Slashdot Log In
Microsoft Joins the OpenID Foundation
Posted by
CmdrTaco
on Wed Oct 29, 2008 10:26 AM
from the embrace-and-extend dept.
from the embrace-and-extend dept.
wertigon writes "Windows Live ID just became yet another OpenID-provider. While the cynical me wonders how long it'll be before Microsoft transforms OpenID to something proprietary, they have undoubtedly put even more weight behind the OpenID initiative. So, how long before I can use my OpenID to post on Slashdot?" Patches are always welcome, wertigon ;)
Related Stories
[+]
Technology: MySpace Joins OpenID Coalition 272 comments
the4thdimension writes "MySpace has joined a coalition of other big-name e-services in support of OpenID. If you aren't familiar with the OpenID coalition, they are a group that seeks to allow users to create a single account/password set to be used on a number of services. Such services already signed up include: Google's Blogger, Wordpress, AOL, Yahoo, Vox, LiveJournal, and others."
Reader gbjbaanb adds a link to the BBC's coverage and points out that MySpace's 100 million users would mean nearly a doubling of the approximately 120 million OpenID accounts now in use, writing: "Initially support is to use MySpace OpenIDs as providers only — i.e. you cannot logon to MySpace with an OpenID created elsewhere, but that policy will change in the future. This should help to make OpenID the de-facto login mechanism for the Internet, now if only Microsoft would support it, there are plenty OSS OpenID libraries available."
[+]
Technology: Google Adopts, Forks OpenID 1.0 316 comments
An anonymous reader writes "Right on the heels of Microsoft's adoption of the OpenID protocol by announcing their intention to enable OpenID authentication against all Live IDs, Google has announced their intention to join the growing list of OpenID authentication providers. Except it turns out they're using their own version of OpenID that is incompatible with everyone else. It seems that Google will be using their own 'improved' version of OpenID (based upon research and user feedback of the OpenID system) which isn't backwards compatible with OpenID 1.0/2.0, in hopes of improving end-user experience at the cost of protocol compatibility and complexity."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Color Me Confused (Score:5, Informative)
Microsoft Joins the OpenID Foundation
What a joke.
Windows Live ID just became yet another OpenID-provider.
True.
they have undoubtedly put even more weight behind the OpenID initiative.
False.
So, how long before I can use my OpenID to post on Slashdot?
Oh poor poor wertigon. You won't even be able to log into MS Live with it. I can go to wordpress, verisign, aol and all that jazz and login with my OpenID. I can go to sites listed as OpenID and login when I've never even been there before. Yet, when I go to the page that Microsoft lists for Live, I can't. Why is this? Because they're only providing IDs, not accepting other OpenIDs.
You will soon be able to use your Windows Live ID account to sign in to any OpenID Web site!
That's it. That's all you get. No future plans are listed to accept OpenID accounts either.
OpenID's mission is to have one single login for every single website out there. So far, it was doing great. Now, I want to check my hotmail with my (pre-existing) OpenID. No luck. Unless you start at Windows Live and move to the rest of the OpenID sites, you are no closer to achieving OpenID's goal and vision. This is a ridiculous mangling of a great idea.
When Microsoft fully supports it--when they both accept and provide IDs--that's when I'll agree with this headline. Microsoft should be implementing a way to associate your Live ID with your OpenID and use your OpenID to login to Live. But they aren't & I doubt they ever will.
Re:Color Me Confused (Score:4, Insightful)
This is still a useful development. I can now allow MSN Messenger using friends to read my friends-only livejournal posts without having to ask them to sign up for LiveJournal or OpenID (which most people outside of geekdom will not have heard of)
Parent
Re:Color Me Confused (Score:5, Insightful)
Exactly, and this half-functionality is why this move undermines OpenID and what it stands for.
You see, OpenID still works, but it works *better* if you use Microsoft's version. Soon enough you'll find that everyone's reaching for those MS ids just to remain compatible, and MS will get what they couldn't with their Passport scheme, or LiveId or however it's called these days.
It's the same embrace, extend, extinguish bullshit again, and in my opinion, the community should just reject these MS-provided ids until they learn to play ball.
Parent
Re:Color Me Confused (Score:5, Insightful)
I just don't get the point of this. I go to a website and there's a little note *You can use your openid here!* and I sign in with it. but wait! it was a trick, they grabbed my username and password, now they have my openid login.
Unless I've missed the point somehow and there's some way to know if the site you're on is accredited.
Parent
Re:Color Me Confused (Score:4, Informative)
This question is one that appears to not yet have been raised in the OpenID security discussion [openid.net]. In these times of phishing [marcoslot.net] attacks [danga.com] on OpenID [itweek.co.uk] this should bear heavy on the mind.
For more information, this article [wikipedia.org] is a good jumping off point.
Parent
Re:Color Me Confused (Score:5, Insightful)
So once most people start to use OpenID, then all governments have to do, is pass a law, to either requiring them to know your OpenID, or for them get your OpenID by any other means, and then that's all they need, to workout everything you have ever said online. OpenID is one step away from removing most anonymity on the Internet. This news fits in with the other Slashdot news today, about the Internet Human Rights PR smoke screen...
http://it.slashdot.org/comments.pl?sid=1011555&cid=25554573 [slashdot.org]
Plus as people in power always seek power, then what they fear most, is the loss of power. So to them, finding out what people are saying is very important. (I.e. Knowledge is power). So one of the first things the some of the ones in power will do, is use widespead usage of OpenID to allow them to finding out every political view people post about them online.
To big businesses and governments, OpenID isn't about convience of easy logins. OpenID to them, is about data mining and so it makes sense Microsoft would want to play along with that goal.
Parent
Re:Color Me Confused (Score:5, Informative)
There's no accredation. Login occurs by redirecting you back to your provider. You log in, or the provider establishes you're already logged in by means of cookies. Then your provider redirects you back, saying "yep, he's the holder of that openID".
At no point does the accepting site get your user name and password. You can verify this by looking at your address bar. If you're still at the accepting site and they ask you for your user name and password, they're either doing it wrong or you're being phished.
Parent
Re:Color Me Confused (Score:4, Insightful)
"At no point does the accepting site get your user name and password. You can verify this by looking at your address bar."
I bet I could get thousands of user name/password combos be putting up a web page that simply asked users to enter their user name and password. They call this "phishing". It would work.
Using any kind of login that is shared over multiple places is always not-secure. Best practice is to compartmentalize potential damage. So that if some one figures out my password for (say) this website they can't then get into my bacnk account and email. If common logins do become popular then "phishing" will become very popular.
Parent
Re:Color Me Confused (Score:5, Informative)
So, yes, the number of logins you have should be more than one, but does not have to be as large as the number of sites you visit.
But, to explain how OpenID, LiveID, and all such systems work without the site requesting the authentication requiring the authenticating credentials, it's like this:
1) You authenticate with the authentication site. You get back a magic number, or some similar credential.
2) You present this credential to the site that requests your authentication.
3) It contacts the authentcation site with it, (perhaps authenticating itself too using means like a client cert), provides the credentials you supplied, and gets back all sorts of nifty metadata about you.
Your credentials expire after some amount of time.
LiveID works like this for all Microsoft and Microsoft-partnered sites. And the same for OpenID.
The issue with having Microsoft accepting OpenIDs (besides the obvious econo-political one) is likely the nature of the metadata being different between what OpenID provides and what LiveID provides (unless OpenID supports the notion of arbitrary metadata per site requesting authentication, and so could support the LiveID metadata format).
Parent
OpenID and phishing (Score:4, Interesting)
This won't solve the problem but the OpenID Community Wiki has a page documenting different ways in which phishing might occur [openid.net], a well as a collection of recommendations.
Probably in the long term, assuming OpenID becomes popular, it might come down to browser makers to specifically recognise OpenID, and do things like let the user specify who their OpenID provider is so that it can make it really obvious when the user's logging into the correct place. eg. If the browser doesn't start flashing its borders bright pink when the user visits their claimid.com login page, the user might suspect that they're giving their credentials to the wrong website.
Parent
Re:Color Me Confused (Score:4, Informative)
Um, duh - the way to know if you're being phished is checking the URL and the site you're on.
With OpenID, you will never have to enter your password on any site but that of the OpenID provider. If the site you want to access asks you for your OpenID password, you're being scammed.
Parent
Re:Color Me Confused (Score:5, Informative)
Unless I've missed the point somehow and there's some way to know if the site you're on is accredited.
You have indeed missed the point, and even more than you think. You don't enter your OpenID password on the site you're authenticating to, at all. Ever. You just enter your OpenID username, and it redirects you to your actual OpenID provider, and there you enter your password (or, even better, use the SSL certificate installed in your browser, or your Kerberos credentials, or similar) to authenticate to it. It then redirects you back to the actual site with a cryptographic cookie that verifies your identity.
If you're worried about phishing, that's a very different issue. Certainly a real one, though, but not anything you wouldn't be subjected to anyway. And, if you authenticate with something like an SSL certificate, it won't be a problem anyway.
Parent
Re:Color Me Confused (Score:5, Informative)
Parent
Re:Color Me Confused (Score:5, Informative)
Parent
Tinfoil Hat (Score:3, Insightful)
So how long before governments require OpenID to eliminate internet anonymity?
Re:Tinfoil Hat (Score:5, Interesting)
Wikipedia:
Parent
Re:Tinfoil Hat (Score:5, Informative)
It promotes anonymity by allowing services to operate that require associating the initiator of one action with the initiator of a prior action, without requiring the "meatspace" identity of either. That is, it provides a reasonable means for a subscription-based service to verify "the person accessing this resource is the one that established this account" without ever identifying who the person is that established the account.
Since many services rely on providing that kind of relation between the person establishing an account a person requesting a resource, it promotes anonymity to provide a means that allows those services to fill that need while users remain anonymous.
Parent
It's a trick. Get an axe (Score:4, Funny)
Yeah. You are welcome to write a patch. That doesn't mean Taco will even use it. Don't let his comment mislead you.
OpenID Concept still has issues. (Score:3, Interesting)
It might be okay for joe-shmoe consumer, but there are still common-sense issues standing in the way.
First and foremost is the dead-simple notion, "You mean I'm going to trust a single source for EVERY password for every site I go to? No thanks! I've had my identity stolen already."
If I was in charge of the Right Brigade, I would change the nexus from some server-in-the-sky to your PC storing/providing authentication. I know that's crazy-talk, being responsible for your own identity and everything. Just call me old-fashioned.
Misleading summary. (Score:4, Insightful)
You don't have to join the OpenID foundation to become an OpenID provider. Funnily enough Microsoft did join; but in Feburary [microsoft.com].
But as I ranted [idunno.org] on my blog, becoming a provider is useless these days; allowing authentication using OpenID would be far more impressive.
Provider only? (Score:5, Informative)
As far as I can tell, Microsoft is only going to be an OpenID Provider and not a Relaying Party. That is, you can use your MS ID elsewhere but you can't use your existing ID on MS Live.
This seems to be pretty typical of companies adopting OpenID. Lately, quite a few companies have trumpeted their OpenID support... yet in almost all cases, it has been as a Provider only. Yahoo is the notable exception of a large OpenID provider that is also a relaying party (consumer).
So this has resulted in a world where everybody wants to provide an ID but nobody wants to accept them. The goal is that I could create an ID on my own website (as an OpenID provider) and use that ID to log into Google and Yahoo and MS Live and the rest without having to create a separate user on all of them. The reality is that since nearly all of them are only providers, I would still have to create a ton of separate users.
Microsoft is not an OpenID Relying Party (Score:5, Informative)
Nice to see that the "kinder, gentler" post-Gates Microsoft is just as ruthless and selfish as ever.
Ask yourself this question: if you have a single sign-on for the web, who would you want managing it for you? For us geeks out there, the answer is simple: run your own identity server. [openid.net] No one controls it but you. For non-geeks
The cynical me (Score:3, Insightful)
The cynical me wonders when the Open Source community will abandon the OpenID standard now that Microsoft has committed to it.
Whoooops... (Score:4, Funny)
Ok, remind me never to submit news stories while dead tired. You tend to miss quite a few things (like making sure the bloody headline is completely wrong; what I meant to say was "Microsoft joins the OpenID *Fray*").
Nice getting pwned by Slashdot. I love you too guys!
Re:Someone Want to Tell Me (Score:4, Interesting)
This is something the user wants?
I certainly have no interest in having people be able to associate my account on suicidegirls to my facebook account to my msn messenger account...
(i don't really have a suicidegirls acc, i'm just using that as an example)
Parent