The Internet Networking Security

OpenID - Open Source Single-SignOn

Nurgled writes "Danga Interactive, who created LiveJournal and memcached, is working on a new decentralized single-signon system called OpenID. Similar in principle to Six Apart's TypeKey or MSN Passport, OpenID will allow you to assert a single identity to any OpenID-supporting site. The difference here is that there is no central authenticating server: anyone can run one, and Danga's reference implementations will be open-source. The site you are authenticating with never sees your username or password, just a one-time token. You can read the initial announcement on LiveJournal, though some details have changed since that post, so be sure to read the information on the official site."
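
To make the flow in the summary concrete, here is an added sketch (not Danga's code) of what the relying site actually receives and checks: a signed, single-use token rather than a username or password. It assumes, as OpenID 1.x did, an HMAC "association" secret shared between the identity server and the site; the field names and the RelyingParty class are constructed for this example.

```python
import hashlib, hmac, secrets, time
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Constructed example: identity server and relying party share an "association"
# secret agreed beforehand (OpenID 1.x sets it up with Diffie-Hellman).
ASSOC_SECRET = b"constructed-association-secret"
SIGNED_FIELDS = ("identity", "return_to", "nonce", "issued")

def sign(fields: dict) -> str:
    """HMAC-SHA1 over the signed fields, one 'key:value' line each."""
    msg = "".join(f"{k}:{fields.get(k, '')}\n" for k in SIGNED_FIELDS).encode()
    return hmac.new(ASSOC_SECRET, msg, hashlib.sha1).hexdigest()

def identity_server_assert(identity: str, return_to: str) -> str:
    """The user's home site, after the user has logged in there, redirects the
    browser back to return_to with a signed, single-use assertion: a nonce and a
    signature travel in the query string, never a username or password."""
    fields = {"identity": identity, "return_to": return_to,
              "nonce": secrets.token_hex(16), "issued": str(int(time.time()))}
    fields["sig"] = sign(fields)
    return return_to + "?" + urlencode(fields)

class RelyingParty:
    """The site being logged into: it validates the token, not the user's secrets."""
    def __init__(self, return_to: str, max_age: int = 300):
        self.return_to = return_to
        self.max_age = max_age
        self.seen_nonces = set()  # replay cache of accepted tokens

    def verify(self, url: str, now: Optional[float] = None) -> Optional[str]:
        """Return the asserted identity URL, or None when the token was meant for
        another site, is forged or altered, is stale, or has been used before."""
        f = dict(parse_qsl(url.partition("?")[2]))
        if f.get("return_to") != self.return_to:
            return None
        if not hmac.compare_digest(sign(f), f.get("sig", "")):
            return None
        issued = f.get("issued", "")
        now = time.time() if now is None else now
        if not issued.isdigit() or now - int(issued) > self.max_age:
            return None
        nonce = f.get("nonce", "")
        if not nonce or nonce in self.seen_nonces:
            return None
        self.seen_nonces.add(nonce)
        return f.get("identity")
```

The replay cache is what turns the token into a "one-time" token; a real deployment would also bound its size by expiring entries older than max_age.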
  • Hosting Servers (Score:3, Interesting)

    by NETHED ( 258016 ) on Thursday May 19, 2005 @12:40PM (#12579708) Homepage
    So this is a distributed ID system that is open source. I'm not sure that this is a good idea, but am willing to try. Hell, anything beats Passport. I think that if Slashdot adopted this (OSDN), it would attain critical mass.

  • Why DSA? (Score:5, Interesting)

    by gtrubetskoy ( 734033 ) * on Thursday May 19, 2005 @12:40PM (#12579711)

    I coincidentally not long ago wrote a paper [72.14.207.104] (Google cache) on how to implement RSA-based single sign-on (using Python/mod_python). Using public key signatures seems like the most obvious way of implementing SSO. I'm surprised OpenID is using DSA though - AFAIK RSA (now that it's patent free) is a superior, more trusted and flexible algorithm.

    I'm not a cryptographer by any means, but IIRC DSA was put together by NSA as an algorithm that was "crippled" to only do signatures, but not encryption, and there was some controversy because at first NSA wouldn't admit to being the designer, instead NIST was pretending to be one, and then later someone discovered a way to somehow leak bits and it is still a mystery whether this was intentional on the part of NSA or not.

  • Certain Information (Score:4, Interesting)

    by teiresias ( 101481 ) on Thursday May 19, 2005 @12:43PM (#12579740)
    While it certainly would be nice to log in to one spot and be logged into all my favorite websites, as a webmaster I use different information based on what part of my site the person is logging into. Their username/password might be the same for both pages, but a cookie might be set on one that isn't on the other and doesn't need to be on the other, or could be harmful if done.

    Admittedly, I need to read up on this, and it's definitely an interesting idea to have a single login, but I think there are some behind-the-scenes issues that need to be worked out.

    Also, the decentralized nature of the servers has me worried/confused. So if I ran one, would I have everyone's authentication information?
  • No thanks (Score:4, Interesting)

    by Quasar1999 ( 520073 ) on Thursday May 19, 2005 @12:45PM (#12579763) Journal
    I'll authenticate with each and every site I visit...

    Take MS Passport for example. I log on to MSN webmessenger. I chat with some friends, then I close it down. 3 hours later I decide to log on to MSDN to grab a file, I need to log in with a different account since my messenger account doesn't have the access... fine... I do that... then a few hours later when I go to webmessenger again, I'm auto-logged on with my MSDN credentials.

    The only option I have is to force all Passport sites to stop caching my username/password and make me type it in every time, thus defeating the purpose entirely.

    This sort of password system is open to all sorts of problems, and not just of spoofing, or somehow being hacked and having people impersonate you... I'm more worried about logging on to some place with the wrong credentials...
  • Lame (Score:2, Interesting)

    by pHatidic ( 163975 ) on Thursday May 19, 2005 @12:47PM (#12579783)
    How is this ID? It doesn't identify the person, nor does it even make the claim that it is a unique person. It is just the next in a line of doomed-to-failure solutions for the lack of identity on the Internet. Repeat after me:

    Pay me 25 dollars (iname) to get a name is not the same as identity

    Register with your 'name' and 'email' (typekey) is not the same as identity

    Single sign-on (Passport, OpenID) is not the same as identity

  • yes but (Score:2, Interesting)

    by zxnos ( 813588 ) <zxnoss@gmail.com> on Thursday May 19, 2005 @12:48PM (#12579798)
    If anyone can set up a server to authenticate, does that mean they can access my information? Or track my movements? I am thinking of abuses.
  • by 0xABADC0DA ( 867955 ) on Thursday May 19, 2005 @01:00PM (#12579934)
    What I want is a system where I go to a site requiring a login and it asks my browser to sign some data with my private key. During the account creation I send the server my public key and that's that -- no need for a password and the login could be done automatically using cookies or something. Then there is no need for a single sign-on provider and nobody can globally revoke my account at all sites.

    You could still have an 'id provider' that could sign the data on your behalf if you are in an internet cafe for instance, but it would not be required by design. So in 'kiosk mode' the browser could just forward signature requests to the authority after you logged into it (which could even be your home computer).

    This should be pretty easy to do as a Firefox plug-in.

  • Re:Suddenly.... (Score:3, Interesting)

    by Fox_1 ( 128616 ) on Thursday May 19, 2005 @01:02PM (#12579951)
    I worked as an outside vendor with an internal part of Novell (a few hundred people maybe) that built a beautiful SSO system - Linux based, and it accessed Novell software components better than the Novell software. The solution was supposed to be for ASPs (application service providers - something from the bubble days) and allow them to link products from multiple vendors together, so not only could it manage websites, but other network applications (even if they are hosted on someone else's network on the other side of the continent, like my company's). It wasn't an open product, and the day before we were to go live (we even had a contract that would have made it profitable from day 1) Novell laid off 10,000 people across the company to save money (the bubble was just starting to burst). Among that 10K were my poor SSO friends, and of course 6 months of work on my part was wasted too.
  • Re:Thinking. (Score:3, Interesting)

    by smittyoneeach ( 243267 ) * on Thursday May 19, 2005 @01:04PM (#12579976) Homepage Journal
    Given the amount of Microsoft, Apple, Google, and other big-name-company stories that, otherwise inexplicably, have been termed "news", and "stuff that matters", yes.
  • Re:Lame (Score:3, Interesting)

    by iabervon ( 1971 ) on Thursday May 19, 2005 @01:22PM (#12580191) Homepage Journal
    There is no feasible way of identifying a unique person presently. Fortunately, few entities care (one is the IRS, which wants to prevent individuals from splitting their income and lowering their tax brackets; another is law enforcement, which doesn't want people to be able to start over with a new identity).

    For most things, the only thing that matters is that the site can determine that some entity that claims to have been there before is back. Identity is about telling that things are the same, not about telling that things are different.
  • by Vagary ( 21383 ) <jawarren@gmail.cAUDENom minus poet> on Thursday May 19, 2005 @01:58PM (#12580616) Journal
    For whatever reason (could someone wager a guess?) SAML has not been widely adopted (and don't try to argue this point). Maybe this will rectify whatever deficiency SAML has? Or maybe the project is just to create a widely-usable SAML authentication authority?
  • by MikeFM ( 12491 ) on Thursday May 19, 2005 @03:45PM (#12581825) Homepage Journal
    Why don't we just use a single password entered by the user (once per session or once per browser, depending how it's saved) to generate tokens unique to each site a user browses to? Pass those tokens to the site automatically as part of the HTTP headers. No need to ever send any login data through a third party. No need for any complexity on the part of the end user or website designers. Just a small bit of extra code added to the browser and web server (optionally). Firefox and Apache could do this easily enough.

    Heck, you could have the browser send these unique user and password tokens automatically whenever the website asks for HTTP auth. Nothing would even need to change on the server side. Just a small change to the browser. The chances of two users both having the same username and password aren't that high unless they pick something really easy to guess anyway, like a name and password they see in a movie.
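
As an added illustration of the proposal above (not an existing Firefox or Apache feature, and not the commenter's code), the following derives a separate user token and password token for each site from one master username/password, so a site stores only a token it can verify. The function names and the choice of PBKDF2 keyed by the site origin are my assumptions.

```python
import base64
import hashlib
from typing import Tuple
from urllib.parse import urlsplit

# Constructed example: the browser keeps one master credential for the session
# and derives a distinct token pair per site; the site never sees the master
# password, only the derived pair, which it can store like any other account.

def site_origin(url: str) -> str:
    """Scheme plus host: every page of one site derives the same tokens, while a
    look-alike host under another domain derives different ones."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"

def derive_site_credentials(master_user: str, master_password: str, url: str,
                            rounds: int = 200_000) -> Tuple[str, str]:
    """PBKDF2-HMAC-SHA256, salted with the site origin and master username; the
    first 16 output bytes become the per-site user token, the last 16 the
    password token. The derivation is one-way, so a leaked token store at one
    site does not yield the master password or other sites' tokens."""
    salt = f"site-token:{site_origin(url)}:{master_user}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                              rounds, dklen=32)
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return enc(key[:16]), enc(key[16:])

def basic_auth_header(master_user: str, master_password: str, url: str,
                      rounds: int = 200_000) -> str:
    """What the browser would send when the site challenges with HTTP Basic
    auth; as the comment notes, the server side needs no change to accept it."""
    user, password = derive_site_credentials(master_user, master_password,
                                             url, rounds)
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

The cost of deriving everything from one secret is that changing the master password changes every site's tokens at once, so each site would need its own re-enrolment path.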
  • Digital Certificates (Score:2, Interesting)

    by infohord ( 311979 ) on Thursday May 19, 2005 @03:55PM (#12581953)
    We have this already; it is called digital certificates. I get one digital certificate that identifies me and I use it on multiple sites. Now if more sites just supported authentication by digital certificate, a process already supported on all web servers, then we would be done. Why do so few webmasters understand digital certificates? Do we expect them to understand this any better?
  • by Timothy1965 ( 868606 ) on Thursday May 19, 2005 @04:04PM (#12582066)
    There was a recent paper [cornell.edu] at IPTPS on this problem last year.

    I RTFA'd and OpenID relies on a single host as an authenticator, just like Passport. Sure, you can have many single host authenticators with OpenID (whereas there can only be one with Passport), but at the end of the day, your credentials are only as strong as the security of that one box. Remember all the problems that Microsoft had with authenticating and authorizing Hotmail users? Single hosts make inadequate authenticators. The CorSSO folks fix that problem using threshold cryptography - in CorSSO, an attacker has to compromise a group of different hosts all at the same time to usurp someone's identity, which can be made much harder than compromising a single host in OpenID.
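
The threshold idea in the comment above, as an added illustration (not CorSSO's own code): a k-of-n split of the secret that stands for the user's identity, plus a function showing why k-1 captured shares are consistent with every possible secret. Shamir's secret sharing is assumed as the concrete threshold scheme; CorSSO's actual construction may differ.

```python
import secrets

# Constructed illustration: the secret is split across n authenticator hosts so
# that any k of them can reconstruct it, while k-1 compromised hosts learn
# nothing. Arithmetic is done modulo a 127-bit Mersenne prime.
PRIME = 2**127 - 1

def split_secret(secret: int, k: int, n: int):
    """Shamir's scheme: the secret is f(0) of a random degree-(k-1) polynomial;
    host i receives the point (i, f(i))."""
    if not 1 <= k <= n or not 0 <= secret < PRIME:
        raise ValueError("need 1 <= k <= n and 0 <= secret < PRIME")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    def f(x: int) -> int:
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME
    return [(i, f(i)) for i in range(1, n + 1)]

def interpolate(points, x: int) -> int:
    """Lagrange interpolation: value at x of the unique polynomial of degree
    < len(points) passing through the given (x, y) points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total

def recover_secret(shares) -> int:
    """Any k shares rebuild the secret; fewer give a meaningless value."""
    return interpolate(shares, 0)

def fabricate_missing_share(captured, guess: int, missing_x: int):
    """What an attacker holding only k-1 shares is left with: for ANY guess of
    the secret, the share the missing host would have to hold can be computed.
    Every guess is equally consistent, so the captured shares reveal nothing."""
    if any(x == missing_x for x, _ in captured):
        raise ValueError("missing_x must be a host not already captured")
    return (missing_x, interpolate(captured + [(0, guess)], missing_x))
```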

  • From the sound of this, you log in to one site (your homesite) with your real username and password, and after that it uses digital signatures and a list of trusted sites to prove to that site that you are the owner of the URL.

    I see several problems with this, one of them being specifically that it doesn't require a password everywhere you login. I know the point of single sign-on is to have one username and password for everything. However, think about your average user: when prompted with a dialog box asking "Would you like to trust this site?" or "Would you like to install our malicious software?", they have an uncanny habit of clicking "Yes" without thinking. I think this will become a problem as well--people authorizing any site just because it asks, and not realizing what it means in the end. Requiring password entry and making the requesting site very clear would make it much easier for users to know what they are doing.

  • by Erwin-42 ( 117944 ) on Thursday May 19, 2005 @05:19PM (#12582952) Homepage
    Denmark (!) has this feature. As a Danish citizen, I have acquired an SSL client-side certificate which I've installed into my browser. It is protected by a master password of course, but using it I can go to any site (mostly governmental services, but also e.g. my cell phone provider lets me log in with it so I can check my cell phone logs or buy talk time) and be securely logged in, or use it to sign my email with a key verified by a government-sponsored organisation.

    If permitted, sites can access your information such as address or the Danish equivalent of SSN, but other sites can simply attach your signature to an account so you only have to remember your one master password.

    The digital signature can also be used to enter a binding contract via the Internet, though I don't really know which sites use this feature.

    One of the governmental services includes a site where bills, bank statements and official documents such as those from the tax office sent to me are stored as PDF files. All bills I get are paid electronically of course, but now a company can sign up for this service where such documents are stored on a server accessible to you as PDF files from anywhere.

  • by jernst ( 617005 ) on Thursday May 19, 2005 @05:22PM (#12582996) Homepage

    LID -- Light-Weight Digital Identity -- is an entirely decentralized digital identity system that uses URLs as identifiers. Yes, you can host your own. It's so simple, the average Slashdot hacker can probably implement it from scratch in an afternoon, and it supports SSO, VCard-based contact management, FOAF-based social networking, authenticated messaging and many other applications.

    http://lid.netmesh.org/ [netmesh.org]

    Disclaimer: I'm one of the people who came up with it. I also talk about it and other systems on my blog at http://netmesh.info/jernst [netmesh.info].

  • by bwbadger ( 706071 ) on Thursday May 19, 2005 @06:49PM (#12583807)

    I'd like to see an authentication system that used OpenPGP keys.

    E.g., I go to the bank with my photo ID and my OpenPGP key fingerprint and say "this is my key".

    When I want to authenticate with the bank, they use my public key (which they can get from a key server) to encrypt a secret and send it to me. I demonstrate I have the private key and know the pass phrase by decrypting the cypher and extracting the secret ... more hand-shake stuff and ...

    ... authenticated!

    I don't need the bank to know my password, and I can have one password for everywhere that uses this OpenPGP based approach.

    I can't imagine a Kerberos (or Kerberos-like) single sign-on mechanism would be a huge step (relatively speaking) from this point.

  • by majestiq ( 861341 ) on Thursday May 19, 2005 @07:52PM (#12584428)
    Check out V-ID [v-id.org]. They have a free-to-use single sign-on system running right now.
  • RealOpenID (Score:3, Interesting)

    by Doc Ruby ( 173196 ) on Friday May 20, 2005 @12:23AM (#12585955) Homepage Journal
    If this open, secure, distributed authentication scheme works, maybe it could be used to achieve the US RealID program's (stated) goals. I especially like the idea of allowing an authentication request only a boolean, rather than caching any associated info. Until such a system works, the US shouldn't create a monster that doesn't. Real world test iterations of OpenID might get us there.
