OpenID - Open Source Single-SignOn
Nurgled writes "Danga Interactive, who created LiveJournal and memcached, is working on a new decentralized single-signon system called OpenID. Similar in principle to Six Apart's TypeKey or MSN Passport, OpenID will allow you to assert a single identity to any OpenID-supporting site. The difference here is that there is no central authenticating server: anyone can run one, and Danga's reference implementations will be open-source. The site you are authenticating with never sees your username or password, just a one-time token. You can read the initial announcement on LiveJournal, though some details have changed since that post, so be sure to read the information on the official site."
Hosting Servers (Score:3, Interesting)
Why DSA? (Score:5, Interesting)
I coincidentally, not long ago, wrote a paper [72.14.207.104] (Google cache) on how to implement RSA-based single sign-on (using Python/mod_python). Using public key signatures seems like the most obvious way of implementing SSO. I'm surprised OpenID is using DSA though - AFAIK RSA (now that it's patent-free) is a superior, more trusted and flexible algorithm.
I'm not a cryptographer by any means, but IIRC DSA was put together by the NSA as an algorithm that was "crippled" to only do signatures, but not encryption, and there was some controversy because at first the NSA wouldn't admit to being the designer, and instead NIST was pretending to be the designer, and then later someone discovered a way to somehow leak bits, and it is still a mystery whether this was intentional on the part of the NSA or not.
Certain Information (Score:4, Interesting)
Admittedly, I need to read up on this, and it's definitely an interesting idea to have a single login, but I think there are some behind-the-scenes issues that need to be worked out.
Also, the decentralized nature of the servers has me worried/confused. So if I ran one, would I have everyone's authentication information?
No thanks (Score:4, Interesting)
Take MS Passport, for example. I log on to MSN webmessenger. I chat with some friends, then I close it down. 3 hours later I decide to log on to MSDN to grab a file; I need to log in with a different account since my messenger account doesn't have the access... fine... I do that... then a few hours later when I go to webmessenger again, I'm auto-logged on with my MSDN credentials.
The only option I have is to force all Passport sites to stop caching my username/password and make me type it in every time, thus defeating the purpose entirely.
This sort of password system is open to all sorts of problems, and not just spoofing, or somehow being hacked and having people impersonate you... I'm more worried about logging on to some place with the wrong credentials...
Lame (Score:2, Interesting)
Paying me 25 dollars (iname) to get a name is not the same as identity
Registering with your 'name' and 'email' (TypeKey) is not the same as identity
Single sign-on (Passport, OpenID) is not the same as identity
yes but (Score:2, Interesting)
Single signature sign-on (Score:4, Interesting)
You could still have an 'id provider' that could sign the data on your behalf if you are in an internet cafe, for instance, but it would not be required by design. So in 'kiosk mode' the browser could just forward signature requests to the authority after you logged into it (which could even be your home computer).
This should be pretty easy to do as a Firefox plug-in.
Re:Suddenly.... (Score:3, Interesting)
Re:Thinking. (Score:3, Interesting)
Re:Lame (Score:3, Interesting)
For most things, the only thing that matters is that the site can determine that some entity that claims to have been there before is back. Identity is about telling that things are the same, not about telling that things are different.
Why Hasn't SAML Been Adopted? (Score:3, Interesting)
Single Sign-on like Passport is a lame idea. (Score:3, Interesting)
Heck, you could have the browser send these unique user and password tokens automatically whenever the website asks for HTTP auth. Nothing would even need to change on the server side. Just a small change to the browser. The chances of two users both having the same username and password aren't that high unless they pick something really easy to guess anyway, like a name and password they see in a movie.
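Added example (the editor's illustration of the comment above, not code from the commenter or from any browser): a browser-side derivation of a per-site username and password from one master password, keyed by the host and the realm in the server's HTTP Basic challenge, next to the ordinary server-side check that needs no protocol change. The host names, realm strings and master credentials are constructed for the example, and PBKDF2-HMAC-SHA256 is the editor's choice of derivation function.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import re
import secrets

# Constructed master credentials for the example; never hard-code real ones.
MASTER_USERNAME = "alice"
MASTER_PASSWORD = "correct horse battery staple"
PBKDF2_ITERATIONS = 100_000


def parse_basic_challenge(www_authenticate: str) -> str:
    """Return the realm from a 'WWW-Authenticate: Basic realm="..."' header value."""
    m = re.match(r'\s*Basic\s+realm="([^"]*)"', www_authenticate, re.IGNORECASE)
    if m is None:
        raise ValueError("not an HTTP Basic challenge")
    return m.group(1)


def derive_site_credentials(master_user: str, master_password: str,
                            host: str, realm: str) -> tuple[str, str]:
    """Derive a (username, password) pair unique to one host+realm.

    Host and realm form the PBKDF2 salt, so a token captured at one site is
    useless at another, and the master password never leaves the browser.
    The derived username hides the master username from the site as well.
    """
    salt = host.lower().encode() + b"\x00" + realm.encode()
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                              PBKDF2_ITERATIONS, dklen=32)
    site_password = base64.urlsafe_b64encode(key).decode().rstrip("=")
    site_user = "u" + hmac.new(key, master_user.encode(), hashlib.sha256).hexdigest()[:16]
    return site_user, site_password


def authorization_header(host: str, www_authenticate: str) -> str:
    """The Authorization header the browser would send back for this challenge."""
    realm = parse_basic_challenge(www_authenticate)
    user, password = derive_site_credentials(MASTER_USERNAME, MASTER_PASSWORD, host, realm)
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# --- Server side: unchanged HTTP Basic auth against a hashed password store ---

def store_password(password: str) -> tuple[bytes, bytes]:
    """Enrolment record (salt, hash); the server only ever sees the derived password."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def server_check(authorization: str, user_db: dict[str, tuple[bytes, bytes]]) -> bool:
    """Verify an Authorization header exactly as an ordinary Basic-auth server would."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Basic":
        return False
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    record = user_db.get(user)
    if record is None:
        return False
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return hmac.compare_digest(candidate, expected)


def demo() -> bool:
    """Enrol at one site, log in there, and confirm the same token is rejected elsewhere."""
    challenge = 'Basic realm="members"'
    user, password = derive_site_credentials(MASTER_USERNAME, MASTER_PASSWORD,
                                             "example.org", "members")
    user_db = {user: store_password(password)}  # what example.org stores at enrolment
    ok_here = server_check(authorization_header("example.org", challenge), user_db)
    ok_elsewhere = server_check(authorization_header("example.net", challenge), user_db)
    return ok_here and not ok_elsewhere
```

Because the realm is part of the salt, a site that changes its realm string silently rotates every user's derived password; a real browser extension would have to pin the realm seen at enrolment or key on the host alone.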
Digital Certificates (Score:2, Interesting)
There is a better system... (Score:2, Interesting)
I RTFA'd and OpenID relies on a single host as an authenticator, just like Passport. Sure, you can have many single host authenticators with OpenID (whereas there can only be one with Passport), but at the end of the day, your credentials are only as strong as the security of that one box. Remember all the problems that Microsoft had with authenticating and authorizing Hotmail users? Single hosts make inadequate authenticators. The CorSSO folks fix that problem using threshold cryptography - in CorSSO, an attacker has to compromise a group of different hosts all at the same time to usurp someone's identity, which can be made much harder than compromising a single host in OpenID.
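Added example (the editor's illustration of the threshold idea in the comment above, not CorSSO's code or protocol): a user's signing secret is split across n authentication hosts with Shamir secret sharing, so any t of them can reconstruct it and any t-1 of them together learn nothing about it. The field prime, the host count and the share layout are the editor's assumptions, and a production threshold scheme would sign without ever reassembling the key on one machine; here the client reassembles it to keep the arithmetic visible.

```python
from __future__ import annotations

import secrets

PRIME = 2**255 - 19  # prime field for the shares (Curve25519's field prime, chosen for convenience)


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Evaluate a polynomial (coefficients lowest degree first) at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, threshold: int, n_hosts: int) -> list[tuple[int, int]]:
    """Produce n_hosts shares; any `threshold` of them reconstruct `secret`."""
    if not 0 < threshold <= n_hosts:
        raise ValueError("need 0 < threshold <= n_hosts")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    # The constant term is the secret; every other coefficient is uniformly random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_hosts + 1)]


def recover_secret(shares: list[tuple[int, int]]) -> int:
    """Lagrange-interpolate the polynomial through `shares` and return its value at x = 0."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


class AuthHost:
    """One of the n authentication servers; it holds exactly one share and nothing else."""

    def __init__(self, share: tuple[int, int]):
        self.share = share

    def release_share(self, user_authenticated: bool) -> tuple[int, int]:
        if not user_authenticated:
            raise PermissionError("host will not release its share")
        return self.share


def user_login(hosts: list[AuthHost], threshold: int) -> int:
    """The legitimate client authenticates to `threshold` hosts and reassembles the secret locally."""
    shares = [h.release_share(True) for h in hosts[:threshold]]
    return recover_secret(shares)


def attacker_with(compromised_hosts: list[AuthHost]) -> int:
    """What an attacker who fully owns the given hosts can compute from their shares.

    With fewer than `threshold` shares the interpolation is of a lower-degree
    polynomial whose value at 0 is independent of the secret, so the result
    is just a random field element.
    """
    return recover_secret([h.share for h in compromised_hosts])
```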
Bad Idea - People are click-happy (Score:3, Interesting)
From the sound of this, you log in to one site (your homesite) with your real username and password, and after that it uses digital signatures and a list of trusted sites to prove to that site that you are the owner of the URL.
I see several problems with this, one of them being specifically that it doesn't require a password everywhere you login. I know the point of single sign-on is to have one username and password for everything. However, think about your average user: when prompted with a dialog box asking "Would you like to trust this site?" or "Would you like to install our malicious software?", they have an uncanny habit of clicking "Yes" without thinking. I think this will become a problem as well--people authorizing any site just because it asks, and not realizing what it means in the end. Requiring password entry and making the requesting site very clear would make it much easier for users to know what they are doing.
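Added example (the editor's sketch of the flow the comment above describes, not OpenID's actual protocol or code): the home site is the only place the user types her password; it keeps the list of sites the user has explicitly approved and vouches for her to those sites with a signed, single-use assertion, which the relying site verifies and refuses to accept twice. OpenID signs assertions with an association secret established by Diffie-Hellman; here the association key is simply a random byte string handed to the relying site, which is an assumption of the example, as are all the URLs and the unsalted password hash at the home site.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
import time

# Constructed identifiers for the example.
IDENTITY_URL = "http://alice.example.org/"


def make_password_hash(password: str) -> bytes:
    """Simplified for the example; a real home site would use a salted, slow hash."""
    return hashlib.sha256(password.encode()).digest()


def _canonical(payload: dict) -> bytes:
    """Deterministic encoding so signer and verifier MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class HomeSite:
    """The one place the user logs in with her real password; it then vouches for her elsewhere."""

    def __init__(self, identity_url: str, password_hash: bytes):
        self.identity_url = identity_url
        self.password_hash = password_hash
        self.logged_in = False
        self.trusted_sites: set[str] = set()        # sites the user explicitly approved
        self.associations: dict[str, bytes] = {}    # per-site shared MAC keys

    def login(self, password: str) -> bool:
        self.logged_in = hmac.compare_digest(make_password_hash(password), self.password_hash)
        return self.logged_in

    def approve_site(self, site: str) -> None:
        """The 'Would you like to trust this site?' click; the only way a site gets added."""
        self.trusted_sites.add(site)

    def associate(self, site: str) -> bytes:
        """Agree a secret with a relying site (OpenID uses Diffie-Hellman; random bytes here)."""
        key = secrets.token_bytes(32)
        self.associations[site] = key
        return key

    def assert_identity(self, site: str, now: float | None = None) -> dict | None:
        """Return a signed, single-use assertion for `site`, or None if the user has not approved it."""
        if not self.logged_in:
            raise PermissionError("user must log in at the home site first")
        if site not in self.trusted_sites or site not in self.associations:
            return None  # the browser would show the user a prompt instead
        payload = {
            "identity": self.identity_url,
            "return_to": site,
            "nonce": secrets.token_hex(16),
            "issued_at": int(now if now is not None else time.time()),
        }
        sig = hmac.new(self.associations[site], _canonical(payload), hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}


class RelyingSite:
    """A site that accepts home-site assertions; it never sees the user's password."""

    def __init__(self, site: str, association_key: bytes, max_age_seconds: int = 300):
        self.site = site
        self.key = association_key
        self.max_age = max_age_seconds
        self.seen_nonces: set[str] = set()

    def verify(self, assertion: dict, now: float | None = None) -> str | None:
        """Return the asserted identity URL, or None if the assertion is invalid, stale or replayed."""
        payload = assertion.get("payload", {})
        expected = hmac.new(self.key, _canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(assertion.get("sig", ""))):
            return None  # forged or tampered
        if payload.get("return_to") != self.site:
            return None  # minted for a different site
        now = now if now is not None else time.time()
        issued = payload.get("issued_at")
        if not isinstance(issued, int) or now - issued > self.max_age:
            return None  # stale
        nonce = payload.get("nonce")
        if not nonce or nonce in self.seen_nonces:
            return None  # one-time token already spent
        self.seen_nonces.add(nonce)
        return payload.get("identity")
```

The nonce set is what makes the token one-time; bounding it with `issued_at` and `max_age` is what keeps that set from growing without limit, since any nonce older than the window is rejected by the age check before it is ever looked up.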
Re:Single signature sign-on (Score:2, Interesting)
If permitted sites can access your information such as address or the Danish equivalent of SSN, but other sites can simply attach your signature to an account so you only have to remember your one master password.
The digital signature can also be used to enter a binding contract via the Internet, though I don't really know which sites use this feature.
One of the governmental services includes a site where bills, bank statements and official documents, such as those from the tax office sent to me, are stored as PDF files. All bills I get are paid electronically, of course, but now a company can sign up for this service where such documents are stored on a server accessible to you as PDF files from anywhere.
There are other, simpler systems: LID, for example (Score:2, Interesting)
LID -- Light-Weight Digital Identity -- is an entirely decentralized digital identity system that uses URLs as identifiers. Yes, you can host your own. It's so simple that the average Slashdot hacker can probably implement it from scratch in an afternoon, and it supports SSO, VCard-based contact management, FOAF-based social networking, authenticated messaging and many other applications.
http://lid.netmesh.org/ [netmesh.org]
Disclaimer: I'm one of the people who came up with it. I also talk about it and other systems on my blog at http://netmesh.info/jernst [netmesh.info].
OpenPGP *is* my identity (Score:2, Interesting)
I'd like to see an authentication system that used OpenPGP keys.
e.g. I go to the bank with my photo ID and my OpenPGP key fingerprint and say "this is my key".
When I want to authenticate with the bank, they use my public key (which they can get from a key server) to encrypt a secret and send it to me. I demonstrate I have the private key and know the passphrase by decrypting the ciphertext and extracting the secret ... more hand-shake stuff and ...
... authenticated!
I don't need the bank to know my password, and I can have one password for everywhere that uses this OpenPGP based approach.
I can't imagine a Kerberos (or Kerberos-like) single sign-on mechanism would be a huge step (relatively speaking) from this point.
V-ID already does a simple version of this (Score:2, Interesting)
RealOpenID (Score:3, Interesting)