OpenID - Open Source Single-SignOn
Nurgled writes "Danga Interactive, who created LiveJournal and memcached, is working on a new decentralized single-signon system called OpenID. Similar in principle to Six Apart's TypeKey or MSN Passport, OpenID will allow you to assert a single identity to any OpenID-supporting site. The difference here is that there is no central authenticating server: anyone can run one, and Danga's reference implementations will be open-source. The site you are authenticating with never sees your username or password, just a one-time token. You can read the initial announcement on LiveJournal, though some details have changed since that post, so be sure to read the information on the official site."
Re:Certain Information (Score:4, Informative)
Of course, if a central signon system doesn't work for you, then don't use it.
Re:will this work? (Score:3, Informative)
Single Signon. It is a Set Of Single Signons. You can have as many identities as you want. The difference is that without something like this, you are forced to have one identity per site, or one Passport ID. With an OpenID implementation, you can have as many accounts as fit your needs. One potentially useful scheme is to have one signon for blogs and news sites, and then individual identities for each bank/etc.
LID (Score:2, Informative)
Why not just use Shibboleth and Pubcookie? (Score:1, Informative)
Re:Bad idea (Score:3, Informative)
Re:Single signiture sign-on (Score:2, Informative)
I am a cryptographer, and this isn't so. (Score:4, Informative)
When you say "leaking bits", you're probably thinking of subliminal channels, and you're referring to some rather out-of-date information in Applied Cryptography. It's now established that all secure signature schemes have subliminal channels; they have to be probabilistic for the security proofs to work, and that's enough to give a "low-bandwidth" channel for anyone who doesn't know the signing key, or a "high-bandwidth" channel for those who do.
DSA is a perfectly good choice here.
Re:How is it going to stay "single" (Score:3, Informative)
So basically, if you're logging onto the web site where you are registered, it simply makes a local call to a local database. If you provide an ID registered at another server, instead of the webserver looking in its local database of IDs, it asks the remote server if it knows the user. That way the user doesn't have to register with your site, too.
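The exchange described in the summary and in this reply (the user's password is only ever checked at the home server; the visited site either looks in its own table or asks the remote server whether it vouches for a one-time token), as an added Python model. This is an illustration written for this page, not OpenID's wire protocol or any Danga code: the class names, the message fields, the "ask the home server" verification call and the host-to-server table that stands in for identity discovery are all assumptions made for the example.

```python
"""
Simplified model of a decentralized single sign-on exchange.  Added
illustration, not OpenID's protocol: class names, message fields and the
"ask the home server" verification step are assumptions for this example.

Parties:
  IdentityServer  holds the user's password and mints one-time tokens
  RelyingParty    a site the user logs in to; keeps its own table for
                  local users and refers foreign identities to their
                  home server instead of registering them
"""
import hashlib
import hmac
import os
import secrets


def pw_digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_credential(password: str):
    salt = os.urandom(16)
    return salt, pw_digest(password, salt)


def check_credential(table: dict, user: str, password: str) -> bool:
    salt, stored = table.get(user, (b"", b""))
    return bool(stored) and hmac.compare_digest(stored, pw_digest(password, salt))


class IdentityServer:
    def __init__(self, host: str):
        self.host = host
        self._creds = {}    # user -> (salt, pbkdf2 digest)
        self._pending = {}  # nonce -> (user, relying-party host)

    def register(self, user: str, password: str) -> None:
        self._creds[user] = new_credential(password)

    def login(self, user: str, password: str, rp_host: str):
        """The password is checked here only.  On success mint a nonce bound
        to the relying party the user is heading to."""
        if not check_credential(self._creds, user, password):
            return None
        nonce = secrets.token_urlsafe(24)
        self._pending[nonce] = (user, rp_host)
        return {"identity": f"{user}@{self.host}", "nonce": nonce}

    def verify(self, nonce: str, rp_host: str):
        """Answer a relying party's 'do you vouch for this token?' query.
        The nonce is consumed on first use, so replaying it fails."""
        entry = self._pending.pop(nonce, None)
        if entry is None or entry[1] != rp_host:
            return None
        return f"{entry[0]}@{self.host}"


class RelyingParty:
    def __init__(self, host: str, servers: dict):
        self.host = host
        self._servers = servers  # home host -> IdentityServer; stands in for discovery
        self._local = {}         # locally registered users

    def register_local(self, user: str, password: str) -> None:
        self._local[user] = new_credential(password)

    def accept(self, identity: str, credential: str) -> bool:
        """Local identity: check our own table.  Foreign identity: ask the
        home server named in the identity; we never see that user's password."""
        user, _, home = identity.partition("@")
        if home in ("", self.host):
            return check_credential(self._local, user, credential)
        server = self._servers.get(home)
        return server is not None and server.verify(credential, self.host) == identity


def demo() -> dict:
    """Run the exchange with constructed users; every value should be True."""
    home = IdentityServer("lj.example")
    home.register("alice", "correct horse battery")
    blog = RelyingParty("blog.example", {"lj.example": home})
    blog.register_local("bob", "hunter2")

    token = home.login("alice", "correct horse battery", "blog.example")
    elsewhere = home.login("alice", "correct horse battery", "other.example")
    return {
        "local_login": blog.accept("bob", "hunter2"),
        "local_wrong_password_rejected": not blog.accept("bob", "hunter3"),
        "bad_password_gets_no_token": home.login("alice", "nope", "blog.example") is None,
        "remote_login": blog.accept(token["identity"], token["nonce"]),
        "replay_rejected": not blog.accept(token["identity"], token["nonce"]),
        "token_for_other_site_rejected": not blog.accept(elsewhere["identity"], elsewhere["nonce"]),
        "unknown_home_rejected": not blog.accept("carol@nowhere.example", "x"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:32s} {'ok' if ok else 'FAIL'}")
```

The two checks worth noticing are the replay and the wrong-site cases: a token is useless a second time because the home server forgets the nonce on first verification, and a token minted for one relying party is refused by another because the nonce is bound to the host it was issued for. A real deployment would also expire unconsumed nonces, which this model omits.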
Wow. (Score:3, Informative)
Re:Why Hasn't SAML Been Adopted? (Score:3, Informative)
SAML has been widely adopted, just not in the use case you're imagining. For B2B scenarios it is actually taking off quite well, and the US federal government is standardizing on it. [cio.gov]
Now, it hasn't caught on in the world of consumer focused web sites, which is understandable given the architecture - no consumer authenticates at an authority before accessing sites, so it only makes sense for co-ordination between business partners who are providing services to the same users right now. Until a commercial site becomes an identity authority accepted by most consumer sites this will continue to be true. LiveJournal could have attempted to become this authority using existing standards far more easily than tackling the creation of new protocols and implementation platforms at the same time they try to build the business structure. But like most of us, they appear eager to reinvent the wheel.
I find it interesting though that on the one hand every techy's complaint about Passport et al was the monopolistic, centralized model, with all the very appropriate concerns about putting your eggs in one basket - and then when a decentralized model comes along, people wonder why it only catches on in small pockets. What exactly did you think decentralized meant? If you truly want a global SSO mechanism then you are asking for an identity monopoly. If you want different identity providers, you are going to have to deal with trust issues from each provider to whichever resources you want to access. This is a business problem, not a technical one. The standards and technologies to implement whatever world we want to create are there, we just need to figure out what we are really asking for.
Another protocol, OSS needs a mechanism. (Score:2, Informative)
Globus/GRID, Shibboleth, PubCookie, LID and a legion of others are already implementing mechanisms for making assertions about an identity. The fundamental problem with implementing any of these technologies is the back-end systems for implementing and protecting identity and a manageable system for tracking differential access (authorization) at a high level of granularity.
The Open-Source community is currently lacking any respectable effort in this arena. All the basic pieces are there with LDAP, Kerberos, SAML and a host of other technologies. What is required is a coherent framework which implements all these technologies in a manageable package of infrastructure. It will be where the real war for control of information delivery gets won or lost for OSS technologies over the remainder of the decade.
As I noted in the first paragraph, what is fundamentally lacking across the spectrum, commercial or otherwise, is a fundamental definition of identity. It's interesting to see that a couple of other posters have noted this as well. Our Hurderos Project is trying to address that with an OSS solution in an attempt to turn the tide of everyone inventing their own solution.
Getting that type of basic infrastructure laid down is key to unlocking an entirely new generation of application and information delivery architectures. It is also fundamental to addressing the intrinsic problem with federated or distributed identity systems, which is the very real and very thorny problem of target sites asserting authorization over remotely authenticated identities.
In the brave new world of highly distributed information delivery systems with a mobile consumption (client) base the only important thing is 'who you are and what do you have access rights to'. He who controls that will control everything.
Re:Certain Information (Score:3, Informative)
I'm one of the authors of CoSign [weblogin.org], which is a "traditional" Web Single Sign-on system. Really, SSO is explicitly not very useful in a small environment. SSOs are particularly useful in medium to large enterprise environments, primarily because identity needs to be tracked across many different applications -- for provisioning, auditing, authorization, etc. An SSO reduces the security exposure in this environment, because the user's credentials are only used during initial sign-on, and not presented to each service.
OpenID's goals are somewhat similar, in that a form of the user's ID is made available to visited servers, without exposing information that might be important to the user. OpenID could be a big hit on the Internet if sites like GMail, Hotmail, and other enterprise environments that do strong authentication were to act as OpenID "homesites". Obviously, GMail isn't going to trust Livejournal to grant a user access to their mail. But LJ might trust GMail for a user to leave a comment.
Re:Why DSA? (Score:3, Informative)
As a professional cryptographer I certainly don't think that DSA is in any way inferior for the task in hand. It is however superior in one significant way: if you use a 1024 bit key then the RSA signature is 1024 bits, which takes 171 bytes to base64 code, while the DSA signature only takes up 54 bytes.
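To make the size comparison in this reply concrete, here is an added Python example (written for this page, not code from the thread or from the OpenID project) that computes the byte and base64 lengths of a 1024-bit RSA signature and of a DSA (r, s) pair with a 160-bit subgroup order, the pair both fixed-width and DER-wrapped. The DER helpers are a minimal encoder written for the example; the key sizes are parameters so the same function covers other sizes, which the original reply does not discuss.

```python
"""
Signature encoding sizes: RSA vs DSA.  Added illustration; the DER helpers
are a minimal encoder written for this example, not a library call.

RSA: one integer the size of the modulus (PKCS#1 v1.5 or PSS alike).
DSA: the pair (r, s), each smaller than the subgroup order q (160 bits for
     1024-bit DSA), sent either raw at fixed width or as a DER SEQUENCE.
"""
import base64
import math


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value: minimal big-endian bytes, with a
    leading 0x00 when the top bit is set so it is not read as negative."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_dsa_signature(r: int, s: int) -> bytes:
    """SEQUENCE { INTEGER r, INTEGER s }, the X.509/OpenSSL form for DSA and ECDSA."""
    body = der_integer(r) + der_integer(s)
    return b"\x30" + der_length(len(body)) + body


def base64_len(nbytes: int) -> int:
    """Length of padded standard base64, cross-checked against the real encoder."""
    predicted = 4 * math.ceil(nbytes / 3)
    assert predicted == len(base64.b64encode(bytes(nbytes)))
    return predicted


def signature_sizes(rsa_modulus_bits: int = 1024, dsa_q_bits: int = 160) -> dict:
    """Raw and base64 sizes for an RSA signature and a DSA (r, s) pair; the
    DER figure is the largest possible, i.e. both integers with the top bit
    set so each needs the 0x00 padding byte."""
    rsa_raw = (rsa_modulus_bits + 7) // 8
    q_bytes = (dsa_q_bits + 7) // 8
    dsa_raw = 2 * q_bytes
    widest = (1 << dsa_q_bits) - 1   # largest dsa_q_bits-wide value; upper bound on r, s
    dsa_der = len(der_dsa_signature(widest, widest))
    return {
        "rsa_raw": rsa_raw, "rsa_b64": base64_len(rsa_raw),
        "dsa_raw": dsa_raw, "dsa_b64": base64_len(dsa_raw),
        "dsa_der": dsa_der, "dsa_der_b64": base64_len(dsa_der),
    }


if __name__ == "__main__":
    for name, size in signature_sizes().items():
        print(f"{name:12s} {size}")
```

For the 1024-bit RSA / 160-bit DSA case the function returns 128 raw bytes (172 base64 characters) for RSA against 40 raw bytes (56 characters) for a fixed-width DSA pair, or at most 48 bytes (64 characters) once the pair is DER-wrapped. The DER worst case matters when a token is size-budgeted, because r and s vary in length from one signature to the next.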