveJournal or OpenID comments, but not anonymous".

But setting up an OpenID server that automatically authenticates anybody who types in that url (does not attempt to verify identity) is trivial. Any such URL is then an anonymous OpenID. That more or less would defeat the point, would it not?

Re:

[Bogtha]

No, you are mixing up OpenID providers with OpenID relying parties. Yahoo and AOL are both OpenID providers, which means that if you have an account with them, then you have an OpenID. The sites you log into are OpenID relying parties, which means that if you have an OpenID you can log into them.

Yahoo and AOL don't have any services that are OpenID relying parties as far as I know (AOL say they are "actively working on it"). But you can use Yahoo and AOL OpenIDs to log into an OpenID relying party, f

Re:

[Tridus]

It is. Every account on Livejournal is also an OpenID account. It makes sense since the founder of LJ is also the founder of OpenID.

Secure?

[mrxak]

Is it really all that secure to have one username and password for every website you go to? I would imagine there'd be privacy concerns as well.

Re:Secure?

[Brian Gordon]

Very secure. Think about it- that means that every scummy admin on the internet doesn't have access to your password. You don't need a "junk websites that probably sell my username/password" tier, since authentication is handled by openid and not the scummy web server itself.

Re:

[mrxak]

Fine, but what happens once somebody does get your username and password, let's say a keylogger, or one of these fake banking sites designed to steal your password. Now they can get into everything. It's not like this is going to stop scummy admins. OpenID doesn't instantly become mandatory everywhere just because a few new companies endorsed it. All this means is that when your OpenID gets stolen, you're even more screwed.

Re:

[swimmar132]

How could a fake banking site possibly get your openid password? You only give your openid password to one site, the openid provider.

You can also see who is using your openid, when they are logging in to sites, the IP addresses of people using your openid, etc.

Re:

[STrinity]

How could a fake banking site possibly get your openid password? You only give your openid password to one site, the openid provider.

Well banks aren't likely to use OpenID anyway. But the sort of person who falls for phishing sites is the type who uses the same password everywhere, so if the phisher gets the guys bank password, he could turn around and try it on OpenID.

Re:

[cybereal]

It's trivial. It is the same as every other fishing attack. When you login with your OpenID it will forward you to your OpenID provider's page to login. The phishing attack simply forwards you to their OWN OpenID page. They only need to mock up a few common provider pages (AOL, Yahoo?) and that's enough for a phishing scam.

That said, some of the nicer OpenID providers fight against this. Some offer useless features like showing you a picture you selectd out of a huge group of 7 or 8 choices :P but some

Re:

[swimmar132]

That's why the good openid providers have a security image that you choose (and supposedly look for).

Look at how Yahoo does it.

Re:

[Tony Hoyle]

I logged into yahoo just now to check. No security image. That site is extremely fakeable.

And what about the yahoo IM clients? A rogue one of those could steal your password easily.

One centralised password is a *bad* *bad* idea.

Re:

[swimmar132]

The openid yahoo site, not the regular yahoo site, silly.

Re:

[Tony Hoyle]

Either yahoo are using openid as claimed above, or they're not.

You aren't trying to suggest they're actively maintaining two different username/password databases for the same system? That's beyond insane.

Re:

[Brian Gordon]

Not so insane.. who cares how they do it on the backend, as long as they share accounts instead of separate ones?

Re:

[Tony Hoyle]

If they're using the same account all the claimed security just vanished - anyone who has my yahoo username and password (phishing attack, keylogger, whatever) also has my openid account. Yahoo aint that secure.. it shouldn't need to be, it's not a bank.

If they're using different accounts they just doubled the complexity of their authentication systems simply for the coolness factor (plus the claim that yahoo accounts are openid accounts is bogus).

Re:

[Randle_Revar]

My yahoo login has a security image...

Re:Secure?

[Bogtha]

Fine, but what happens once somebody does get your username and password, let's say a keylogger, or one of these fake banking sites designed to steal your password. Now they can get into everything.

For practically everybody, this is already the case. At present, the username and password they need to crack are for your email account. Then they can access all your other accounts by extension via their forgotten password features.

So the downside of OpenID is a downside that is already present. Something to think about, for sure, but hardly a deal-breaker that should prevent adoption.

Re:

[esocid]

since authentication is handled by openid and not the scummy web server itself.

But what implications would it have for your account at any of those sites if your OpenID account is compromised or you password is cracked? I'm not too familiar with OpenID but it seems like an accident waiting to happen to me, but again I'm sure the security or protocol involved with all of this. I would rather have multiple accounts with different passwords, but I'm aware that some people use the same pass for all logins.

Re:

[a_n_d_e_r_s]

Nothing prevents you from having several OpenID with different passwords. You can create a OpenID and password for each site you visit.

Re:

[owlnation]

You can create a OpenID and password for each site you visit.

Sure. Of course. Um... remind me why I need an OpenID again?

Re:Secure?

[Chyeld]

The way OpenID works (the "for dummies" version) is you go to a service which supports it and tell them "I'm Joe Joe from joejoe.com". The service then goes to joejoe.com and checks for the information there that would tell the service who to contact to verify you. It could be at joejoe.com itself, it could be openid.randomguy.com. It doesn't matter.

After the service knows who is allowed to verify that you are Joe Joe from joejoe.com, it asks them to do it. How they do it is entirely up to them. They could use a password/username. They could use a 32 point authenticaion scheme that at some point requires your mom to log in and ask you questions. It doesn't matter.

Once they've verifed you are Joe Joe, from joejoe.com, they tell the service that. Now, if the service considers itself 'high security' they can always do some extra checking before it logs you in fully (and some do). But if it's 'just Slashdot' then that's all that needs to happen.

So, someone hack your account with the group verifying you? Change authentication methods.

If you are implementing your side of OpenID correctly (and no it's not a given that you are) you have control over who verifys you as you and simply need to setup a different group to do the verification. YOU are in control of that. Unlike things like MS Passport, where you have to trust Microsoft not to foul up.

Of the single login setups I've seen OpenID is the best implementation I've run into. Yes, single sign on is inheritantly less secure than multiple sign ons, ASSUMING the authentication layer is equivalent across the board.

BUT, and this is the catch, YOU pick the level of authentication with OpenID. You get to decide how secure is secure, if you think it's ok to just go with a username/password. Then that's your choice and you can do that. But if you would prefer to go 'Fort Knox', it's entirely possible for you to do so, because you get to choose who does the authentication and therefore what authentication is being done.

Re:Secure?

[dustman]

Also, there is one 'higher class' authentication layer implemented already, mentioned on episode 107 of security now podcast http://www.grc.com/securitynow.htm [grc.com] :

Verisign has an OpenID implementation, https://pip.verisignlabs.com/ [verisignlabs.com], with a plugin for firefox that makes it easy to manage signing into sites.

Verisign's implementation is already behind the paypal and ebay security fobs, and if you get a pip account, you can buy one and use it for secure authentication everywhere. They cost $30 from verisign, but only $5 from paypal: http://paypal.com/securitykey [paypal.com]

Re:

[Tony Hoyle]

There's me thinking I'd be able to get a cheap security key to play with:

"The Security Key is currently not available. Please try again later."

Not inspiring if your source of login goes down randomly...

Re:

[Aram Fingal]

BUT, and this is the catch, YOU pick the level of authentication with OpenID. You get to decide how secure is secure, if you think it's ok to just go with a username/password. Then that's your choice and you can do that. But if you would prefer to go 'Fort Knox', it's entirely possible for you to do so, because you get to choose who does the authentication and therefore what authentication is being done.

Or I suppose that you could have two or three OpenID accounts at different levels of security. Use th

Re:

[192939495969798999]

The problem with a single user/password storage is you then have a single user/password. If that openID gets hacked, then everyone will have access to everything... not good. At least if one non-openid account gets hacked, only that account is affected.

Re:Secure?

[Bogtha]

Is it really all that secure to have one username and password for every website you go to?

This isn't about having one password. This is about having one account. There's ample opportunity for improved security without the need for passwords. Have your OpenID provider authenticate you via an SSL cert on your USB flash drive if you want, or even via fingerprint recognition, you or your provider can implement whatever level of security you need and there's no need for the relying parties to mess about with their authentication system to accommodate you, it all just works automatically with any OpenID-capable website or web application because it's the OpenID provider doing the authentication, not the websites or web applications themselves.

Websites and web applications are relatively limited in what they can offer in terms of authentication options. OpenID allows people to experiment with alternative authentication schemes without having to drag websites and web applications along with them.

Re:

[Hal The Computer]

https://certifi.ca/ [certifi.ca] actually offers a free provider that works with any SSL certificate. As you point out, this makes phishing almost impossible. You need a certificate from somewhere else, but there is a list of certificate providers on that site, some of which are free. There is one other provider I know of that offers this, but I couldn't get their service to work.

Support on Slashdot?

[ObsessiveMathsFreak]

But the big questions on everyones lips are: "Will Slashdot support OpenID?", and "Is Anonymous Coward already taken?".

Re:

[Tony Hoyle]

Oh god I hope not. I'm kinda worried that yahoo have - without my permission - put my username and password for them in the openid database. If slashdot did it.. I hope we'd get a proper opt-out.

Re:Support on Slashdot?

[Bogtha]

I'm kinda worried that yahoo have - without my permission - put my username and password for them in the openid database.

There's no "OpenID database", it's decentralised. If you use your Yahoo OpenID on a website, that website sends you to Yahoo, where you are authenticated against the same Yahoo database that you've always had your account details in. When Yahoo decides you are who you say you are, they send you back to the original website. Your username and password haven't gone anywhere.

Re:

[Tony Hoyle]

There is, even if yahoo keep it to themselves they need to put it in that system.

As far as putting my yahoo details into a *different* site. Not gonna happen. A site either has its own unique logon or I close the browser.

Re:

[Bogtha]

There is, even if yahoo keep it to themselves they need to put it in that system.

What are you talking about? What system are they putting it into? The OpenID authentication on Yahoo's servers can just query the existing database that already holds your username and password.

As far as putting my yahoo details into a *different* site. Not gonna happen.

You don't put your username and password into a different site. The only thing you put into the other site is your OpenID, which is something

Re:

[swimmar132]

Dude, you really don't understand how openid works. Sorry.

I'd explain it better, but I have work to do. But please do read up some more on it.

How openID works

[Hal The Computer]

You don't understand how openID works. There is no central database, if you try to login to site.example.org, you give it your username, it redirects you to your provider's website (e.g. openid.yahoo.com), where you authenticate. The provider then sends you back to the original website. Your password is safe as long as you don't fall for a phishing attempt and as long as your provider (yahoo) doesn't screw up.

A more detailed explanation is available. [wordpress.com]

Re:

[Tony Hoyle]

"as long as you don't fall for a phishing attempt"

That's a big if. People fall for them every day.. now you're saying that they should be encouraged to have the same password for multiple sites *and* expect any site they access to redirect somewhere else to enter your details, that looks a bit like the yahoo/aol page.

Re:

[Hal The Computer]

Which is completely irrelevant to your original point. You don't need to opt out of openID, just don't use it if you don't want to.

There are many good ways to fix the problems with passwords. A shared secret (e.g. an image or a sentence) that your provider only shows to you (several banks do this, I'm not aware of an openID provider which does).

Or you can remove the password entirely. There are providers that use client-side SSL certs (my choice), one time passwords or "click on the correct picture(s)" in o

Re:

[Goaway]

There is no "the OpenID database". They have put your username and password nowhere bu their own database where they have always been.

Re:

[hayesp25]

For a web site that is supposed to be geared towards technically capable people, there are some stupid, stupid posts here. There is no "openid database". Get a clue. Single-sign on is infinitely more secure than username / password splattered across the web. If your account gets compromised, you only have to lock down a single location. You can get a review of all authentication activity across all websites that you use. I don't understand how anyone can think this is not a good idea.

Licensing

[parcel]

As Brad Fitzpatrick (the father of OpenID) said, "Nobody should own this. Nobody's planning on making any money from this. The goal is to release every part of this under the most liberal licenses possible, so there's no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we're all a part of the community."

(from http://openid.net/what [openid.net] , emphasis mine)

I'm no expert on such things, but wouldn't you want an extremely restrictive license, to prevent providers from "improving" the concept and breaking interoperability? Or having the more "trusted" providers begin charging for the service? Although I suppose this depends on Fitzpatrick's definition of liberal.

if you "improve" the standard

[circletimessquare]

in such a way that you break interoperability, you've effectively negated the value of your "improvements"

maintaining interoperability is not something that has to be an active policy matter. it maintains itself out of inertia. the network effect

no one wants to use a standard which means you have broken contact with the vast majority of users

Re:

[jfengel]

Trusted providers probably WILL charge for the service. The OpenID scheme considers that a good thing. You get to choose any authenticator you want, and you can decide how hard you want to work on protecting your identity as it relates to any particular web site.

I use Livejournal for my openID, which is fine, but I don't necessarily trust them. They're not professional security providers, and they have a lot of other things to do. So I wouldn't use my LJ authentication when there was money on the line,

Re:

[Tony Hoyle]

Trusted providers probably WILL charge for the service. The OpenID scheme considers that a good thing.

Now I have to pay someone? It's looking like the verisign monopoly all over again.. Pay them $500 a year and if you can't pay them next year lose your identity, just like the way SSL works at the moment.

OpenID has no issues with this???

Re:

[Bogtha]

No. You misunderstand. Again. If you aren't trolling, please just go and read an OpenID tutorial or something before posting more silly comments.

Some OpenID providers will only offer the bog-standard username and password authentication. Some OpenID providers will offer better security, for instance via client-side SSL certificates, swipe cards, etc. The people who want this extra security now have the option of going to a premium OpenID provider as opposed to a typical OpenID provider, and all the

Re:

[Randle_Revar]

I use myopenid.com as my openid provider. However, my openid is http://www.clowersnet.net/~krc/ [clowersnet.net]. If myopenid.com does something I don't like, I create an account with a different provider and change two lines in my website to point to my new provider. My new provider could even be my own server. Everything else keeps working as it did before - the openid consumers I have logged into don't even know that anything changed.

You know, instead of throwing out random arguments, and letting everyone else shoot them

Thanks Instatrace!

[Itninja]

And We've just had a very generous donation of $10, 000 but the caller didn't leave his name, but thanks to Instatrace we now know that it is Homer Simpson of 741 Evergreen Terrace. Oh, why did I register with Instatrace?

Op out

[esocid]

If there is a broad implementation across these sites would there be an opt out option for those who do not have an OpenID or would I actually be forced to gain one in order to go about my business? This sounds like the REALID of the intarwebs to me.

Re:

[DaftShadow]

I thought that too at first, and then I "got" it: Right now, every website I go to, I create a new account. New account, new password, new entry in my passmanager. I usually use the same login name/user name, for simplicity's sake. You probably do this also.

Now, I can use OpenID to stop dealing with my passmanager! I can get the same login name everywhere. If I want the simple route, I simply use diggity.myopenid.com. If I want the advanced "I control it all" route, then I can host it myself using

Re:

[esocid]

Thanks, that does clear things up a bit. I didn't realize how far down the rabbit hole the complexity of this actually goes. I didn't know either that you can host all your identities rather than giving it to a third party to handle, I was under the impression that it was just another 3rd party that controlled it all. After looking into it more and more it does look like a good alternative to current systems. I'll definitely check out the phpMYID and see which method I like.

More Info Here

[mpapet]

http://www.plaxo.com/api/openid_recipe [plaxo.com]

As someone that used to work for a company that developed strong authentication systems, I can tell you that big-business has been having some kind of orgasm about this for quite a while now.

The typical big-dreamer sees "identity" as a problem of too many logins/passwords. Yahoo and IBM have different customers, but similar goals simplifying authentication/identity for their customers. As usual, Microsoft is conspicuously absent because they think they've got the proprietary solution already.

Re:

[qw0ntum]

Um... it seems that Microsoft is on board, actually, according to the article.

Though I do admit that it is a bit surprising. :)

Kind of funny with

[ericrost]

the story two up.

Isn't this a single point of failure to steal your entire online identity (which in my particular case might be just as bad as stealing my offline identity)?

How is this a good idea. One signin that (if I implemented this on my local machines) would allow access to not only my VPN, mailserver, web server, but also my bank account, mortgage, and any other personal details that are stored in any publically accessible server?

Seems like a bad idea to me, and I'm a F/LOSS advocate. I just like di

Re:

[swimmar132]

then create multiple openids? one for each category of safety that you need?

i.e. one for facebook/myspace/blogging/flickr/etc, and another for banking information.

Re:

[Tony Hoyle]

If you're going to do that WTF is the point of openid?

Re:

[ericrost]

Well, I see the point that you could manage facebook/myspace/livejournal/yahoo.... with one openID, still a reduction there, then your cc's/bank/mortgage... with another. This is why I ask these questions. Use it for reduction in uneccessary duplication, but leave duplication where necessary. Thanks GP for the reply! :)

Re:

[Tony Hoyle]

A lot of people do that anyway for low priority accounts.. so you don't really gain.

There's no way my bank, cc, etc. details would be on openID - I trust my bank and my bank alone with those details.

Re:

[ericrost]

And have you done a security audit of your bank (and your bank alone) to determine if they are handling those details correctly? What would your recourse be if your bank lost or had those details stolen?

I'd trust a general purpose security organization to be:

1. More transparently and honestly audited on a regular basis.
2. More accountable in case of loss.
3. More careful in general about it since its their core competency.

Re:

[Xtifr]

Creating a handful of accounts based on roles is still a big win over creating a separate account for each and every service you might need. Having five accounts is more trouble than one, but a lot less than having fifty. So, basically, you can dial up the level of consolidation/complication you need.

A lot of people like to keep their work and personal lives separate, so, at a bare minimum, a lot of people will want at least two sign-ons.

Re:

[Goaway]

Isn't this a single point of failure to steal your entire online identity No.

How is this a good idea. One signin that (if I implemented this on my local machines) would allow access to not only my VPN, mailserver, web server, but also my bank account, mortgage, and any other personal details that are stored in any publically accessible server?

That is a very bad idea, which is why OpenID is none of that.

Re:

[Tony Hoyle]

Explain why it's 'none' of that.

Sure, nobody with intelligence higher than a rabbit would implement it on something secure like a VPN, and banks have much better systems in place already.. but he was only giving examples. The amount of damage someone could do just posting on websites or blogs under your name is huge.. carreer ending, even.

Re:

[ericrost]

Heck the amount of damage !I! do to my online identity posting as myself is huge, I would hate to think what someone else would be able to do... wait, maybe I should let others post as me, it could do my career some good /sarcasm.

Re:

[CodeShark]

I think you miss the point of an OpenID in active use.

Basically what the framework does is to let me -- by my choice of OpenID providers (or if I become one) to basically have a trusted source that basically says "the person using this account has been authenticated by OpenID provider XYZ. I don't have my provider set up (via the PHP implementation) yet, but when it is operational, what I can do is connect to other OpenID enabled sites that accept provider URLs (the relying parties) and never type a plai

When will the big players accept other's OpenIDs?

[harlows_monkeys]

I've got at least two or three OpenIDs now. One I paid for (actually an i-name, but those work as OpenIDs in OpenID 2), and one for free from AOL because I have an AIM account. Yahoo will give me one because I have a Yahoo account.

OK, that's nice. But how do I get Yahoo to accept my i-name or my AIM OpenID? On Yahoo's OpenID setup page, I only see options for creating my Yahoo OpenID.

I'm not going to count the big players as embracing OpenID until I can tie any one of my existing OpenIDs to my account.

Re:

[Tony Hoyle]

Any security system that can't handle someone looking at the code only has the illusion of security and should be junked - ssh has had people looking at it for years and is still considered secure. So has kerberos.. so much so that Microsoft used it as the base for active directory.

You do know that pretty much every proprietary package out there goes out with a license that says the producer has *no* liability if it fails? The 'who to blame' argument is utterly bogus. You want things fixed, and fixed fas

Re:

[Xtifr]

In addition to the excellent rebuttal offered by Tony Hoyle, I have to point out this flawed logic here:

If its Open Source [...] if any retribution if said security is broken, who's accountable?

With 99% of all popular FLOSS, you can find out who's accountable by checking the public revision control, to see exactly who wrote those broken "80 lines of code." With proprietary code, you usually can't even find out what, exactly, is broken, let alone how and which lines of code are responsible. This makes FLOSS a Big Win for security apps.

In those rare cases where there isn't a public repository,

Re:

[Ilgaz]

Horah! Now the FBI can track me everywhere!

MS tried OpenID like service and failed miserably because industry giants like Sun, Novell (while they were real), IBM and every privacy organisation you can imagine have put their pressure against it.

Regarding FBI and if you are American citizen or any foreigner who made someone mad enough to get court order from American court, they don't need such "sci-fi" things like OpenID. Right papers presented to some lawyers is enough.

"In the event that SourceForge becomes aware that site security is compromised o

Re:

[Tony Hoyle]

The old MS Passport and OpenID are basically the same but instead of having one humungous database controlled by Microsoft, you have dozens of humungous databases controlled by Yahoo, AOL, Verisign, etc.

It has the same issues - each one is a point of failure that means if compromised your online identity is at risk. We do it with credit card transactions right now.. because banks have a vested interest in making sure transactions are secure - loss of confidence in online transactions would cost them milli

Re:

[benjymouse]

Talking about FUD, it seems you are the guilty one here. here is some facts for you: 1) Passport has nothing to do with CardSpace. 2) CardSpace does not rely on Active Directory. Totally false FUD. CardSpace (as implemented in IE) insists on using a seperate "desktop" to avoid potential spoofing when you decide which card to "hand over". The "cards" are NOT kept in AD. Plugins exists for FF as well. 3) CardSpace is a totally open protocol which - unlike OpenID - ensures your anonymity across websites. 4) C

Re:

[quantumplacet]

Yea, I was wondering if I was missing something there. I read the article and all the comments in the gp link, and basically I see Kim Cameron trying to explain what seem like some pretty reasonable security issues to some retard who keeps insisting that the current system is perfect because he knows how to read the address bar and certificate dialog....

Re:

[Tony Hoyle]

Wasn't just me then. I read comment #7 and wondered if the one he was on about had been deleted because it looked OK to me..

Re:

[Burz]

This is not about who stores identity info. Its about who controls the dominant authentication mechanism.

How 'nice' that Firefox can have Cardspace plugins added to it... too bad most will consider the lack of native Cardspace support a nuisance at best. This is a primary benefit that MS gets by moving important 'rituals' like Web logins out of the browser and into the OS (where they don't belong).

Most of the technical material I found at Microsoft dealt with Cardspace using AD via Passport and seems to be

Re:

[Goaway]

SHA1, of which rainbow tables have been available for some time.

Rainbow tables are not dependant on the specific hashing algorithms. They are a generic algorithm for breaking any hash.

Re:

[Tony Hoyle]

Can't see google doing it - they have their own system across all the sites that they own. Wasn't too happy with that either (my google account isn't my blogger account FFS!) but had to live with it.

Re:

[flink]

Can't see google doing it - they have their own system across all the sites that they own. Wasn't too happy with that either (my google account isn't my blogger account FFS!) but had to live with it.

I don't use Blogger, but when I went to their join page, it let me sign in with my Google account, so for new accounts anyway, it seems they are the same.

Also, as of January, Blogger is an OpenID provider [blogspot.com].

So Google has in effect already done it, you just have to go through the hassle of creating a Blogger blog u

Re:

[Randle_Revar]

Too late, I already have one, and I find it to be very useful.