MySpace Joins OpenID Coalition
the4thdimension writes "MySpace has joined a coalition of other big-name e-services in support of OpenID. If you aren't familiar with the OpenID coalition, they are a group that seeks to allow users to create a single account/password set to be used on a number of services. Such services already signed up include: Google's Blogger, Wordpress, AOL, Yahoo, Vox, LiveJournal, and others."
Reader gbjbaanb adds a link to the BBC's coverage and points out that MySpace's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use, writing: "Initially support is to use MySpace OpenIDs as providers only — i.e. you cannot logon to MySpace with an OpenID created elsewhere, but that policy will change in the future. This should help to make OpenID the de-facto login mechanism for the Internet; now if only Microsoft would support it, there are plenty of OSS OpenID libraries available."
Defeat the purpose? (Score:5, Insightful)
Re:Defeat the purpose? (Score:5, Insightful)
Re:Defeat the purpose? (Score:5, Interesting)
You are free to be your own OpenID provider (there is no guarantee that all consumers will accept your ID, but you could probably proxy an acceptable provider to your own endpoint).
For the vast majority of people, their email provider already has access to many of their logins, so it isn't necessarily a new issue.
Re:Defeat the purpose? (Score:5, Interesting)
It doesn't. And you aren't.
Implemented properly, OpenID works thusly:
You tell a site that you are "JimBob" of "random URL". The site goes to the random URL, which has listed (somewhere; there is more than one way to provide the information) a server that is authorized to authenticate that you are truly "JimBob" of "random URL".
The site then goes to the authentication server, passes control to it for you to authenticate, and waits to be told who you are. The authentication server does its jig and passes back the results.
The idea is, if you decide to change authentication servers, or even roll your own, you have control over "random URL" and thus can change what server is being listed as the 'official' authenticator for "JimBob" of "random URL".
This provides you ultimate control, and you aren't passing anything to anyone that you haven't chosen to trust.
The problem, at least for me, is that almost all of these big name companies are providers (i.e. authenticators) and not consumers. On top of it, I haven't had any luck on getting these providers set up as authenticators for anything other than their own domains. I.e. I can be JimBob at Yahoo.com, and JimBob at Blogger.com, and JimBob at Facebook.com, but I can't set any of them up to authenticate me as "JimBob" of "random URL". Which completely destroys any utility of their membership in this group.
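The discovery step and the hand-off to the authentication server described in this comment, as an added Python example (not code from the post, from OpenID's own libraries or from any provider named on this page); the identity pages, provider hostnames and relying-party URLs are constructed. It handles both the OpenID 2.0 and the OpenID 1.x link names, which the comment does not distinguish, and shows that switching providers only means editing the page at "random URL".

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"

# Constructed sample: the HTML a user serves at their own identity URL
# (the "random URL" above). The <link> tags name the server authorised to
# vouch for this URL and the local id the user has at that server.
# OpenID 2.0 rel names come first, the OpenID 1.x names are the fallback.
IDENTITY_PAGE = """<html><head><title>JimBob</title>
<link rel="openid2.provider" href="https://provider-a.example/openid/server">
<link rel="openid2.local_id" href="https://provider-a.example/users/jimbob">
<link rel="openid.server" href="https://provider-a.example/openid/server">
<link rel="openid.delegate" href="https://provider-a.example/users/jimbob">
</head><body>JimBob's home page</body></html>"""

# The same user after switching providers: only the page changed, the
# identity URL handed to sites stays the same (constructed).
MOVED_PAGE = IDENTITY_PAGE.replace("provider-a.example", "provider-b.example")

# A page that carries only the OpenID 1.x tags (constructed).
LEGACY_PAGE = """<html><head>
<link rel="openid.server" href="http://legacy.example/server">
<link rel="openid.delegate" href="http://legacy.example/u/jimbob">
</head></html>"""


class _LinkCollector(HTMLParser):
    """Collect rel -> href for every <link> tag on the page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        attrs = dict(attrs)
        rel, href = attrs.get("rel"), attrs.get("href")
        if rel and href:
            for token in rel.lower().split():  # rel may list several tokens
                self.links.setdefault(token, href)


def discover(html):
    """HTML-based discovery: which provider does this identity page name?

    Returns {"version", "endpoint", "local_id"} or None when the page names
    nobody. Only http(s) endpoints are accepted, so a malformed page cannot
    send the relying party's users somewhere that is not a web server.
    """
    parser = _LinkCollector()
    parser.feed(html)
    links = parser.links
    for version, server_rel, local_rel in (
        (2, "openid2.provider", "openid2.local_id"),
        (1, "openid.server", "openid.delegate"),
    ):
        endpoint = links.get(server_rel)
        if endpoint is None:
            continue
        if urlsplit(endpoint).scheme not in ("http", "https"):
            return None
        return {"version": version, "endpoint": endpoint,
                "local_id": links.get(local_rel)}
    return None


def build_checkid_setup_url(claimed_id, identity_page_html, return_to, realm):
    """Build the checkid_setup redirect a relying party sends the browser to.

    claimed_id is the URL the user typed; provider and local id come from the
    page served there, so the user controls who may vouch for them. The realm
    check is a simplified prefix match (the spec also allows wildcards): it
    keeps the provider's answer from being returned to an unrelated site.
    """
    if not return_to.startswith(realm):
        raise ValueError("return_to lies outside the relying party's realm")
    info = discover(identity_page_html)
    if info is None:
        raise ValueError("identity page names no OpenID provider")
    identity = info["local_id"] or claimed_id
    if info["version"] == 2:
        params = [("openid.ns", OPENID2_NS),
                  ("openid.mode", "checkid_setup"),
                  ("openid.claimed_id", claimed_id),
                  ("openid.identity", identity),
                  ("openid.return_to", return_to),
                  ("openid.realm", realm)]
    else:
        params = [("openid.mode", "checkid_setup"),
                  ("openid.identity", identity),
                  ("openid.return_to", return_to),
                  ("openid.trust_root", realm)]
    sep = "&" if "?" in info["endpoint"] else "?"
    return info["endpoint"] + sep + urlencode(params)
```

Run `discover` on `IDENTITY_PAGE` and then on `MOVED_PAGE` to see the endpoint change while the claimed identifier a relying party stores stays the same.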
Re:Defeat the purpose? (Score:4, Informative)
Actually no.
You do tell them you are "JimBob". More than one person may rely on "random URL" for their ID, similar to "JimBob" of Yahoo.com
You are not asserting that you have control over anything; if you do it properly then you should have control over "random URL" to the point where you can change who is providing the authentication, but it is not necessary for the schematic. Otherwise Yahoo et al. would not be providers.
I suggest glancing over the specs for authentication:Version 2 [openid.net] or Version 1 [openid.net] for clarity.
Re: (Score:3, Interesting)
Especially with the "Seems like this is just..." toss off, your question is rather like asking what the difference is between a bus and a taxi. Yes they both move you places, but they both rely on slightly different ideas.
The existence and utility of one does not nullify either of these properties for the other.
PKI is a wonderful means of doing some things, but it doesn't address some of the things OpenID does. Conversely, there are definitely places where using PKI would make far more sense than attempti
Re: (Score:2)
Yes, a 'nefarious' authentication server could in fact track the services that have requested it authenticate you. Which is why, if you are concerned about your privacy, you compartmentalize things by having one ID for 'public' facing accounts and one for "I'm Batman" accounts. And if you are really worried about it, use different servers to authenticate with.
The reason I dismiss this as a problem is I see the issue as a slider, with one side being the current situation (everything has its own login) and th
Re: (Score:2)
authentication vs authorization...
Normally you'd only use openid for authentication (who are you) and there would be an additional password mechanism for authorization (do I have the right to be here).
Both could be combined with other methods, or you could create your own openid provider ...
You can also delegate your website to a provider of choice, and if they start sucking you can change to another provider without changing your credentials at the sites you frequent.
Re: (Score:2)
Re:Defeat the purpose? (Score:5, Insightful)
Re: (Score:2, Informative)
At least you can use OpenID to comment on a blog on Blogger.
Setting up a WordPress with OpenID enabled is also very easy, by installing a plugin.
It may not be looking good today, but as soon as they start seeing that supporting OpenID as a means of authentication means opening the business to potentially many more people, they will make a change someday.
Re: (Score:3, Interesting)
It may not be looking good today, but as soon as they start seeing that supporting OpenID as a means of authentication means opening the business to potentially many more people, they will make a change someday.
Who is going to see that OpenID will "bring them more business"? It's something that so far as I can tell nobody wants.
-Matt
Re: (Score:3, Informative)
For anyone who's actually SEEN stallman, this is the funniest quote ever. For those who haven't, here [softpanorama.org]
Re: (Score:3, Informative)
You completely misunderstood the article and the concept of OpenID.
The first thing you missed was the first word of the sentence: Initially. Right now they're getting off the ground. Development and testing takes time. It is much much easier to be an OpenID provider than it is to be an OpenID consumer. Which brings me to the other point: The brief idea of how OpenID works.
OpenID works in a way similar to a friend of yours trusting some of your friends. One site which you already have login authentication fo
OpenID and Myspace help stalkers and hackers. (Score:2)
People always complain about internet hackers and cyberstalking, and cyberbullying, but Myspace was invented to assist the stalkers, bullies and hackers.
OpenID makes life even easier for hackers by centralizing the sensitive information even further. Now when you want to find your blackmail material, you can just search one ID and find all of it.
Re: (Score:2)
You either need to look up the definition of monoculture or actually educate yourself on the underpinnings of OpenID. You obviously misunderstand one or the other.
Monoculture means everyone depends on the exact same thing. OpenID is not only the exact opposite, providing control over how you are authenticated to you, but it provides an almost immediate method of mitigating an attack. Someone takes over your authentication server? Use a different one.
Re:Web Monoculture (Score:5, Insightful)
It's just a little different from that. Let's look at a couple of scenarios.
Scenario 1: You have accounts all over the place. You use different passwords for each of them. You have multi-factor authentication for several of them.
This is pretty secure, but of course, you have to remember your passwords. You may have to carry around several dongles. If a site is hacked and the password on it is recoverable, only that site is hacked. This scenario, however, is unrealistic for the masses.
Scenario 2: You have accounts all over the place. They all have the same password. You probably don't have multi-factor authentication on any of them, but who knows--maybe your WoW account really is that important to you.
This is horrible security. If a site is hacked, the attacker now has access to your entire web presence. You'll be forced to change your password in dozens of places, and you're almost certain to forget a few.
Scenario 3: You have a single sign-on provider (like OpenID). You have accounts all over the place, but only a single password, stored on a single server. If that server is hacked, the attacker has access to all of your accounts for the time period that it takes you to realize the issue and change your authenticator to a new host. You don't have to remember a password for each site you visit. The individual sites never have access to your password. You may use multi-factor authentication on your OpenID site to reduce the likelihood that a hack will give carte blanche access to all of your accounts, and you don't have to carry around a dozen dongles to provide "something you have."
Do you see how Scenario 3 is a compromise between the two? Do you realize that Scenario 2 is how most people use the web? Scenario 3 is better security than what most people use, while maintaining the convenience. If you don't like the idea of using OpenID, you aren't forced to. You can create a new OpenID for every website you wish to use. OpenID allows for better security in a realistic world (where people reuse passwords) when, currently, the only other option is password-management Hell.
Microsoft Support (Score:2)
I think it would be more likely that they would decide IE should actually follow internet standards before they hopped onto this.
Re: (Score:2, Insightful)
Re:Microsoft Support (Score:5, Insightful)
They do, Passpoor or maybe it's Windows Livid, or something like that I think it's called :-)
The scary (and probably most likely) outcome is that MS embraces OpenID, adds a couple of you know, essential additions to it to support missing features that it absolutely requires for, say MSN Live Messenger, and then releases "OpenIDLive" which it touts as a completely standards-based* implementation of OpenID, just like it did with Kerberos.
Re: (Score:2, Interesting)
The scary (and probably most likely) outcome is that MS embraces OpenID, adds a couple of you know, essential additions to it to support missing features that it absolutely requires for, say MSN Live Messenger, and then releases "OpenIDLive" which it touts as a completely standards-based* implementation of OpenID, just like it did with Kerberos.
Ohh for frack's sake get over the dang Kerberos thing. They put vendor specific information in !!OMG!! vendor specific fields. All of which was documented in RFC4757. However, if Microsoft supported it I would assume they would just become another provider and refuse to accept others' credentials, like Myspace.
Re: (Score:2)
They put vendor specific information in !!OMG!! vendor specific fields.
The problem is that the information they put into those fields is required by Windows clients and that it was undocumented.
All of which was documented in RFC4757.
Yes, after a lot of pressure (including EU anti-trust regulators) and after having killed off their competition. What are you trying to get at?
How many billions of dollars did Microsoft cheat people out of with this little trick? How many companies did they kill with this? Wh
Re: (Score:2)
If they broke Kerberos so badly, why the hell can I set up my KRB5 install on CentOS to point to my AD realm and have it work without any arcane settings or magic?
You can do that because Microsoft lets you and wants you to. Microsoft wants to prevent people from going the other direction, using Windows clients with UNIX servers. They do that by putting undocumented information into one of the extension fields and have Windows clients refuse to use servers that don't provide these extensions.
It's irreleva
Re: (Score:2)
MS has already tried this, and they put a lot of money into it too. It is the Passport system.
MS still uses it for their stuff, but when they first started it, the idea was that your Passport login would be accepted everywhere.
That didn't happen, and it wasn't going to happen.
It is what we call a "nice to have" but not a requirement to function, nor is it solving an issue which prevents things from happening.
yes the passport system didn't have the same focus on limiting info passed between sites - but
Re: (Score:2)
I could be wrong, but I thought that you could log into at least Amazon with a MS PassPort. I did have one when I was an MSDN subscriber and haven't used it in years, so this could have changed. Or I could have imagined it...
Re: (Score:2)
I think you could when they first started, but I don't think anyone is still partnering with them now.
Blah Blah Blah... (Score:5, Insightful)
Re: (Score:2)
Yup..I agree. I looked into OpenID about a month back to see how it had progressed.
Question 1 was...which openId provider do I choose that I already had an account on.
Then after that was settled, I quickly realized that there were NO SITES THAT I USED THAT WOULD ACCEPT OPENID AUTHENTICATION!
Yea sure, they have a list of dinky sites that niche groups use, but for the most part (like 99.9%) it's worthless.
Mixed up Facebook and Myspace in TFS (Score:5, Insightful)
Reader gbjbaanb adds a link to the BBC's coverage and points out that Facebook's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use
No, I'm pretty sure he wrote in pointing that MySpace's 100 million users would nearly double the number of OpenID accounts.
Jesus fucking Christ, is proof-reading really that hard?
Re:Mixed up Facebook and Myspace in TFS (Score:5, Funny)
...pointing out that...
Wow, proof-reading really is that hard.
Re:Mixed up Facebook and Myspace in TFS (Score:5, Funny)
You just got bit by what's being called "Muphry's Law" [upenn.edu]. Briefly, it says that any time you write a criticism of someone's spelling or grammar, what you write will inevitably contain a spelling or grammatical error.
The law has had other names, but people seem to like the idea of giving it a name that's a mispelling of the famous Murphy's Law.
(And note my two mispellings in this post. ;-)
Re: (Score:2)
Problem (Score:5, Interesting)
A problem inherent in a decentralized single sign-on system is that there are more and more providers popping up, and not all of them are trustworthy or taking the necessary security precautions to lock down their sites. Caveat emptor, I guess, though. I run my own, and so I'm responsible for my own security.
Re: (Score:3, Interesting)
OpenID sounds good on paper, but in this day and age of identity theft, it does seem like a security boondoggle waiting to happen. Not only will a script kiddie have gained access to your Facebook account, but then your AIM and everywhere else at the same time you've signed up for.
Re: (Score:3)
I was thinking it would be nice to have a two-factor OpenID authentication provider, which might alleviate this, but only to a limited extent.
I gather Verisign already do this if you use them as your provider(!) with a SecurID-ish token.
I am my own OpenID provider, which scarily means that if my web hosting gets hacked, irrespective of what authentication I use, the hacker can impersonate me. So as you say, it does make a very tempting target with a single point of failure.
Re: (Score:3, Interesting)
MyOpenID.com has two factor, and has had it for a while now.
But all this "single point of failure" stuff is crap, isn't it? Most people (probably not /. readers) have the same damn password for everything. If one of their accounts is cracked - how is that safer than OpenID? In fact, OpenID would probably be a lot safer if it was two factor in that scenario.
In short, OpenID is about the real world, which makes a refreshing change from the years and years of stupid "security" systems that end up forcing peopl
Re:Problem (Score:4, Insightful)
Personally, I keep a different password and login for every place I sign in that either (1) contains personal information about me, or (2) on which I transact financial business (like a bank account).
For social sites and blogs, I guess, this wouldn't be a big deal to me. But as soon as PayPal or EBay sign up, I start to get real unsure of this as a concept.
Re:Problem (Score:5, Informative)
Re:Problem (Score:4, Insightful)
I know MyOpenID supports using client side SSL certificates for authentication, although in that situation your login really is only as secure as your workstation.
Re: (Score:2)
And in addition, don't do business with companies that have access to your 'valuable' information that don't get the difference between authentication and authorization.
OpenID is great for saying "I'm JimBob of JimBoblandia" and in reality, that's all most logins are used for.
But for places that are actually using it for access control, then you should be including a separate layer to authorize the user in addition to authenticating them. If your bank lets you just walk into the nearest branch and close you
Insecure (Score:2)
Re: (Score:2, Interesting)
Re: (Score:2)
By the time you cancel (and if you can, actually manage to cancel), your details in all those sites would have gone out into the wild already. It's not a credit card. A credit card and its debts are still under the bank's control regardless of whether it's lost or not. Your personal details are not as such.
Re: (Score:3, Interesting)
Damned MS... (Score:2, Insightful)
Seriously... with the internet being such a dangerous place for the average user, how in the freaking hell is a single sign on going to make it better? I mean really now, this seems monumentally stupid. And worse, the summary tries to blast MS for not supporting it. For all the many things to
Re: (Score:3, Interesting)
And worse the summary tries to blast MS for not supporting it. For all the many things to bitch about MS..."They won't sign on and support one of the dumbest security ideas on the internet" seems pretty counter to the normal complaints that they do stupid things when it comes to security.
You mean like Passport (or Windows Live ID) is a good idea?
At least OpenID is a standard, not an implementation so you are free to authenticate anyway you like, and run your own OpenID provider if you prefer.
Re: (Score:2)
SSO centralizes the risk, then you can decide how much to invest in that risk.
This is how the US military CAC system works, with smartcards issued to all personnel and SSO for many services. Not all services are SSO enabled, mind you, but their security needs are higher than most.
For OpenID, I use Verisign's PIP service with Firefox plugin to combat spoofing and hardware token for 2 factor auth, and I'm quite comfortable with the security. Unfortunately there's not too many places to use it, as everyone want
Re: (Score:3, Insightful)
"How in the freaking hell is a single sign on going to make it better?"
OpenID recognises two things:
1. The fact that the vast majority of people use (or try to use) the same password for every system they have. For the systems they can't use their preferred password for, they write the password on a sticky note, and put it on their monitor.
2. The fact that most people have a handful of important accounts (banking, mainly), and then a long tail of fairly trivial stuff. Somebody might cause you a lot of embar
Re: (Score:3, Insightful)
Re: (Score:2)
In the end you have to trust somebody. If you don't and keep all your money under your bed, be your own OpenID provider, like me ;)
Which is next to worthless if all the sites that claim to support openid are also only providers, and won't let you in. Which seems to be where things are headed.
Re: (Score:2)
LiveJournal is a consumer, so is WordPress, with a plugin. My blog has that plugin, as do the blogs WordPress hosts. I have a somewhat optimistic vision of OpenID empowering, not the big guys, but the little ones. I can use my personally hosted OpenID account to log into my friends' blogs to comment, for example.
Re: (Score:2)
Holy shit! You mean, when I use OpenID I'm being tracked by my provider?
Oh wait, my provider is... me. phpMyID [siege.org] motherfucker, DO YOU GET IT?
Yay another Passport (Score:2, Funny)
I guess Microsoft's failure with Passport isn't going to deter MySpace from building a system that no one is going to use either.
Is 1 ID really wise? Single point of failure? (Score:4, Insightful)
Call me a bit concerned, but I have unique IDs & passwords across all sites (social networking, blogs, financial, political, etc.). There is free user ID/password management software so you don't have to memorize every ID and password.
Re: (Score:3, Interesting)
> Is having 1 global ID really wise?
Around five years ago there was a lot of buzz about federated Web identification. Passport, OpenID and Liberty Alliance date from that era.
I think this was leakage out of the corporate world, where single-sign-on makes sense for employees or vendors operating on a private network.
For a Web world, compartmentalisation of sign-on is vital. Not only does it protect against compromise, but it also provides ultimate control over authentication. If one no longer wi
Re: (Score:2)
For a Web world, compartmentalisation of sign-on is vital.
Only up to a point.
I have 128 logins that I keep. I know that because I don't remember any of them; I have a file full of them. When I use Yet Another Website, I'm really tired of making Yet Another Login.
If one no longer wishes to have dealings with a site, it is easy to randomise the password and delete the corresponding e-mail alias.
If you think that using openId from Site A to log into site B gives site B ways to continue having dealing with you a
Re: (Score:2)
> I've seen a fair amount of OpenId around recently. You can use it on Blogger and LiveJournal. If it's a "last gasp" for a declining technology, how do you back that statement up?
I looked over the list on openiddirectory.com; 634 participating sites. That's greater than zero, admittedly. Just about.
The story of SSO in e-commerce is brief and inglorious. ebay dropped Passport support in January 2005; Amazon never got onboard; Google established its own intra-domain federation; Yahoo announced Ope
And if it gets stolen? (Score:2)
The obvious concern here is that if your openid user+pass gets stolen, you just lost everything.
Most people seem to use the same user+pass everywhere anyway, and if you had one password compromised on a keylogger or public terminal you probably had them ALL compromised.
So maybe it's still an improvement, but it should be considered as a very serious concern.
Re: (Score:2)
But at least OpenID puts the matter into your hands (if you so desire). If you recycle usernames and passwords (as many people do) then a compromise of any site (and these sites are beyond your control; a third party merely needs to make a mistake, and that happens all the time) and your credentials are compromised and can be used to take your identity on other sites.
With OpenID, if you run your own provider,
single point of identity theft? (Score:2)
Although, most idiots today use the same username and password for everything anyway.
Username Squatters? (Score:2, Interesting)
I can see this now, people rushing to register OpenID unique usernames. Currently, with these 100 million accounts, the same username could be used by 4 different people across 4 different sites. Now we'll have people squatting to reserve usernames which are unique across all four sites.
We'll end up with the same problem we have now with domain names: grandma will have to register with grandma_alkjs because grandma_mimi will cost her $100 to get from a squatter.
Re: (Score:2, Insightful)
Kind of a bad idea. (Score:2, Insightful)
...even if your data doesn't get stolen, doesn't get lost, and doesn't get compromised in any other way, this is a BadIdea(tm) from a privacy point of view.
Why? Because if you care about your privacy on-line, one single clue about who you are will give away who you are *everywhere* [on the websites using OpenID authentication]. Have your real name on Facebook? Everyone on the net will be able to find *your* MySpace, AOL, Yahoo, BlogThis and IMThat... account.
Even if you don't have your real name anywhere: y
A Major Advantage You're Missing (Score:5, Interesting)
All the concern about too many eggs in one basket is certainly valid. However, one major advantage of a centralized login system is being missed here: the ability to change all of one's passwords easily on a somewhat regular basis. As it stands now, I have so many accounts, many of which use the same password, some of which use variations of that password, etc., that the notion of going through and changing all those passwords is completely daunting. Hence, I never do it.
With openID, every time I got a bit nervous, I could change the one true password, and still have to remember only it. A good openID provider could even give reminders or enforce a password expiration, which would go from extreme nuisance when done on an individual site basis, to real additional security, potentially offsetting the loss of security inherent in the single point of failure for many users.
yay for... (Score:2)
single point of failure!!
I'm glad I got rid of MySpace about a year and a half ago. I never really do anything with my Blogger account, and I'll probably buy my own domain again to get away from Gmail.
To paraphrase Ian Malcolm, what they call progress, I call the rape of the digital world.
Ok, the summary and article stinks (Score:3, Insightful)
GAWD the amount of "OMG Single point of failure PONIES" posts is ridiculous.
You do NOT give OpenID all your passwords and logins.
It's not turning all those accounts over to a third-party and them giving you a single login and password.
It's using ONE account at MANY other sites in a limited form.
Example: using my account here (http://www.slashdot.org/~GrumblyStuff/), I'd post it into the separate OpenID field on say... MySpace.
This takes me to a confirmation page on Slashdot that requires being logged into said account. You're logged in? Then everything is peachy and you can be added to friends, add friends, write comments, whatever on MySpace. You'll have an account there that simply has a link to your Slashdot account.
THAT'S IT.
I RTFS. I RTFA. I even went to the OpenID website [openid.net] to make sure they hadn't gotten some dumb fuck idea like most everyone writing comments here is freaking out over.
Note the key phrase "eliminates the need for multiple usernames". That means not needing an account at MySpace, Facebook, or Livejournal to message a friend.
I don't know how AOL, Wordpress, and Yahoo fit in (if they got blogs or if it's to be used with IMs or email) but it works alright with regular blogs. (I don't know wtf Vox is though.)
Re: (Score:2)
Note the key phrase "eliminates the need for multiple usernames". That means not needing an account at MySpace, Facebook, or Livejournal to message a friend.
That's not entirely true. It might've been the goal of OpenID to eliminate the need to have different accounts on different sites, but in reality it only eliminates the need to remember different usernames and passwords. Relying parties could still require you to fill out a form to sign up the first time you log in with your OpenID. There's a chance you'll need to choose a username, and maybe even a password. The only difference is you won't have to remember them.
Re: (Score:2)
Then there'd be no difference between OpenID and just signing up and checking that box that says "Remember this password", in which case, HEY, they just made themselves entirely redundant. That or at least such a nuisance people will settle with posting anonymously or simply making an account there.
In either case, I fai
Running one's own authentication (Score:2)
Public keys ? (Score:3, Insightful)
Your password stays on your machine, and never gets shared over a network. This would eliminate needing multiple passwords for multiple sites. It works well for SSH, which I think is a tad more secure than having username/password pairs being sent to a myriad of different sites.
Also, a public key based system would allow you to be anyone you wanted on any site, as long as your public key could be validated against your private key.
Kind of like a validated session cookie, you could visit a site and instantly be logged in as the user you specified originally. My password for my SSH private key is a fairly long sentence, but I only have to enter it once per local login session ( I use the SSH agent). If the sites I visit were to make use of that, then I would never need another username-password pair again.
Of course this idea is not new and the principle can be found in many flavours of password storing agent software, but they all use their own standards, and they all transmit the stored password, rather than just sending a 1 or a 0.
Note I do not propose that the browser handles the verification, but that it hands off to the OS for verification, then takes the OS's response and transmits that to the web site concerned. Said website can then use a session cookie to track state as usual.
wonderful (Score:2)
Now I only have one username and password to hack and your world is mine
OpenID is a terrible idea (Score:2)
This sounds like an absolutely terrible idea. How many times have we told users that it's best not to use the same password for every account? OpenID sounds like an enabler of stupidity and a huge security risk.
OpenID is a terrific idea (Score:2)
OpenID is not using the same password for every account. It's having just one account instead of many, and thus only one password to remember (which can then be a better password since you have to remember fewer).
Re: (Score:2)
There are already better tools that work with all sites for remembering passwords. Firefox is but one example. It can remember logins and passwords for any site and protect the password list using strong encryption. To use OpenID with any confidence, one must trust an OpenID provider. You can ru
defacto standard? (Score:2)
Forum software (Score:2)
Anonymous SSO? (Score:3, Interesting)
Re:Anonymous SSO? (Score:5, Informative)
Re:Anonymous SSO? (Score:4, Interesting)
I would really like there to be different levels of how "signed-in" you are, and to be able to set on the site how "signed-in" I must be for the account to be accepted.
For example, just a persistent cookie might be enough to allow "level 1" authentication, which means I can see my Google homepage.
My password might be needed for "level 2", allowing me into my webmail.
A SecurID token or smartcard and password could get me "level 3" allowing me to do online banking with my OpenID.
With the current state of affairs though, I think we can but dream...
Re: (Score:3, Informative)
Nothing about the OpenID spec requires an e-mail address, or even a password: http://www.jkg.in/openid/ [www.jkg.in]
Re:OpenID? (Score:4, Insightful)
> Who cares about a unified username/password "experience".
Fair enough, but I think for many users it would be cool to have unified identities across several sites, i.e. so my MySpace social network could be parsed by YouTube or my favorite online game or what have you. Not saying it's for everyone, but there's certainly some value there for some.
Re: (Score:2)
Nothing stops you from getting several openid accounts, one for all your social networking sites (so if one gets hacked, so do the others; it's still not that much of a big deal once you're older than 12).
For my bank, I don't use openID. For my email, I might be persuaded to use 1 openID for several email accounts. For crappy websites/forums that need a login but are really not that important, I'd like to use a single openID account for them all.
This would be a lot better than using the same username and p
Re:OpenID? (Score:5, Informative)
Re: (Score:2)
Re: (Score:3, Interesting)
Who cares about a unified username/password "experience".
I think that would be almost everyone who's tired of remembering (or writing down) a hundred different passwords, as well as everyone who's already using the same password everywhere because (see previous).
A single username/password combination is an idiotic idea which means one site getting compromised compromises ALL websites you've an OpenID profile on. Who thinks of these idiotic ideas?
You.
The people behind OpenID thought of it as a problem to solve and found a solution. Newsflash: If my game (see footer) accepts OpenID as a logon mechanism (and it will, once I get around to coding it), I won't get your actual login data. What I'll get is a way to ask thirdparty.com if you really are du
Re: (Score:2)
But how well distributed would this be in reality? The Long Tail will help us and hinder us. Let's say that the majority of /. readers and their ilk set up their own servers.
But the vast majority of the population, if OpenID became popular, would in reality use a handful of service providers. A successful attack, either technical or social, would result in access to their credentials.
A successful OpenID service provider may as well paint a bullseye on its back. And going to the paranoid extreme, what is to
Re: (Score:2)
The honey trap server *is* a real possibility and chink in the armor. The Infocard people think their plan fixes this, because your local PC would have to be compromised, instead of your session just getting a bad DNS entry taking you to the honey trap. It's harder to compromise 10,000 PCs to get 10,000 identities (versus being a man-in-the-middle to one web site to get 10,000 identities).
I actually want Infocard to take off, but more people seem to like the OpenID plan. Heck, I submitted a /. poll asking
Re: (Score:2)
You might not understand how OpenID works. You appear to think a compromise of any of the sites compromises them all. Nope. Your OpenID provider is the one and only site whose compromi
Re: (Score:3, Interesting)
What we need is the opposite of this scheme.
We need to store our passwords on our own local trusted machine. Like on our personal mobile phone with tested HW encryption, which requires multifactor ID: thumbprint, voice recog, keyed PIN, retina scan. In fact, that device shouldn't store some simple password data, but rather a one-time password generator that generates unique secure password sequences for each challenging site. Maybe the phone should send the password via IR/Bluetooth or a phonecall, but secur
Re: (Score:2)
OpenID lets you do that, though I haven't heard of a provider implementation that actually does that, yet. Shifting to OpenID is what is going to let you get what you want, because it centralizes the authentication and you can control that central point and
Re:One Password to Rob Them All (Score:5, Informative)
Maybe you should try reading the spec then, since that's exactly what it's designed to do.
The only place that gets your plain text password is your OpenID provider, and whenever you try to login to another site using OpenID, you get redirected to your provider's site, where:
1) If you don't already have a session open, you login, and then go to 2.
2) You get asked if you really want to login on the client site, and if so, what information do you want to let them have (usually anything from "nothing at all" to "everything", or a combination of them).
This way the only site you need to implicitly trust is the OpenID provider - which if you choose can be on your own server, running your own code, with whatever means of authentication you like.
If you're feeling really paranoid you could even have it send you a text message, or electrocute your balls, every time someone logs in with your credentials, so that even if someone does get them you'll know as soon as they try to use it, and can disable or change them.
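The redirect-and-assert flow described in the reply above, as an added worked example (not code from the original thread, nor from any OpenID library). It simulates one provider and two consumer sites: the password is only ever checked by the provider, each consumer gets an assertion signed with its own association key, and an assertion forged by a compromised consumer is rejected by the other one. The identifier URL, the provider endpoint, the site names and the "correct horse" password are constructed; discovery reads a <link rel="openid.server"> tag instead of Yadis/XRDS, the association secret is handed over directly instead of being negotiated with Diffie-Hellman, and HMAC-SHA256 stands in for the negotiated MAC, so treat the wire details as a sketch of the protocol rather than a spec-exact implementation.

```python
"""Toy OpenID exchange (constructed example, not OpenID library code): a user signs in to two
relying parties (RPs) while only the provider ever sees the password."""
import base64
import hashlib
import hmac
import secrets
import time
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed identity page and identifier: the user controls this URL, hence which server may vouch for it.
IDENTITY_HTML = '<html><head><link rel="openid.server" href="https://provider.example/op"></head></html>'
CLAIMED_ID = "https://jimbob.example/"
SIGNED_FIELDS = ["mode", "identity", "return_to", "assoc_handle", "response_nonce"]


def discover(html):
    """Return the provider endpoint named by the identity page's <link rel="openid.server">."""
    class LinkParser(HTMLParser):
        endpoint = None

        def handle_starttag(self, tag, attrs):
            a = dict(attrs)
            if tag == "link" and a.get("rel") == "openid.server":
                self.endpoint = a.get("href")
    parser = LinkParser()
    parser.feed(html)
    return parser.endpoint


def sign(secret, params, signed_fields):
    """MAC over the Key-Value Form of the signed fields (one 'key:value' line each, openid. prefix dropped)."""
    kv = "".join(f"{k}:{params['openid.' + k]}\n" for k in signed_fields)
    return base64.b64encode(hmac.new(secret, kv.encode(), hashlib.sha256).digest()).decode()


def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Provider:
    """The only party that ever handles the password; it stores a salted PBKDF2 hash, not the password."""
    def __init__(self):
        self.users, self.assocs = {}, {}

    def register(self, identity, password):
        salt = secrets.token_bytes(16)
        self.users[identity] = (salt, pw_hash(password, salt))

    def associate(self):
        """Per-RP association: a public handle plus a MAC key that only this RP and the provider know."""
        handle = secrets.token_hex(8)
        self.assocs[handle] = secrets.token_bytes(32)
        return handle, self.assocs[handle]

    def checkid_setup(self, req, password):
        """The user is redirected here with the RP's request and authenticates to the provider alone."""
        identity = req["openid.identity"]
        key = self.assocs.get(req["openid.assoc_handle"])
        salt, digest = self.users[identity]
        if key is None or not hmac.compare_digest(digest, pw_hash(password, salt)):
            return {"openid.mode": "cancel"}  # no assertion is issued; the RP learns nothing
        resp = {
            "openid.mode": "id_res",
            "openid.identity": identity,
            "openid.return_to": req["openid.return_to"],
            "openid.assoc_handle": req["openid.assoc_handle"],
            "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4),
            "openid.signed": ",".join(SIGNED_FIELDS),
        }
        resp["openid.sig"] = sign(key, resp, SIGNED_FIELDS)
        return resp


class RelyingParty:
    """A consumer site: it holds an association key and its own session state, never the password."""
    def __init__(self, host, provider):
        self.return_to = f"https://{host}/openid/return"
        self.handle, self.secret = provider.associate()
        self.seen_nonces = set()

    def begin(self, claimed_id, identity_html):
        """Discover the provider for the claimed URL and build the checkid_setup redirect."""
        req = {"openid.mode": "checkid_setup", "openid.identity": claimed_id,
               "openid.return_to": self.return_to, "openid.assoc_handle": self.handle}
        return discover(identity_html) + "?" + urlencode(req), req

    def finish(self, resp):
        """Accept the assertion only if it is addressed to us, not replayed, and signed with our key."""
        if resp.get("openid.mode") != "id_res" or resp.get("openid.return_to") != self.return_to:
            return None
        if resp.get("openid.assoc_handle") != self.handle or resp.get("openid.response_nonce") in self.seen_nonces:
            return None
        signed = resp["openid.signed"].split(",")
        if not set(SIGNED_FIELDS) <= set(signed):
            return None
        if not hmac.compare_digest(sign(self.secret, resp, signed), resp["openid.sig"]):
            return None
        self.seen_nonces.add(resp["openid.response_nonce"])
        return resp["openid.identity"]


def demo():
    """Returns (identity on success, None for a wrong password, None for a cross-site forgery)."""
    op = Provider()
    op.register(CLAIMED_ID, "correct horse")
    game, forum = RelyingParty("game.example", op), RelyingParty("forum.example", op)
    _, req = game.begin(CLAIMED_ID, IDENTITY_HTML)
    ok = game.finish(op.checkid_setup(req, "correct horse"))
    bad = game.finish(op.checkid_setup(req, "wrong password"))
    # Whoever owns game.example has its association key and can read forum.example's public handle
    # from its redirects, but cannot produce a signature that forum.example will accept.
    forged = dict(op.checkid_setup(req, "correct horse"))
    forged["openid.return_to"], forged["openid.assoc_handle"] = forum.return_to, forum.handle
    forged["openid.sig"] = sign(game.secret, forged, SIGNED_FIELDS)
    return ok, bad, forum.finish(forged)
```

Running demo() returns the claimed URL for the genuine login and None for both the wrong password and the forged assertion, which is the whole point the reply makes: a consumer site compromise yields one association key and nothing else, while a provider compromise (the users table and every key in assocs) would let an attacker mint assertions for every consumer.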
Re: (Score:3, Insightful)
Ok. So don't use it. The fact is that many (most?) of us have one or two email accounts that we use for registration purposes. If our email was cracked then all of those registrations are toast. From what I've read, OpenID provides a way to replace this hack (email is not meant for personal identification... it's meant for communicating text efficiently) with a registration system that is as secure as the provider you choose to sign up with. There are providers that give you the same lack of security a
Re:DO NOT WANT (Score:5, Insightful)
And if only ONE of those websites is compromised, my login is now compromised across the board,
Take the trouble to read up on OpenID, and you'll find this is not the case. Having one site which you log in to compromised will not compromise the others. The only way you'd lose control of your OpenID identity is if your OpenID provider was compromised.
You can also select how much information you disclose to different sites, revoke permissions to certain sites, and choose more secure login methods like certificates.
Re: (Score:2)
Really?
Oh, so one site being compromised WILL result in all of your accounts being compromised after all. Please get your story straight. This is a terrible idea and is just trading security for convenience.
Re: (Score:2)
I suspect that you're just being an ass and intentionally missing the point.
With OpenID, you have a provider and multiple consumers. If any of the consumers get hacked, your account on the other consumers will not, by association, be hacked. If your provider is hacked, all of the consumers will be compromised until you can switch your provider. So the original poster's assertion:
There are some websites/services I just plain old don't trust with some or all elements of my real information. And if only ONE of those websites is compromised, my login is now compromised across the board
is either disingenuous or the result of a misunderstanding. If you don't trust a website, don't make them your provider. But
Re: (Score:2)
Re: (Score:2)
Also it should be noted that you don't have to use passwords to authenticate with your provider. MyOpenID supports certificate-based authentication, and has just started offering CallVerifID(TM) [myopenid.com], which will phone you when you sign in.
Regards
elFarto
Re: (Score:2)
Re: (Score:2)
Some parts are true. My ID is also kinda long. I don't like the idea of a user name being a URL. Could've been done better, like one HUGE DB that sites validate against, with mirrors to back up too.
Re: (Score:2)
I don't know about other blogs, but WordPress with the OpenID plugin will let you list multiple OpenID URLs that will allow access to your account.