The Case for OpenID
An anonymous reader writes "VeriSign and NetMesh are making the case for OpenID, the grass-roots, decentralized digital identity system already supported by LiveJournal, Six Apart, Technorati, VeriSign and many startups, reportedly growing 5% every single week. They say OpenID 'is fundamentally different from other identity technologies' because it is a 'fully decentralized system' and has a 'much lighter cost structure' than any alternative, like Microsoft Passport, CardSpace or Liberty Alliance. Time to remove username and password from your site and add OpenID libraries instead, so visitors can authenticate with their blog URL?" From the article: "If tomorrow, for example, you decide you don't like the Diffie-Hellman cryptographic key exchange at the root of OpenID authentication, you can develop your own way of authenticating, and deploy it within the OpenID framework. If you have an idea for a new identity-related service that nobody else ever thought of, you can deploy it into the OpenID framework as soon as your code is ready. This radical decentralization on all levels of the stack, both technically and organizationally, is a very strong catalyst for attracting innovators and their innovations. This makes OpenID a superior choice for identity-related innovation."
so it will be OpenID to bind them (Score:1, Interesting)
one password to root them all!
all these integrated ID schemes (MS Passport etc.) are good in theory but for a vital flaw: the bad guys only need to get your single password, and from then on they have access to _all_ your "OpenID" websites
much better to have multiple passwords, however hard it may be to remember them
OpenID is great in theory (Score:4, Interesting)
The problem, though, is that OpenID is currently just a framework. There is no way to prevent people from making 100 accounts, which is still the problem. Once we have a way of making sure each person only has one account, even if we don't know who that person is and can't identify them in any way, then and only then will social software be able to break through this quality barrier that it is currently capped at. I wrote about one way of doing this here [alexkrupp.com], and there are other ways. Hopefully within the next ten years we can have this problem solved, to enable the next generation of web apps that aren't even possible today.
Re:No way! (Score:5, Interesting)
There's been discussion of OpenID providers offering aliases, so you could have a number of distinct "IDs" you mix-and-match with, but they're all validated by an OpenID provider. I don't think the spec says one way or another regarding this; it would be a feature of whichever OpenID provider you used for your identity.
Re:No way! (Score:5, Interesting)
The second point is that nobody's holding a gun to your head and forcing you to use it. If you don't like it, just create a new password for each site anyway. It doesn't prevent that.
(Sidenote: Stop requiring registration for moronic things! I don't want to give you any personal information to post in a damned blog!)
(Also, why do all these misguided technophobe posts always get modded up first? I thought this was a site for technology enthusiasts.)
Re:No way! (OK, Setup several IDs) (Score:1, Interesting)
This will never fly.
Re:No way! (Score:1, Interesting)
The problem is, it won't be only sites you don't care about using it. And where it'll start off as being offered in addition, once it has enough users it's very conceivable that it'll be the only option. Do you really want your registration for eBay, Amazon, the communist party website, your Christian youth club forum and this bondage fetish site that you frequent to be tied together?
I might be a technology enthusiast, but I'm a lot more enthusiastic about having - and keeping - some privacy. I'm not ashamed of anything I do, but I also know that "live and let live" isn't really human nature. Just because technology makes something possible doesn't mean it's a good idea to actually do it.
Re:No way! (Score:4, Interesting)
Then try an approach that I've found incredibly useful... use generated site passwords along with address extensions!
First, for passwords, you only need to remember *1* and have the following javascript (which runs client side) from this most excellent site:
GenPass. [zarate.org]
Next, look into using address extensions (à la what is available via postfix) and define unique addresses for each site you visit (most that I visit have adopted the email address as the username).
For those not familiar with address extensions, you get a base user id within your email system that you're allowed to dynamically apply an extension to, and it'll still get delivered to your base box. So, if you're "sam@abc.com", with an extension the address "sam+slashdot@abc.com" will still deliver to your base mailbox.
Then it is trivial to figure out which site leaked your address for spam, as well as to start blocking a particular address (either by using procmail or a combination of postfix with an SMTP proxy such as smtpprox [latency.net]).
And while we need the tech savvy of the world setting up the mailserver side of things for our less tech-interested friends (I've done this for friends and family and host mail for them), it simplifies things by effectively making it easier to manage multiple identities instead of depending on a bastion one.
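The filtering side of the address-extension scheme described in this post, as an added example (not the poster's code): split a plus-addressed recipient the way postfix's recipient_delimiter does, decide per message whether to deliver or block, and count off-site senders per tag to spot which site leaked the address it was given. All addresses, domains and the mail log below are constructed sample data.

```python
from collections import Counter

# Constructed inbox log: (envelope recipient, sender) pairs, not real mail.
SAMPLE_MAIL = [
    ("sam+slashdot@abc.com", "noreply@slashdot.org"),
    ("sam+shop@abc.com", "orders@shop.example"),
    ("sam+shop@abc.com", "win-big@spam.example"),
    ("sam+shop@abc.com", "cheap-pills@spam2.example"),
    ("Sam+Forum@ABC.com", "admin@forum.example"),
    ("sam@abc.com", "mum@family.example"),
    ("sam+nosuchtag@abc.com", "guess@spam.example"),
]

# Tag -> domain of the site that was handed that address (constructed).
ISSUED = {"slashdot": "slashdot.org", "shop": "shop.example",
          "forum": "forum.example"}

def split_extension(address, delimiter="+"):
    """Return (base address, tag), splitting the local part at the first
    delimiter like postfix does; tag is None when there is no extension."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an address: {address!r}")
    user, _, tag = local.partition(delimiter)
    # Local parts are folded to lower case; almost no real mail system
    # relies on the case sensitivity RFC 5321 permits.
    return f"{user.lower()}@{domain.lower()}", (tag.lower() or None)

def classify(recipient, sender, issued=ISSUED, blocked=frozenset()):
    """What a procmail-style rule should do with one message."""
    _, tag = split_extension(recipient)
    if tag is None:
        return "deliver"          # plain base address, nothing to check
    if tag in blocked:
        return "block"            # address retired after a leak
    if tag not in issued:
        return "unknown-tag"      # never handed out: guessed or mangled
    if sender.rpartition("@")[2].lower() != issued[tag]:
        return "off-site"         # tag used by someone other than its site
    return "deliver"

def leaked_tags(mail, issued=ISSUED, threshold=2):
    """Tags with >= threshold off-site messages: the sites that leaked
    (or lost) the address they were given."""
    hits = Counter(split_extension(r)[1] for r, s in mail
                   if classify(r, s, issued) == "off-site")
    return sorted(t for t, n in hits.items() if n >= threshold)
```

Tags reported by leaked_tags are the candidates to add to the blocked set, after which classify returns "block" for that address regardless of sender.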
Fundamental issues in identity. (Score:2, Interesting)
A number of other posts have alluded to 'what's the problem with identity'. In the FWIW department, a summary of the important issues from someone who has spent a long time working in the field:
1.) There is no standardized method for defining identity.
2.) Services of value impose the Reciprocal Identity Management (RIM) problem.
With respect to point 1, is your identity?
mdoe
112233
Mary Doe
mdoe@SOMETHING.ORG
http://www.something.org/mary_doe
All of the above 'representational identities' are very useful in different contexts. None of them are your identity. For better or worse, your identity is ultimately a token, let's call it an 'intrinsic identity', which has a fiduciary or contractual value associated with it by a third party.
Examples of intrinsic identities are things like social security numbers, credit card numbers, employee identification numbers, visa numbers, etc. Such tokens are extremely useful in information technology since they serve as unique and definable 'keys' for who someone is. They are also extremely dangerous since possession of these tokens allows the implementation of an identity.
Systems such as OpenID, Shibboleth, Liberty Alliance and a bunch of OASIS standards seek to solve the problem of 'identity assertion'. While useful in and of themselves they don't provide a fundamental definition for identity.
Federated identity systems solve a very useful and important problem but impose problem number 2 which is the RIM problem. If the service being vended has any value a system for authorizing access to it must be in place. If the identity assertion comes from an external site the accepting site needs to instantiate or manage the identity in order to regulate the use of the service by the requesting identity. One class of problem is addressed but a second and equally important problem still exists.
In the case of the 'real world' - blog and social networking sites notwithstanding, where one organization is asserting identity for the actions of one of its employees there is a need for the identity asserting site to regulate the actions of the identity on the remote site as well. The management problem becomes quickly apparent if there are hundreds of partners in a federated identity environment.
Getting the right answer to the identity definition question is actually very useful. A number of very important issues in information delivery tend to 'fall out' when the question gets answered properly. Unfortunately the field of identity theory is abstract, poorly defined, difficult to understand and laden with socio-political and privacy issues.
As is typical with most problems the low hanging fruit gets picked first. Various schemes such as OpenID for attacking the identity assertion problem are emblematic of those types of effort.
Re:Overly complicated (Score:3, Interesting)
Indeed. OpenID also seems too unreliable. What's to say the server my blog is on won't get hacked again? What's to keep the crackers from using that to forge my identity? There's no signing mechanism, no challenge/response, and it doesn't even bother to protect my "identification" from interception or duplication! All it does is prove that I have access to the blog I linked to.
What I want is a complete solution that allows me to protect my identification by a strong encryption schema and use that everywhere - maybe have a Firefox extension (or a user.js in Opera) that handles the legwork for me. I don't know, it probably doesn't exist.