The Case for OpenID

An anonymous reader writes "VeriSign and NetMesh are making the case for OpenID, the grass-roots, decentralized digital identity system already supported by LiveJournal, Six Apart, Technorati, VeriSign and many startups, reportedly growing 5% every single week. They say OpenID 'is fundamentally different from other identity technologies' because it is a 'fully decentralized system' and has a 'much lighter cost structure' than any alternative, like Microsoft Passport, CardSpace or Liberty Alliance. Time to remove username and password from your site and add OpenID libraries instead, so visitors can authenticate with their blog URL?" From the article: "If tomorrow, for example, you decide you don't like the Diffie-Hellman cryptographic key exchange at the root of OpenID authentication, you can develop your own way of authenticating, and deploy it within the OpenID framework. If you have an idea for a new identity-related service that nobody else ever thought of, you can deploy it into the OpenID framework as soon as your code is ready. This radical decentralization on all levels of the stack, both technically and organizationally, is a very strong catalyst for attracting innovators and their innovations. This makes OpenID a superior choice for identity-related innovation."
This discussion has been archived. No new comments can be posted.

  • No way! (Score:4, Insightful)

    by Anonymous Coward on Tuesday December 05, 2006 @08:34AM (#17112228)
    Time to remove username and password from your site and add OpenID libraries instead, so visitors can authenticate with their blog URL?

    Urgh, no way! I do not want all my identities to be tied together through one system. My actions on one site should in no way, shape or form be able to be tied in with what I do on other sites. Compartmentalizing my online life is the best remaining way to retain a modicum of privacy and stave off easy identity theft.

    Any website switching to openID exclusively will lose my business. (Of course, if they offer it in addition to a standalone u/p, I'm fine with that, although I do fear that once it gets enough momentum, the standalone u/p will disappear after all.) :/

    • by G4from128k ( 686170 ) on Tuesday December 05, 2006 @08:45AM (#17112322)
      Any website switching to openID exclusively will lose my business

      There's no need to abandon a place just because they use openID. Why not set up multiple IDs with different user names, passwords, and email addresses? (I assume that's possible under OpenID?).

      I agree that a single collection of IDs (all-eggs-one-basket) represents a dangerous single point of failure. But just because someone implements a new potentially better basket doesn't mean you have to put all your eggs in that basket or avoid using sites that use that type of basket.
    • Re:No way! (Score:5, Interesting)

      by mmurphy000 ( 556983 ) on Tuesday December 05, 2006 @08:50AM (#17112382)

      There's been discussion of OpenID providers offering aliases, so you could have a number of distinct "IDs" you mix-and-match with, but they're all validated by an OpenID provider. I don't think the spec says one way or another regarding this; it would be a feature of whichever OpenID provider you used for your identity.

    • Re:No way! (Score:5, Interesting)

      by Blakey Rat ( 99501 ) on Tuesday December 05, 2006 @08:53AM (#17112404)
      Well, I'm not you and I'm damned sick of having to keep a long-ass list of usernames and passwords for sites I really don't care much about. If I have to register to post a comment on some blog, I don't really care if someone steals that registration or password because I'm not likely to ever visit that blog again. If I could use a single ID to avoid registering at different sites 4 days a week, I'm all for it.

      The second point is that nobody's holding a gun to your head and forcing you to use it. If you don't like it, just create a new password for each site anyway. It doesn't prevent that.

      (Sidenote: Stop requiring registration for moronic things! I don't want to give you any personal information to post in a damned blog!)

      (Also, why do all these misguided technophobe posts always get modded up first? I thought this was a site for technology enthusiasts.)
      • by sverrehu ( 22545 )

        (Also, why do all these misguided technophobe posts always get modded up first? I thought this was a site for technology enthusiasts.)

        I'm sure all of them will be extremely enthusiastic about my new uber-cool, super high tech suicide machine.

      • Re:No way! (Score:4, Interesting)

        by Not_Wiggins ( 686627 ) on Tuesday December 05, 2006 @09:58AM (#17113074) Journal
        Well, I'm not you and I'm damned sick of having to keep a long-ass list of usernames and passwords for sites I really don't care much about.

        Then try an approach that I've found incredibly useful... use generated site passwords along with address extensions!

        First, for passwords, you only need to remember *1* and have the following javascript (which runs client side) from this most excellent site:
        GenPass. [zarate.org]

        Next, look into using address extensions (ala what are available via postfix) and define unique addresses per each site you visit (most that I visit have adopted the email address as the username).
        For those not familiar with address extensions, you get a base user id within your email system that you're allowed to dynamically apply an extension to and it'll still get delivered to your base box. So, if you're "sam@abc.com" with an extension, the address "sam+slashdot@abc.com" will still deliver to your base mailbox.

        Then it is trivial to figure out which site leaked your address for spam as well as start blocking a particular address (either by using procmail or a combination of postfix with an SMTP proxy such as smtpprox). [latency.net]

        And while we need the tech savvy of the world setting up the mailserver side of things for our less tech-interested friends (I've done this for friends and family and host mail for them), it simplifies by effectively making it easier to manage multiple identities instead of depending on a bastion one.
        • >First, for passwords, you only need to remember *1* and have the following javascript (which runs client side) from this most excellent site:
          GenPass.

          Quite a few options for this functionality. Last time I reviewed them, my favorite was pwdhash [mozilla.org].
      • Way! (Score:3, Insightful)

        by PopeRatzo ( 965947 )
        It is possible, you know, for a technology enthusiast to have some understanding of the fact that most people who use the internet are NOT technology "enthusiasts" (your term).

        Expecting actual humans to remember a host of usernames and passwords just to be able to participate in online discussions and shop for a book is not acceptable. Why can't techies get it through their heads that user friendliness is an important part of elegant software design? Security people seem to have the hardest time with this
        • Re: (Score:2, Insightful)

          by mha ( 1305 )

          On the flip side, I don't expect my car, my house, my office and my bicycle all to be unlocked with the same key,

          VERY bad analogy - you don't need ANY keys to enter a store, coffee shop, etc. in the real world, but on the Internet you do! In the real world you need keys only for YOUR stuff, on the Internet they won't let you in without one even though the places are "public". (I'm not complaining about THAT, the spammers caused a lot of that so I don't blame the site owners. You'd install ID-checks at your

        • by bigpat ( 158134 )
          What? You just totally supported the point of the person you are replying to, yet you wrote in a tone that made it appear you were rebutting his argument. So, you just said the same exact thing, that you didn't want to have to remember a bunch of passwords either, and then get modded "Insightful"?

          Okay then, I'll play along then... I totally disagree with you, having a lot of passwords sucks. I can't believe you would suggest something like that.
      • Get a decent browser that remembers passwords, was that sooooo tricky? Didn't think so.

        And for multiple computers? Well, I would be using portable Firefox in the first place so you don't leave bits of junk behind...
        • Get a decent browser that remembers passwords, was that sooooo tricky?

          In short, yes.

          Because half the sites don't even use SSL, and a tenth of them are things I need to be ridiculously secure. That means the best way would be to randomly generate them all, which means if my Firefox profile dies (has happened before) I'll have to re-register them all.

      • >Stop requiring registration for moronic things! I don't want to give you any personal information to post in a damned blog!

        I don't want to have to carry keys to unlock my house and car doors...
        And I don't want to require people to give out personal information to post in my blog but unless I do so, it's filled with spam postings and morons gabbling about politics.
    • by BokLM ( 550487 ) *
      Well, just because you can doesn't mean you have to. You can use one OpenId for all the sites you visit, but you can create one for one web site (there's no limit on the number of OpenIds you can have).

      By the way, do you use the same password on all the websites you visit? If so, if someone can steal your password (the owner of one of those websites can, for example), then he can log into all the accounts that you use with the same password. With an OpenID you only have to remember one password, and there'
    • Some info direct from the spec that might alleviate some of the paranoia:

      So, to use www.example.com as their Identifier, but have Consumers actually verify http://exampleuser.livejournal.com/ [livejournal.com] with the Identity Provider located at http://www.livejournal.com/openid/server.bml [livejournal.com], they'd add the following tags to the HEAD section of the HTML document returned when fetching their Identifier URL.

      Now, when a Consumer sees that, it'll talk to http://www.livejournal.com/openid/server.bml [livejournal.com] and ask if the End User is exa
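The delegation lookup described in the comment above, as an added example that is not part of the original thread or of any OpenID library. It assumes the OpenID 1.x `openid.server` and `openid.delegate` link relations; the function names, the constructed sample page and the `other.invalid` host are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _HeadLinks(HTMLParser):
    """Collect <link rel=... href=...> pairs that appear inside <head> only."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            # Markup outside HEAD (for example user-submitted content on the
            # identity page) must never influence which server is consulted.
            self.in_head = False
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = a.get("href")
            # rel may hold several space-separated, case-insensitive values.
            for rel in (a.get("rel") or "").lower().split():
                if href and rel not in self.links:  # first occurrence wins
                    self.links[rel] = href.strip()

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def _http_url(url):
    """Accept only absolute http(s) URLs; the consumer will fetch these itself."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return url


def discover(claimed_id, html):
    """Return the server to contact and the identity it is asked to verify.

    claimed_id is the URL the user typed; html is the document fetched from it.
    Without an openid.delegate link the claimed URL itself is verified.
    """
    parser = _HeadLinks()
    parser.feed(html)
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link in HEAD")
    return {
        "claimed_id": claimed_id,
        "server": _http_url(server),
        "verify_id": _http_url(parser.links.get("openid.delegate", claimed_id)),
    }


# Constructed sample: the identifier page at www.example.com delegating to the
# LiveJournal identity and server URLs quoted in the comment above.
SAMPLE_PAGE = """<html><head>
<title>Example home page</title>
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://exampleuser.livejournal.com/">
</head><body>
<p>Guestbook entry containing markup:</p>
<link rel="openid.server" href="http://other.invalid/server">
</body></html>"""

if __name__ == "__main__":
    for key, value in discover("http://www.example.com/", SAMPLE_PAGE).items():
        print(f"{key:10} {value}")
```

The site keeps `claimed_id` as the account key, so the owner of www.example.com can later point the two links at a different provider without losing the accounts tied to that URL.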

    • by Intron ( 870560 )
      What's to prevent you from setting up multiple IDs? You can still be "brad@livejournal" and "sexysue@hotbabes.com" if you want. You just need to have accounts at multiple OpenID servers.
  • by lidocaineus ( 661282 ) on Tuesday December 05, 2006 @08:35AM (#17112234)
    ...but there's no real easy server implementation on Linux (or any other OS) that doesn't require you to do a decent amount of interfacing with the libraries. In other words, if you have time, it works great (ie, your employer wants you to work on an OpenID implementation project). If you just want to host some IDs on your personal box, there's no easy drop-in server software, or even reference software; my non-coder friends can't even begin to use it. I mean even Jabber has jabberd that you can build on.

    Anyway I'm sure that'll change in the future, but it'd be nice to have now. Or maybe I'm completely blind and there's a reference server implementation hanging around somewhere?
    • There is a very simple PHP-based server that I came across a while ago, although it's pretty much a minimal implementation.

      Irritatingly, I can't find it now, though...
    • My non coder friends can't even register! You have to alter the HEAD portion of an HTML document that you own to authenticate yourself. People with just a myspace page can't do that!
      • The idea is that the service provider (e.g. MySpace) does it for them.
      • Er, that's exactly what I said. If you want to run YOUR OWN IMPLEMENTATION, you really can't unless you use someone else's (at this point, I'm still looking at this PHP server). This is unlike apache, postfix, jabber, proftp, etc etc etc that you don't have to know how to use APIs to use - you build the software (or install a package) and configure it on your local server. A couple lines in the HEAD section aren't going to do much to authenticate you if you don't have anything to authenticate against.
    • by fbjon ( 692006 )
      You have to create one yourself. Just make sure to deploy a radically decentralized dev-team framework too, with superior identity-related defocus.
  • by Mr. Underbridge ( 666784 ) on Tuesday December 05, 2006 @08:36AM (#17112236)

    reportedly growing 5% every single week.

    Translation: last week the install base consisted of his algebra class. This week he installed it on his mom's computer. Next week he's going to grandma's house and he'll install it there too.

  • WOW (Score:3, Funny)

    by giorgiofr ( 887762 ) on Tuesday December 05, 2006 @08:36AM (#17112242)
    Now if they only leverage their know-how and implement top-of-the-line solutions thanks to their synergies, they'll be buzzword 1.0 compliant, too! I can't wait!
  • by a_nonamiss ( 743253 ) on Tuesday December 05, 2006 @08:38AM (#17112258)
    It's all well and good that I can write my own implementation of Diffie-Hellman key exchange, but if my mother can't go to a site and quickly and easily create a login, it's not going to work. I'm not at all saying it's a bad idea. Technically, it's a wonderful idea, but it has to be made so simple that anyone can access it, otherwise people are going to continue to use stupid services like Microsoft Passport.
    • For many people, I suspect they will get an OpenID as a side-effect of joining some specific service of interest. For example, IIRC, LiveJournal IDs can be used as OpenIDs. So, people who joined LiveJournal to blog get, as a benefit, an OpenID they can use elsewhere (e.g., commenting on other blogs). So, in the case of your mother, she might well wind up with an OpenID from an existing service that converts to OpenID as a provider -- for example, it would be fairly easy for Yahoo or Google to offer OpenIDs

    • Who needs Microsoft Passport when there's CardSpace [netfx3.com]? I wonder if anyone is ever going to implement CardSpace, even Microsoft!
    • I think the other respondent hit the nail on the head.

      Most people (aka, 'your mom') won't know that they're using an OpenID at all. Instead, they'll probably just think of it as the ID of whatever service provides the OpenID authentication. So LiveJournal or whatever, but potentially in the future a more mainstream provider like Yahoo. I'd expect that sites which used OpenID and catered to a non-technical audience might even disguise the fact that it's OpenID (instead, "Sign in with your LiveJournal ID here
  • by pHatidic ( 163975 ) on Tuesday December 05, 2006 @08:43AM (#17112314)
    So has anyone else noticed it seems like there is nothing new happening in the Internet in the last couple months? Well actually there is interesting stuff happening, it's just that Reddit and Digg have been taken over by spammers so you'd never know it otherwise. The thing is the more eyeballs a certain website has the more temptation there is to cause mischief, so a website can never go above a certain quality threshold without an identity system to ban trouble makers. Both Reddit and Digg have hit this threshold, so it will be impossible to get better news without a system like this.

    The problem though is that OpenID is currently just a framework. There is no way to prevent people from making 100 accounts, which is still the problem. Once we have a way of making sure each person only has one account, even if we don't know who that person is and can't identify them in any way, then and only then will social software be able to break through this quality barrier that it is currently capped at. I wrote about one way of doing this here [alexkrupp.com], and there are other ways. Hopefully within the next ten years we can have this problem solved, to enable the next generation of web apps that aren't even possible today.

    • Re: (Score:3, Insightful)

      by Elyas ( 59360 )
      Actually, that's really only true if you go about it by trying to "find" the bad users.

      If you want, instead, to look for good, legitimate users with regular usage patterns, the only thing you need is the data and a single sign-on distributed across the systems. You make it easy to get a bad reputation, and hard to get a good one, just like real life. Then voting systems can more heavily favour the consistently useful users, etc.

      Finding the bad guys is whackamole, and useless :)
    • I'll be rooting for the people who break it. Among the things I like most about the internet are anonymity and the ability to shut off accounts from each other, thus I'll keep trying to maintain them, even if these very virtues make the net less professional.
    • Re: (Score:2, Informative)

      by IL-CSIXTY4 ( 801087 )

      There is no way to prevent people from making 100 accounts, which is still the problem

      Actually, that's something I see as a feature. Some people have facets of their lives that they don't want tied to and searchable by their "public" OpenID. Having multiple OpenIDs allows one to keep their private and work lives separate, for example.

      Now, one person having 100 accounts that they use to troll message boards...that's a problem best solved with a reputation system, and OpenID's creators make it clear on

    • Hopefully within the next ten years we can have this problem solved

      Dude, it'll be too late by then. We'll be up to web 10.0 by then easy.
  • by Toby The Economist ( 811138 ) on Tuesday December 05, 2006 @08:48AM (#17112374)
    > reportedly growing 5% every single week

    And WTF does that actually MEAN?

    It superficially appears to assert that the number of people using OpenID is growing each week by 5%.

    Is this the number of people *actively* using OpenID, or the total number of ALL users ever, e.g. including those by people who've used it once and then walked away?

    Is this the total number of people across ALL OpenID service providers? This seems unlikely, since someone would have had to have done the work of collating all the stats from all those providers.

    If it is then just a sampling of providers, how was the sample chosen? Is it representative? Or was it opportunistic, e.g. those OpenID service providers who are loudest about OpenID and so could be expected to tend to be those who see the largest growth rate in users?

    Also, 5% each week sustained actually means an ever increasing absolute number of users, since it's 5% of an ever larger user base. When your user base is 100 people, 5% is five new people, which isn't hard to sustain on a week in, week out basis. So what is this 5% - which could be completely inaccurate anyway, since we've no idea of the sample it's based on - 5% *of*?

  • Can I write an app that automatically collects the credit card number of any subscriber of that service that is visiting my site (just to check they are 18, of course)? In other words, can anyone do whatever he wants with the data or is there a good protection?
    • Nope, you can't. The users need (at least for the first time they visit your site) to type their OpenID address to your site, they will then get redirected to *their* OpenID provider site to verify what data should be made available to your site. Oh, and AFAIK no one uses OpenID for CC info...
  • From the article:
    Entrepreneurs and intrapreneurs, for whom OpenID provides a fertile ground for innovation, such as:

    - reputation services, which help both end users and site operators and represent a major business opportunity in itself;
    - open social networks that are not confined to a single vendor's site;
    - more secure, efficient and accountable messaging systems that one day could replace the protocols that e-mail runs on.

    Some have told us they consider the OpenID community to lack a clear pro
    • by hey! ( 33014 )

      What are the "real" problems?


      Easy. All the special cases of "How do I make money with this?" to start with.

      No matter how good the system, that's going to be limiting factor in vendor support at the outset.
    • by iabervon ( 1971 )
      OpenID allows some unknown server to authenticate you to its own satisfaction. That is, if slashdot wants to prohibit random people from posting as iabervon@livejournal.com, such that only someone able to post to livejournal.com as iabervon@livejournal.com can post with that attribution, it can use OpenID to find out. (And OpenID does this in such a way that the site that's required authentication can't turn around and steal your identity.)

      But it doesn't have a mechanism for the unknown server to prove that
  • The president of Sxip made some good points about personal identification and how it should work online, even if Sxip's implementation isn't perfect.

    In the real world, we have organizations that create forms of ID, and other organizations that need to identify us. I have a birth certificate, a library card, a passport, and a credit card, for example. These all certify certain personal details about myself, and they don't all cover the same details. What's also important is that they're portable, they're sec
    • What you're suggesting here is something that can be achieved by openid - simply have the government run an OpenID server. I certainly don't want to lose the ability to be pseudonymous online, but I can see other people wanting to assert their true identity. By having a government-backed authentication server, everyone can have their own way.
  • by cortana ( 588495 ) <sam AT robots DOT org DOT uk> on Tuesday December 05, 2006 @09:38AM (#17112828) Homepage
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    OpenID seems rather complex. There are already decentralised systems for authenticating a user's identity. But, if it gains momentum I would be happy to use it. One thing I can't work out is how I can create an identity. I have my own domain name and web site; I don't want to rely on Livejournal or another third party to maintain the notion of my identity.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.5 (GNU/Linux)

    iD8DBQFFdYQlshl/216gEHgRAk00AJwLvCf xLrtlKGDHcrIp7jidODlrTQCgqCPx
    czXJO4lwp5Znr+A7sSr rPJA=
    =MeMH
    -----END PGP SIGNATURE-----
    • Re: (Score:3, Interesting)

      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1

      Indeed. OpenID also seems too unreliable. What's to say the server my blog is on won't get hacked again? What's to keep the crackers from using that to forge my identity? There's no signing mechanism, no challenge/response, and it doesn't even bother to protect my "identification" from interception or duplication! All it does is prove that I have access to the blog I linked to.

      What I want is a complete solution that allows me to prote
  • My personal frustration is sites that don't let you use an email address as a username; an email address is pretty easy to remember.

    If you're really worried about a low-security "single sign on" solution (which this article seems to suggest), why not just leverage one of the many cookie schemes advertisers use to track you all over the net? (The end result is the same.)

    • by Nurgled ( 63197 )

      I guess you're joking, but OpenID actually uses a scheme very similar to how advertisers track users cross-site. The difference is that OpenID is designed with your interests in mind rather than the advertisers', so random sites can't just track you without your permission.

  • Once this system is widely used, and spammers begin to register OpenIDs in huge numbers, how will site owners prevent spammy registrations?

    With their own registration system, site owners can add features that make spammy registrations difficult (I'm getting 10 or so daily spammy registrations). Blindly trusting OpenIDs and allowing them into a site, or giving them posting rights would be crazy. So what are the options for countering spam? Can you add extra checks and validation? User verification? Black

    • I'd imagine you can ask for some CAPTCHA along with the URL.
    • by Jerf ( 17166 )
      I know the OpenID folk say "this is not a trust system" and that is not the problem they are trying to solve. But it needs to be solved for it to be widely useful!
      How do you propose that we solve the trust problem, without an identity solution to hang it off of?

      You know, it's acceptable to solve one problem at a time. It's how real engineering is done. Try to solve this entire thorny problem in one fell swoop and you get Microsoft Passport.
  • The thing with frameworks ... is that over time implementation costs increase, and interoperability decreases, as you add more concrete stuff within the framework. They give the illusion of value.

  • If you're writing an article dealing with issues of trust, especially if you're about to solicit the reader's trust in the subject of your article, make sure to start the article with the word "Verisign". You need write no more...
  • A number of other posts have alluded to 'what's the problem with identity'. In the FWIW department a summary of the important issues from someone who has spent a long time working in the field:

    1.) There is no standardized method for defining identity.

    2.) Services of value impose the Reciprocal Identity Management (RIM) problem.

    With respect to point 1, is your identity?

    mdoe

    112233

    Mary Doe

    mdoe@SOMETHING.ORG

    http://www.something.org/mary_doe

    All of the above 'representational identities' are very

  • General Reply (Score:4, Informative)

    by Jerf ( 17166 ) on Tuesday December 05, 2006 @11:10AM (#17114038) Journal
    This is a generalized reply to a number of comments that are either reflexively nay-saying the entire idea or are not understanding what this really means.

    The intent of OpenID (as I read it) is simply to provide an identity. An identity is just a name that at least one person has permission to use, and no more. Multiple people may be able to use the identity. Perhaps some aren't "authorized" (a vague, undefined term in this case), and obtained the credentials by hacking. Maybe one person has a thousand OpenIDs. It really doesn't nail you down, break your anonymity any more than posting with a Slashdot account that has no URL, email, or distinguishing username characteristic, or give the One World Government an ID to tattoo into your arm.

    The reason this is useful is that it gives further layering something to talk about. I can't tell my blog system "John Milquetoast Xavier is allowed to post on the front page", because the blog system can't understand "people". It needs "identities". But I can say "this OpenID is allowed to post".

    And all the OpenID system will tell me is that some person has authenticated with that ID. I can further restrict their activities; I can still require a CAPTCHA, I can require a paid account, I can do all kinds of things. There's no law that says I have to let everyone with an OpenID have full permissions on my site. (When I say that, it's obvious, but based on the comments clearly some people have this idea in the back of their head.)

    I can also go the other way; if your OpenID is from a site that I trust to verify you are a real human for some reason, I might allow OpenIDs from that site more permissions than one from the random internet. If my company sets up an OpenID server that we control and allow only our employees on, I might be able to trust OpenIDs from that server more than random strangers. (Assuming good security for the sake of argument.)

    You could set up your own OpenID server to do whatever. I'm sure that if this takes off, there will be OpenID servers that people choose to leave wide open to allow anonymous OpenIDs to be created by anybody. Maybe it'll simply say "Yes, that person exists" to any query with any password, if the API allows it. Using one of those won't tie you to anything.

    What you are worried about shouldn't be "identities", you are worried about "identities that can be tied to you". The generic OpenID specification can not provide that, since in the general case the OpenID server could be anything, including a compromised box, and you therefore can not trust it a priori. All it can do is provide a label. Excessive trust in an identity system is the real problem, not an identity system.

    I've been creating a weblog for myself lately that includes comment posting, and while I don't think I'm quite ready to jump to OpenID, it's actually exactly what I'm looking for. My spam-control solution will be to moderate every comment posted, but once an identity proves its bona fides, I'll whitelist it. All I want is an identity. I don't really care if I can map it back to a person, I don't care if 10 people are using it, I just want an entity that I can deal with in my database and grant it permissions to above and beyond what an anonymous user gets. OpenID would solve that problem nicely, because I have no intention of farming out to OpenID the question of how much I trust the identity, merely the existence of an identity.
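The split described in the comment above, where OpenID supplies only a verified identity and the site decides how far to trust it, sketched as an added example that is not code from the thread or from any OpenID library. The class, the permission labels, the approval threshold and every URL are hypothetical, and the `server` argument is assumed to be the endpoint that actually verified the login.

```python
from urllib.parse import urlsplit, urlunsplit

ANONYMOUS, MODERATED, AUTO_PUBLISH = "anonymous", "moderated", "auto-publish"
_DEFAULT_PORT = {"http": 80, "https": 443}


def _origin(url):
    """(scheme, host, port) of an http(s) URL, with default ports filled in."""
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    if scheme not in _DEFAULT_PORT or not p.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return scheme, p.hostname.lower(), p.port or _DEFAULT_PORT[scheme]


def normalize(identity_url):
    """Canonical spelling of an identity URL, used as the whitelist key.

    Case of scheme and host, a default port, userinfo and any fragment are
    dropped so that one identity cannot appear under several keys.
    """
    scheme, host, port = _origin(identity_url)
    p = urlsplit(identity_url.strip())
    netloc = host if port == _DEFAULT_PORT[scheme] else f"{host}:{port}"
    return urlunsplit((scheme, netloc, p.path or "/", p.query, ""))


class CommentPolicy:
    """Site-local trust decisions layered on top of a verified OpenID."""

    def __init__(self, trusted_servers, approvals_needed=3):
        # Trusted providers are matched on exact origin, never by substring,
        # so a lookalike host name does not inherit the trust.
        self.trusted = {_origin(s) for s in trusted_servers}
        self.approvals_needed = approvals_needed
        self.approved = {}  # normalized identity -> approved comment count

    def record_approval(self, identity):
        """A moderator approved one comment from this identity."""
        key = normalize(identity)
        self.approved[key] = self.approved.get(key, 0) + 1

    def decide(self, identity, server):
        """identity and server are None when the visitor did not log in."""
        if identity is None:
            return ANONYMOUS
        key = normalize(identity)
        if _origin(server) in self.trusted:
            return AUTO_PUBLISH   # e.g. the company's own OpenID server
        if self.approved.get(key, 0) >= self.approvals_needed:
            return AUTO_PUBLISH   # identity has proved its bona fides here
        return MODERATED          # verified name, but no earned trust yet


if __name__ == "__main__":
    policy = CommentPolicy(["https://id.corp.example/openid"], approvals_needed=2)
    visitor = "http://someone.example/"
    print(policy.decide(visitor, "http://provider.example/server"))
    policy.record_approval(visitor)
    policy.record_approval("HTTP://Someone.Example")   # same identity, other spelling
    print(policy.decide(visitor, "http://provider.example/server"))
```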
    • by jilles ( 20976 )
      Good comments. I'm also a bit annoyed with the conservative ignorance being displayed in this thread. I've been reading about openid a few weeks ago. Essentially the idea is quite elegant and minimalistic (something that should appeal to the unix crowd here) unlike most of the federated identity crap from Sun and MS.

      The basic idea is to have a url as your login name + a protocol to verify whether the person claiming to be that identity is who he claims he is (authentication) with the server that owns the op
      • What would happen if you'd try to login to an openid enabled slashdot? Well as a first step, you'd provide your openid url to slashdot (without password). Slashdot would then contact the server where the openid url comes from and ask it to confirm the identity. Assuming this is the first time you visit slashdot and that you are already logged into your openid account, you will be redirected to the openid site and it will ask you if you want to give slashdot permission to authenticate you and also what p

    • by geekyMD ( 812672 )
      Yeah, that answers a lot of the "Oh Noes the Guberment!" problems, but your own post has a logical fallacy.

      You say that it is meaningless to "exclude" people from using an ID in this context, but then in every example you use you are illustrating types of exclusion. If X is allowed to post on my blog, then it is implicit that there are others, not X, that are Not allowed to post to your blog. But if the identity X does not assert that "X" != "not X", then X is meaningless.

      The big problem with the OpenID w
  • I was also the one who made the "5% a week growth" claim (at the Internet Identity Workshop [windley.com] this week) and unfortunately it was not clearly quoted. "5% a week" describes the growth we are seeing in new relying parties (aka sites-that-support-OpenID). Yes, it's impossible for this growth to keep up over time but it's still a valid data point. Graph is forthcoming.

    I'm shamelessly linking to my own blog here but I think there are a few answers to the questions people are posting on this thread:

    * How do I choo [kveton.com]
  • Noblesse Oblige? Yeah sure.

    Follow the money, how do they expect to make a bundle on this? I'd
    like to see their plan before jumping in too quickly. Will there be
    an *upgrade* that all serious blogs need to make (only $99/year/cert)?

    Sorry to be cynical (well not sorry on /.) but having not read anything
    about this my $$ filter was triggered. Sounds really cool, worth investigating,
    but... pling pling pling...

  • For me, the idea would have very limited utility. Right now, I have an encrypted file that contains about 50 usernames and passwords. When I need to log on to something, I view the file, and cut and paste. Let's say that 20 out of those 50 sites were using OpenID, and the other 30 weren't. Then instead of an encrypted password file with 50 entries, I'd have an encrypted password file with 31 entries: the OpenID password, plus the other 30. Cutting the number from 50 to 31 doesn't really make my life any eas
  • So, when will we see OpenID login on Slashdot? What about being able to use Slashdot accounts as identities on other sites?
  • This may be a good idea, if it turns out to be secure. In the meantime, I'll keep my encrypted text file (via vi) on my main server, and when I need to log in somewhere that I don't remember the password, I'll ssh in, open it, and get it. Kind of a low-tech solution, but with cron jobs automatically downloading updates to other machines I have, I have encrypted backups of the file that stay in sync each day, so little risk of losing them, and only one master file to update.
