Microsoft Joins the OpenID Foundation

wertigon writes "Windows Live ID just became yet another OpenID-provider. While the cynical me wonders how long it'll be before Microsoft transforms OpenID to something proprietary, they have undoubtedly put even more weight behind the OpenID initiative. So, how long before I can use my OpenID to post on Slashdot?" Patches are always welcome, wertigon ;)

  • Color Me Confused (Score:5, Informative)

    by eldavojohn ( 898314 ) * <eldavojohn&gmail,com> on Wednesday October 29, 2008 @09:27AM (#25554551) Journal

    Microsoft Joins the OpenID Foundation

    What a joke.

    Windows Live ID just became yet another OpenID-provider.

    True.

    they have undoubtedly put even more weight behind the OpenID initiative.

    False.

    So, how long before I can use my OpenID to post on Slashdot?

    Oh poor poor wertigon. You won't even be able to log into MS Live with it. I can go to wordpress, verisign, aol and all that jazz and login with my OpenID. I can go to sites listed as OpenID and login when I've never even been there before. Yet, when I go to the page that Microsoft lists for Live, I can't. Why is this? Because they're only providing IDs, not accepting other OpenIDs.

    You will soon be able to use your Windows Live ID account to sign in to any OpenID Web site!

    That's it. That's all you get. No future plans are listed to accept OpenID accounts either.

    OpenID's mission is to have one single login for every single website out there. So far, it was doing great. Now, I want to check my hotmail with my (pre-existing) OpenID. No luck. Unless you start at Windows Live and move to the rest of the OpenID sites, you are no closer to achieving OpenID's goal and vision. This is a ridiculous mangling of a great idea.

    When Microsoft fully supports it--when they both accept and provide IDs--that's when I'll agree with this headline. Microsoft should be implementing a way to associate your Live ID with your OpenID and use your OpenID to login to Live. But they aren't & I doubt they ever will.

    • by Leynos ( 172919 ) on Wednesday October 29, 2008 @09:32AM (#25554611) Homepage

      This is still a useful development. I can now allow MSN Messenger using friends to read my friends-only livejournal posts without having to ask them to sign up for LiveJournal or OpenID (which most people outside of geekdom will not have heard of)

      • by Zebedeu ( 739988 ) on Wednesday October 29, 2008 @09:43AM (#25554835)

        Exactly, and this half-functionality is why this move undermines OpenID and what it stands for.

        You see, OpenID still works, but it works *better* if you use Microsoft's version. Soon enough you'll find that everyone's reaching for those MS ids just to remain compatible, and MS will get what they couldn't with their Passport scheme, or LiveId or however it's called these days.

        It's the same embrace, extend, extinguish bullshit again, and in my opinion, the community should just reject these MS-provided ids until they learn to play ball.

        • by HungryHobo ( 1314109 ) on Wednesday October 29, 2008 @09:53AM (#25555101)

          I just don't get the point of this. I go to a website and there's a little note *You can use your openid here!* and I sign in with it. but wait! it was a trick, they grabbed my username and password, now they have my openid login.

          Unless I've missed the point somehow and there's some way to know if the site you're on is accredited.

          • Re:Color Me Confused (Score:4, Informative)

            by Smelly Jeffrey ( 583520 ) on Wednesday October 29, 2008 @10:10AM (#25555395) Homepage
            Mod parent up!

            This question is one that appears to not yet have been raised in the OpenID security discussion [openid.net]. In these times of phishing [marcoslot.net] attacks [danga.com] on OpenID [itweek.co.uk] this should bear heavy on the mind.

            For more information, this article [wikipedia.org] is a good jumping off point.
            • by MindKata ( 957167 ) on Wednesday October 29, 2008 @11:18AM (#25556779) Journal
              OpenID also allows more easily data mining what someone says and does on different web sites, which is a dream come true, for all data miners.

              So once most people start to use OpenID, then all governments have to do, is pass a law, to either requiring them to know your OpenID, or for them get your OpenID by any other means, and then that's all they need, to work out everything you have ever said online. OpenID is one step away from removing most anonymity on the Internet. This news fits in with the other Slashdot news today, about the Internet Human Rights PR smoke screen...
              http://it.slashdot.org/comments.pl?sid=1011555&cid=25554573 [slashdot.org]

              Plus as people in power always seek power, then what they fear most, is the loss of power. So to them, finding out what people are saying is very important. (I.e. Knowledge is power). So one of the first things some of the ones in power will do, is use widespread usage of OpenID to allow them to find out every political view people post about them online.

              To big businesses and governments, OpenID isn't about convenience of easy logins. OpenID to them, is about data mining and so it makes sense Microsoft would want to play along with that goal.
              • Re: (Score:3, Insightful)

                by Raenex ( 947668 )

                You can have more than one OpenID. Sites can still allow anonymous posting.

                Besides that, there's an even bigger id that most people are tied to and don't even think about -- their IP address. How much data flows through your ISP? Talk about single points of failure. People also tend to have one email address and don't use encryption.

                If you are concerned about government-thwarting privacy then you have to take active measures to gain it. OpenID is no more of a problem than any of the other things I have

            • Comment removed based on user account deletion
          • Re:Color Me Confused (Score:5, Informative)

            by Anonymous Coward on Wednesday October 29, 2008 @10:12AM (#25555439)

            There's no accreditation. Login occurs by redirecting you back to your provider. You log in, or the provider establishes you're already logged in by means of cookies. Then your provider redirects you back, saying "yep, he's the holder of that openID".

            At no point does the accepting site get your user name and password. You can verify this by looking at your address bar. If you're still at the accepting site and they ask you for your user name and password, they're either doing it wrong or you're being phished.

            • So how does it tell the site that you're you? cookies can't be seen between sites can they, IP address wouldn't be reliable. Is it just a case of sending you back with a code in your get/post request?

            • by ChrisA90278 ( 905188 ) on Wednesday October 29, 2008 @11:54AM (#25557341)

              "At no point does the accepting site get your user name and password. You can verify this by looking at your address bar."

              I bet I could get thousands of user name/password combos by putting up a web page that simply asked users to enter their user name and password. They call this "phishing". It would work.

              Using any kind of login that is shared over multiple places is always not-secure. Best practice is to compartmentalize potential damage. So that if someone figures out my password for (say) this website they can't then get into my bank account and email. If common logins do become popular then "phishing" will become very popular.

              • Re:Color Me Confused (Score:5, Informative)

                by Rene S. Hollan ( 1943 ) on Wednesday October 29, 2008 @12:10PM (#25557593)
                Depends on what you use the logins for. I use common logins, or at least passwords, across several sites, particularly ones I don't care too much about, and different ones for sensitive sites like banks, etc.

                So, yes, the number of logins you have should be more than one, but does not have to be as large as the number of sites you visit.

                But, to explain how OpenID, LiveID, and all such systems work without the site requesting the authentication requiring the authenticating credentials, it's like this:

                1) You authenticate with the authentication site. You get back a magic number, or some similar credential.

                2) You present this credential to the site that requests your authentication.

                3) It contacts the authentication site with it, (perhaps authenticating itself too using means like a client cert), provides the credentials you supplied, and gets back all sorts of nifty metadata about you.

                Your credentials expire after some amount of time.

                LiveID works like this for all Microsoft and Microsoft-partnered sites. And the same for OpenID.

                The issue with having Microsoft accepting OpenIDs (besides the obvious econo-political one) is likely the nature of the metadata being different between what OpenID provides and what LiveID provides (unless OpenID supports the notion of arbitrary metadata per site requesting authentication, and so could support the LiveID metadata format).

                • by richlv ( 778496 )

                  actually, you can choose not to send any metadata for openid logins - just your id. so any differences in metadata can't be a reason for not accepting openid logins.

                  • Except Microsoft services REQUIRE the appropriate metadata.

                    • by richlv ( 778496 )

                      well, i guess that's up to them to change this requirement then ;)
                      or one could set up a fake persona in openid provider and feed some crap data in the ms system...

                    • Well, M$ uses their single authentication point to also store metadata that is likely to be needed by many of their apps that look to that authentication point. OpenID would not have that metadata. (Though M$ could detect this, and create an OpenID->LiveID mapping and require the user to enter it the first time. Of course, it is in M$'s interest for the mappings to go the other way.)

                      The kind of metadata has to do with stuff like age, location, etc.

                      The thing is, not only can one single point authenti

              • OpenID and phishing (Score:4, Interesting)

                by jesterzog ( 189797 ) on Wednesday October 29, 2008 @02:38PM (#25559839) Journal

                This won't solve the problem but the OpenID Community Wiki has a page documenting different ways in which phishing might occur [openid.net], as well as a collection of recommendations.

                Probably in the long term, assuming OpenID becomes popular, it might come down to browser makers to specifically recognise OpenID, and do things like let the user specify who their OpenID provider is so that it can make it really obvious when the user's logging into the correct place. eg. If the browser doesn't start flashing its borders bright pink when the user visits their claimid.com login page, the user might suspect that they're giving their credentials to the wrong website.

          • The site is supposed to redirect your browser to your provider for you to perform the actual login.

            Of course you do have to pay attention to what site you are giving your password to......................

          • How did they grab your password? If openid is done right, they don't need it.

          • Re:Color Me Confused (Score:4, Informative)

            by Arancaytar ( 966377 ) <arancaytar.ilyaran@gmail.com> on Wednesday October 29, 2008 @10:22AM (#25555669) Homepage

            Um, duh - the way to know if you're being phished is checking the URL and the site you're on.

            With OpenID, you will never have to enter your password on any site but that of the OpenID provider. If the site you want to access asks you for your OpenID password, you're being scammed.

            • the way to know if you're being phished is checking the URL and the site you're on.

              That is all well in theory until your DNS gets hijacked too and "www.myopenid.com" points to the phishing site instead.

              • So host your own OpenID provider with pictures of your kids or something. If you don't see pictures of your kids, then it's the wrong site.

                • A lot of sites are doing that, banks, etc.. they have an image identifier, and some text that goes with the image, that you inputted. That gets displayed on login.
          • Re:Color Me Confused (Score:5, Informative)

            by Dolda2000 ( 759023 ) <fredrik&dolda2000,com> on Wednesday October 29, 2008 @10:59AM (#25556429) Homepage

            Unless I've missed the point somehow and there's some way to know if the site you're on is accredited.

            You have indeed missed the point, and even more than you think. You don't enter your OpenID password on the site you're authenticating to, at all. Ever. You just enter your OpenID username, and it redirects you to your actual OpenID provider, and there you enter your password (or, even better, use the SSL certificate installed in your browser, or your Kerberos credentials, or similar) to authenticate to it. It then redirects you back to the actual site with a cryptographic cookie that verifies your identity.

            If you're worried about phishing, that's a very different issue. Certainly a real one, though, but not anything you wouldn't be subjected to anyway. And, if you authenticate with something like an SSL certificate, it won't be a problem anyway.
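The redirect-and-verify exchange described in the comments above, as an added example that is not part of the original thread: the provider sends the browser back with a signed assertion, and the accepting site checks the signature, the return address and the nonce without ever handling a password. It follows the OpenID 2.0 signature scheme (HMAC-SHA256 over the signed fields in key-value form); `RelyingParty`, `make_assertion` and `nonce_epoch` are hypothetical names, and every URL, handle and key is constructed.

```python
import base64
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

PREFIX = "openid."
# Fields an OpenID 2.0 positive assertion must cover with its signature.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def sign(fields, signed_list, mac_key):
    """Base64 HMAC-SHA256 over the signed fields in key-value form (key:value + LF)."""
    kv = "".join(f"{k}:{fields[PREFIX + k]}\n" for k in signed_list)
    mac = hmac.new(mac_key, kv.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def nonce_epoch(nonce):
    """A response nonce starts with a UTC timestamp such as 2008-10-29T10:59:00Z."""
    return calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))


def make_assertion(claimed_id, return_to, handle, mac_key, nonce):
    """Provider side, constructed for the demo: the query string of the redirect back."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://provider.example/op",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": handle,
    }
    signed = ["op_endpoint", "claimed_id", "identity",
              "return_to", "response_nonce", "assoc_handle"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = sign(fields, signed, mac_key)
    return urlencode(fields)


class RelyingParty:
    """The accepting site. It holds a MAC key shared with the provider, never a password."""

    def __init__(self, return_to, associations, max_skew=300):
        self.return_to = return_to
        self.associations = associations  # assoc_handle -> shared MAC key
        self.max_skew = max_skew          # seconds a nonce stays acceptable
        self.seen = set()                 # (op_endpoint, nonce) pairs already used

    def verify(self, query_string, now=None):
        """Return the verified claimed identifier, or raise ValueError."""
        now = time.time() if now is None else now
        f = dict(parse_qsl(query_string, keep_blank_values=True))
        if f.get("openid.mode") != "id_res":
            raise ValueError("not a positive assertion")
        if f.get("openid.return_to") != self.return_to:
            raise ValueError("return_to mismatch")
        signed_list = f.get("openid.signed", "").split(",")
        present = {k[len(PREFIX):] for k in f if k.startswith(PREFIX)}
        must_sign = REQUIRED_SIGNED | ({"claimed_id", "identity"} & present)
        if not must_sign <= set(signed_list):
            raise ValueError("required field not signed")
        mac_key = self.associations.get(f.get("openid.assoc_handle"))
        if mac_key is None:
            raise ValueError("unknown association")
        try:
            expected = sign(f, signed_list, mac_key)
        except KeyError:
            raise ValueError("signed field missing from message")
        if not hmac.compare_digest(expected.encode(), f.get("openid.sig", "").encode()):
            raise ValueError("bad signature")
        # A full relying party also re-runs discovery on claimed_id to confirm
        # that this provider may speak for it; that step is omitted here.
        nonce = f["openid.response_nonce"]
        if abs(now - nonce_epoch(nonce)) > self.max_skew:
            raise ValueError("stale nonce")
        key = (f["openid.op_endpoint"], nonce)
        if key in self.seen:
            raise ValueError("replayed assertion")
        claimed = f.get("openid.claimed_id")
        if claimed is None:
            raise ValueError("no identifier asserted")
        self.seen.add(key)
        return claimed


if __name__ == "__main__":
    key = b"constructed-demo-mac-key"
    rp = RelyingParty("https://rp.example/openid/return", {"assoc-1": key})
    nonce = "2008-10-29T10:59:00Zq8Xw"
    qs = make_assertion("https://alice.example/", rp.return_to, "assoc-1", key, nonce)
    print(rp.verify(qs, now=nonce_epoch(nonce) + 60))
```

None of these checks helps if the user typed the password into a look-alike provider page first; the signature only protects the hop from provider to accepting site.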

          • That's not how openID works. When you go to login using your openID you just put in your ID and then it redirects you to your openID provider to have you login/provide authorization etc.
          • Hmm, I don't think you get how OpenID works. I'm not an expert, but I've played with it a bit.

            You enter your OpenID URL ("login"), and you are redirected to your OpenID provider to auth (or if you already authenticated earlier in your browser session, then you're all set), and your OpenID provider says, "Yup, this is "X"" (and supply whatever info you tell it to supply).

            You never give your openid username/password to the website you're giving your openid URL to (although, usually the openid url is in some

        • Re: (Score:3, Interesting)

          "This move" is a fundamental problem with OpenID, not Microsoft specific. Everyone wants to be a provider; no one wants to be a consumer. (Or in slashdot terms, everyone wants to top, no one wants to bottom).

          "There have been a spate of announcements recently with a number of companies both large and small announcing that their products will "support" OpenID. [...] All these OpenID support announcements and I am not getting anywhere with my OpenID. [...] it seems that while we have plenty of companies want [idcorner.org]

          • Re: (Score:3, Insightful)

            by cparker15 ( 779546 )

            "This move" is a fundamental problem with OpenID, not Microsoft specific. Everyone wants to be a provider; no one wants to be a consumer.

            Everyone? Speak for yourself. All Web-based applications that I write now accept Yadis (specifically OpenID) as an alternative/complement to traditional username/password authentication where authentication is a requirement.

            • Everyone? Speak for yourself. All Web-based applications that I write now accept Yadis (specifically OpenID) as an alternative/complement to traditional username/password authentication where authentication is a requirement.

              Anything the slashdot crowd might be familiar with, or are you talking about your personal website?

              I consume OpenIDs in webapps, but they aren't public, so me stating that I use it in all my webapps doesn't f*cking matter.

          • Everybody that has a business plan other than showing you ads while you log on want to be a consumer.

            When OpenID was a new and untested thing, nobody working on unrelated projects had heard about it, so consumers didn't start using it. At the same time, people working with OpenID knew it existed, so providers started appearing. That is normal. Now that it is a little more known, there isn't a lack of consumers anymore.

    • Re:Color Me Confused (Score:5, Informative)

      by Anonymous Coward on Wednesday October 29, 2008 @09:42AM (#25554823)
      A lot of OpenID participants are provider only. Microsoft isn't helping the problem, but they aren't worse than a lot of other companies in this regard.
    • You put all the informative and insightful comments possible into one post you insensitive clod.

    • Microsoft should be implementing a way to associate your Live ID with your OpenID and use your OpenID to login to Live. But they aren't & I doubt they ever will.

      I bet you doubted MS would ever become a provider of Open IDs too didn't ya? This news is progress. Don't be so negative about it.

    • Re: (Score:3, Insightful)

      by Blakey Rat ( 99501 )

      OpenID's mission is to have one single login for every single website out there. So far, it was doing great. Now, I want to check my hotmail with my (pre-existing) OpenID. No luck. Unless you start at Windows Live and move to the rest of the OpenID sites, you are no closer to achieving OpenID's goal and vision. This is a ridiculous mangling of a great idea.

      The idea is bad in the first place. The fact that numerous large .coms are OpenID *providers* but don't accept OpenIDs from other providers is only a sym

      • Re:Color Me Confused (Score:5, Informative)

        by holt ( 86624 ) on Wednesday October 29, 2008 @12:13PM (#25557651) Homepage
        My understanding is that one should set up OpenID delegation [openid.net], which allows you to have a static OpenID but still use third-party providers for the authentication portion. Anyone with a web presence can do this, and it's actually preferred to hosting your own OpenID server since it shows that someone else also vouches that you are who you say you are. Here is some further reading [intertwingly.net].
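What a delegation page carries and how an accepting site reads it, as an added example that is not from the thread or from any OpenID library: two public URLs in `<link>` elements, one naming the provider endpoint and one naming the identifier the provider knows you by. The relation names are the OpenID 1.1 and 2.0 HTML-discovery ones; `discover` is a hypothetical helper and the sample pages and URLs are constructed.

```python
from html.parser import HTMLParser

# (protocol version, rel naming the provider endpoint, rel naming the delegated id)
RELS = (
    ("2.0", "openid2.provider", "openid2.local_id"),
    ("1.1", "openid.server", "openid.delegate"),
)


class HeadLinks(HTMLParser):
    """Collect <link rel=... href=...> values, but only from inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            # rel may hold several space-separated relation names.
            for rel in (a.get("rel") or "").lower().split():
                if a.get("href"):
                    self.links.setdefault(rel, a["href"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(claimed_id, html):
    """Return where to send the user and which identifier the provider will assert.

    claimed_id stays the URL the user typed (the static OpenID); local_id is
    the account at the third-party provider that it delegates to.
    """
    parser = HeadLinks()
    parser.feed(html)
    for version, provider_rel, local_rel in RELS:
        endpoint = parser.links.get(provider_rel)
        if endpoint:
            return {
                "version": version,
                "claimed_id": claimed_id,
                "op_endpoint": endpoint,
                "local_id": parser.links.get(local_rel) or claimed_id,
            }
    raise ValueError("page advertises no OpenID provider")


# Constructed delegation page: the user's own site points at a hosted provider.
SAMPLE_PAGE = """<html><head><title>Alice's home page</title>
<link rel="openid2.provider openid.server" href="https://provider.example/op">
<link rel="openid2.local_id openid.delegate" href="https://provider.example/users/alice">
</head><body><p>Hello.</p></body></html>"""

# Constructed page where the only OpenID link sits in the body, for instance
# inside user-submitted content. Discovery must not honour it.
BODY_ONLY_PAGE = """<html><head><title>Guestbook</title></head><body>
<link rel="openid2.provider" href="https://elsewhere.example/op">
</body></html>"""

if __name__ == "__main__":
    print(discover("https://alice.example/", SAMPLE_PAGE))
```

Switching providers means editing the two `href` values on the page; the claimed identifier, which is what accepting sites key the account on, does not change.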
        • Re: (Score:3, Insightful)

          by Blakey Rat ( 99501 )

          That's getting to a solution, but it's still far too difficult for the average person to do. And, if I'm understanding correctly, it actually makes your data held by THREE servers now:

          1) The server you're trying to log into
          2) The server hosting your "delegation" page
          3) The server providing the OpenID

          Someone correct me if I'm understanding this wrong.

          • by holt ( 86624 )

            I believe you're right, that all three pieces need to be up and running at the time of the login. However, while technically all three do store some data about you, the service to which you're trying to log in doesn't know anything other than the public OpenID portion (i.e., your password or cert is still secret), and the authenticator service (to whom you've delegated) only knows that you've logged into a particular URL. The authenticator doesn't need to know anything more than that.

            I was addressing your co

            • I believe you're right, that all three pieces need to be up and running at the time of the login. However, while technically all three do store some data about you, the service to which you're trying to log in doesn't know anything other than the public OpenID portion

              No, the site I'm trying to log in to knows a crapload about me: all the data I've provided it, and data that I still want access to even if my OpenID provider has issues. I'd rather just log in directly so I don't have to rely on OpenID to get to

              • by holt ( 86624 )

                Of course they know about the data you've provided to them directly. That's the whole point of logging in; I didn't think I needed to spell that out. Let me revise my earlier statement: "While technically all three do store some login-related data about you, the service to which you're trying to log in doesn't know anything related to your login other than the public OpenID portion"

                While I agree that OpenID probably isn't easy enough for non-geeks, at least not without hand-holding, I certainly wouldn't r

                • Of course they know about the data you've provided to them directly. That's the whole point of logging in; I didn't think I needed to spell that out. Let me revise my earlier statement: "While technically all three do store some login-related data about you, the service to which you're trying to log in doesn't know anything related to your login other than the public OpenID portion"

                  What bothers me the most is that my data could be lost through no fault of my own, and no fault of the site storing the data. I

    • I don't care about all that. All that I care about is that the tons and tons of MSN users are now able to login to my site without having to register an account at my site first. I don't care whether people can use OpenID to login to Windows Live.

      Microsoft supporting OpenID like this is a good thing.

    • General Slashdot
      Let X represent some technology
      X = Cool
      X + Microsoft Support = Bad
      X - RMS Support = Bad
      X - Microsoft Support = High Quality
      X + RMS Support = Morally Correct

      I like to judge X on X

  • Microsoft doesn't host any of my porn sites and I don't use hotmail. I'm just saying. Now if by entering the game they somehow prevent me from using openID at any of these sites... we'll have a problem.
  • Tinfoil Hat (Score:3, Insightful)

    by krgallagher ( 743575 ) on Wednesday October 29, 2008 @09:34AM (#25554667) Homepage
    "So, how long before I can use my OpenID to post on Slashdot?"

    So how long before governments require OpenID to eliminate internet anonymity?

    • Re:Tinfoil Hat (Score:5, Interesting)

      by dnwq ( 910646 ) on Wednesday October 29, 2008 @09:40AM (#25554759)
      Note to the oblivious: OpenID doesn't eliminate anonymity. Far from it.

      Wikipedia:

      Since OpenID is decentralized, any website can use OpenID as a way for users to sign in; OpenID does not require a centralized authority to confirm a user's digital identity.

      • Note to the oblivious: OpenID doesn't eliminate anonymity. Far from it.

        Being of an oblivious nature, I have a question for you:
        In what ways does the OpenID system promote user anonymity?

        • Re:Tinfoil Hat (Score:5, Informative)

          by DragonWriter ( 970822 ) on Wednesday October 29, 2008 @10:57AM (#25556373)

          In what ways does the OpenID system promote user anonymity?

          It promotes anonymity by allowing services to operate that require associating the initiator of one action with the initiator of a prior action, without requiring the "meatspace" identity of either. That is, it provides a reasonable means for a subscription-based service to verify "the person accessing this resource is the one that established this account" without ever identifying who the person is that established the account.

          Since many services rely on providing that kind of relation between the person establishing an account and a person requesting a resource, it promotes anonymity to provide a means that allows those services to fill that need while users remain anonymous.

    • by soren100 ( 63191 )

      "So, how long before I can use my OpenID to post on Slashdot?"

      So how long before governments require OpenID to eliminate internet anonymity?

      Given that the government has been pumping the idea for a while that somehow terrorists are "recruiting" online [cbsnews.com] in places like Second Life [washingtonpost.com], not long at all.

      From the first article:

      It is certain that virtual reality is doing real damage with intelligence, recruiting, fund raising and the spread of Islamic extremism. This assault may start with bytes, not bullets, but American generals will tell you, it's a hot war all the same on a battlefield called "jihad.com."

      Asked if the Internet is training up new ba

    • "So, how long before I can use my OpenID to post on Slashdot?"

      For the minor Slashcode website I run (see sig - thousands of unique IP addresses reached daily, but still very minor), a project with one partner requires our Slash website to be OpenID-friendly.

      We have little to no resources, so I can't provide any timeline or even if it will happen from us. But I sure want to. See also the slashcode-dev mailing list to learn more.

  • by TheRealMindChild ( 743925 ) on Wednesday October 29, 2008 @09:38AM (#25554735) Homepage Journal
    Patches are always welcome wertigon ;)

    Yeah. You are welcome to write a patch. That doesn't mean Taco will even use it. Don't let his comment mislead you.
    • yeah, but as implementing an OpenID consumer is such a doddle, I'm sure CmdrTaco could read the example perl docs [cpan.org] and slap it into the authentication system on /. in 5 minutes.

      The tricky bit is tying your existing user to your openid login.. maybe it'd take him 10 minutes :-)

  • by mpapet ( 761907 ) on Wednesday October 29, 2008 @09:41AM (#25554791) Homepage

    It might be okay for joe-shmoe consumer, but there are still common-sense issues standing in the way.

    First and foremost is the dead-simple notion, "You mean I'm going to trust a single source for EVERY password for every site I go to? No thanks! I've had my identity stolen already."

    If I was in charge of the Right Brigade, I would change the nexus from some server-in-the-sky to your PC storing/providing authentication. I know that's crazy-talk, being responsible for your own identity and everything. Just call me old-fashioned.

    • I would change the nexus from some server-in-the-sky to your PC storing/providing authentication. I know that's crazy-talk, being responsible for your own identity and everything. Just call me old-fashioned.

      But you can't be trusted for providing your own identification. An identification credential relies on some sort of certifying authority.

      "Ok, Mr. Jones, I'll just need a piece of ID to cash this check."

      "Fine, here you go."

      "Um, what's this? A Polaroid (link for the kids [wikipedia.org]) with your name written on

      • by joeljkp ( 254783 )

        My concern with OpenID:

        Say I set up an OpenID with MyOpenID.com and use it to sign in to a dozen different sites, customize my account on those sites, create posts, store data, etc. Then MyOpenID.com goes away or starts sucking.

        What then? Is there an easy way to transfer an existing OpenID-linked account at end-user sites to a new OpenID?

    • Re: (Score:3, Insightful)

      by internerdj ( 1319281 )
      Yeah but I can't trust myself either. Who knows how many accounts I have. I don't. Ok so most follow the same general scheme but then you get the outliers who won't accept a normal scheme so you have to have a unique password for their site. There are several accounts I don't even bother to guess I just use the magic questions to log in. Wow you must either know my password or some semi-private information about me to get into say my mortgage accounts or my retirement accounts. I would welcome an enti
    • Re: (Score:2, Funny)

      by Anonymous Coward

      It might be okay for joe-shmoe consumer

      Joe is a plumber, stupid.

    • I would change the nexus from some server-in-the-sky to your PC storing/providing authentication. I know that's crazy-talk, being responsible for your own identity and everything.

      That's a great idea! I think you should call it OpenID [siege.org].

    • If I was in charge of the Right Brigade, I would change the nexus from some server-in-the-sky to your PC storing/providing authentication. I know that's crazy-talk, being responsible for your own identity and everything. Just call me old-fashioned.

      Absolutely not..it is quite forward thinking IMHO. I think that the concept behind OpenID is exactly what the 'net needs, because it enables exactly that--the barrier is technically pretty low to provide your openID yourself--on your very own system! The fact that such a thing is considered "crazy talk" seems sad to me. Something that acts as a "server" should not be considered "too technical" or "for experts only"--such thinking is almost criminal, and ISPs should not be allowed to keep customers from h

  • What exactly is it about OpenID that makes it something I would want to use? Everything I've seen about openid is chocked full of flaws that makes me wonder why any site admin would want to use it.

  • by blowdart ( 31458 ) on Wednesday October 29, 2008 @09:42AM (#25554809) Homepage

    You don't have to join the OpenID foundation to become an OpenID provider. Funnily enough Microsoft did join; but in February [microsoft.com].

    But as I ranted [idunno.org] on my blog, becoming a provider is useless these days; allowing authentication using OpenID would be far more impressive.

  • Provider only? (Score:5, Informative)

    by Kurt Granroth ( 9052 ) on Wednesday October 29, 2008 @09:53AM (#25555093)

    As far as I can tell, Microsoft is only going to be an OpenID Provider and not a Relaying Party. That is, you can use your MS ID elsewhere but you can't use your existing ID on MS Live.

    This seems to be pretty typical of companies adopting OpenID. Lately, quite a few companies have trumpeted their OpenID support... yet in almost all cases, it has been as a Provider only. Yahoo is the notable exception of a large OpenID provider that is also a relaying party (consumer).

    So this has resulted in a world where everybody wants to provide an ID but nobody wants to accept them. The goal is that I could create an ID on my own website (as an OpenID provider) and use that ID to log into Google and Yahoo and MS Live and the rest without having to create a separate user on all of them. The reality is that since nearly all of them are only providers, I would still have to create a ton of separate users.

    • Yeah - everybody wants the others to trust them, but nobody is willing to trust the other providers.

    • The people this is good for is smaller sites. Afaict most users will already have an account from at least one openID provider. Therefore people will be able to log into your small site without having to create yet another ID.

  • People can complain that just because Live is providing OpenID identities, that they can't log in to say, Hotmail, with an OpenID.
    How is this any different from AOL providing OpenID for their screennames?
  • by IGnatius T Foobar ( 4328 ) on Wednesday October 29, 2008 @10:03AM (#25555247) Homepage Journal
    As many here have already mentioned, OpenID is only useful when there are lots of web sites that are willing to be an OpenID Relying Party. Microsoft is not. They only want to be a provider -- which is no surprise. Microsoft doesn't want to be open and useful and let you log in with an ID from some other place -- they want to be your identity provider, because they want to be the ones in control of your online identity.

    Nice to see that the "kinder, gentler" post-Gates Microsoft is just as ruthless and selfish as ever.

    Ask yourself this question: if you have a single sign-on for the web, who would you want managing it for you? For us geeks out there, the answer is simple: run your own identity server. [openid.net] No one controls it but you. For non-geeks ... please, anyone but Microsoft.
    • Re: (Score:2, Interesting)

      by fprintf ( 82740 )

      I wonder if you can run the identity server on DD-WRT? That would be cool without requiring me to keep my computer running all the time!

      • by Skapare ( 16644 )

        See the list of software. If you can't get any of those to run on DD-WRT with a web server (I note that there is no tiny implementation in C, yet), then see the protocol and write your own (please share).

    • by edavid ( 1045092 )
      I do NOT want to be dependent on an identity provider be it open or not. For me OpenID is just another tracking device, and what I fear is sites mandating its use. If you want to control your online identity, refuse the use of email addresses as login or whateverID system, it is the only way.
  • The cynical me (Score:3, Insightful)

    by Jeff Hornby ( 211519 ) <jthornby AT sympatico DOT ca> on Wednesday October 29, 2008 @10:03AM (#25555267) Homepage

    While the cynical me wonders how long it'll be before Microsoft transforms OpenID to something proprietary

    The cynical me wonders when the Open Source community will abandon the OpenID standard now that Microsoft has committed to it.

  • Whoooops... (Score:4, Funny)

    by wertigon ( 1204486 ) on Wednesday October 29, 2008 @10:14AM (#25555507)

    Ok, remind me never to submit news stories while dead tired. You tend to miss quite a few things (like making sure the bloody headline is completely wrong; what I meant to say was "Microsoft joins the OpenID *Fray*").

    Nice getting pwned by Slashdot. I love you too guys!

    • Hmm, and I really should be using smileys more, as well... I mean it. Thanks for teaching me to remain humble. :D
  • Tinfoil hat?? (Score:2, Interesting)

    by Riot.ATL ( 1365395 )
    Does anybody else not like the idea of using one ID to log in to several web sites?
    • What's not to like about the idea? I have lots of accounts on websites with one fairly low-security password, and for these OpenID is a step forward in security (not that I care much, since by definition these are websites that I don't much care about security for). OpenID would be just fine for most of the sites I go to.

      For sites like eBay or PayPal, I've got separate strong passwords, and am not interested in using OpenID.

      I'm perfectly happy with using one ID to log in to several web sites, as long

  • I've been using SimpleID [sourceforge.net] for a personal OpenID provider, but it seems to have problems with a lot of popular OpenID consumers like Plaxo and even Sourceforge itself (or more properly, they have problems with it, like ".failed to check_authentication(): failed to verify response"). I'd like the idea of a multi-user provider so that my wife can use it too. Any suggestions?

  • I want to be able to just login with my simple username Skapare [blogspot.com], not some site name. That's not what OpenID does. And it really isn't going to work very well with billions of people all wanting nice simple names.

    • I want to be able to just login with my simple username Skapare [blogspot.com], not some site name.

      That isn't the job of OpenID--that is the job of the OpenID consumer as far as I can tell. You wouldn't WANT OpenIDs to be simple like yahoo or twitter or DNS, because you cannot guarantee uniqueness and name squatters will just take all the simple ones and you have the same old problem again.

      Proper implementation of OpenIDs would map the more complicated but unique URI-style ID to your site alias, and like any proper forum site does with email addresses your openID would be hidden from view for privacy re

      • by Skapare ( 16644 )

        That isn't the job of OpenID--that is the job of the OpenID consumer as far as I can tell. You wouldn't WANT OpenIDs to be simple like yahoo or twitter or DNS, because you cannot guarantee uniqueness and name squatters will just take all the simple ones and you have the same old problem again.

        And this is why a universal ID system just can't work.

        Proper implementation of OpenIDs would map the more complicated but unique URI-style ID to your site alias, and like any proper forum site does with email addresses your openID would be hidden from view for privacy reasons (so you don't get spammers and general marketing scum crawling forums to scrape your ID off of them and create a profile on you).

        But how do I hide it from the web provider I log in to? They are getting too much information with this. With the usual way, I use a throw-away email address to sign-up.

        This way you can create a site-based avatar but have the same credentials globally. Also, a good OpenID consumer would provide for one-to-many mapping, so that one actual user on the site could log in with any number of credentials. That way, if your OpenID provider leaves you in the lurch (say MSFT botches up their service to discourage people from using it and uses that as justification to shut the service down) the OpenID consumer can fall back to an alternative (even its own auth scheme instead of openID).

        That's just another potential flaw.

        When you log into such an OpenID compliant site it would work similar to Ubuntu's login--you would get a prompt for your user ID, then when you submit it would go away to see what ID provider/scheme you use then forward you to the proper authentication provider's site for the password (or whatever method they use to verify your ID). The site-specific profile determines the default, or you can override the default by entering the desired OpenID instead of your "simple alias".

        You are now dependent on 2 providers being up at the same time (unless you host your own authentication server). And this still doesn't provide any simplification like using the same ID to login everywhere (unless you login with a big long complicated on

        • And this is why a universal ID system just can't work.

          It can and it does work. The internet has a unique identifier for any given computer that is online at any given time. Yes, there is NAT and things that mean that many many machines have IPs like 192.168.1.1 but they are still uniquely addressable via the combination of IP addresses in the route to the machine (ie. the public IP used by the NAT router plus the local IP of the computer). MAC addresses and IPv6 addresses are numerous enough to uniquely identify users too. Further layers of apps/protocols/

          • by Skapare ( 16644 )

            It can and it does work. The internet has a unique identifier for any given computer that is online at any given time. Yes, there is NAT and things that mean that many many machines have IPs like 192.168.1.1 but they are still uniquely addressable via the combination of IP addresses in the route to the machine (ie. the public IP used by the NAT router plus the local IP of the computer). MAC addresses and IPv6 addresses are numerous enough to uniquely identify users too. Further layers of apps/protocols/etc make these unique identifiers more user-friendly.

            Web sites are fewer in number than there are people. So the domain names are usually adequate. People don't want to use IP addresses even with IPv4 (and will want to even less with IPv6). But even some domain names are getting unwieldy and that's with just several million of them. Scale that up to a few billion.

            You don't. You choose a trustworthy provider. For some people that means BEING YOUR OWN PROVIDER--which is technically very possible with OpenID. Why would you need to hide your own information from yourself?

            This is not a scalable solution. The problem isn't that MY OWN information might be utilized, but rather, that anyone's information might be utilized. The fix, using what OpenID has designed, w

  • I like being someone else on every website out there. Much harder to track.
