
OpenID - Open Source Single-SignOn

Zonk posted more than 8 years ago | from the throwing-your-name-around dept.

The Internet 209

Nurgled writes "Danga Interactive, who created LiveJournal and memcached, is working on a new decentralized single-signon system called OpenID. Similar in principle to Six Apart's TypeKey or MSN Passport, OpenID will allow you to assert a single identity to any OpenID-supporting site. The difference here is that there is no central authenticating server: anyone can run one, and Danga's reference implementations will be open-source. The site you are authenticating with never sees your username or password, just a one-time token. You can read the initial announcement on LiveJournal, though some details have changed since that post, so be sure to read the information on the official site."


209 comments


Hosting Servers (2, Interesting)

NETHED (258016) | more than 8 years ago | (#12579708)

So this is a distributed ID system, that is open source. I'm not sure that this is a good idea, but am willing to try. Hell, anything beats Passport. I think that if Slashdot adopted this (OSDN), it would attain critical mass.

Re:Hosting Servers (1)

oKtosiTe (793555) | more than 8 years ago | (#12579835)

Something similar is already available in Drupal based web-sites. You only require one single account for different web-sites.
The downside being, you still have to log in on each site individually.

Thinking. (-1, Troll)

Anonymous Coward | more than 8 years ago | (#12579856)

I think that if Slashdot adopted this (OSDN), it would attain critical mass.

I think you're delusional. You've actually bought into the fantasy that Slashdot and OSTG (no longer OSDN in order to avoid criminal charges) have any sway outside of blog space?

Re:Thinking. (2, Interesting)

smitty_one_each (243267) | more than 8 years ago | (#12579976)

Given the amount of Microsoft, Apple, Google, and other big-name-company stories that, otherwise inexplicably, have been termed "news", and "stuff that matters", yes.

Re:Hosting Servers (3, Insightful)

Turn-X Alphonse (789240) | more than 8 years ago | (#12580113)

you forget something.

Slashdot may be large but LiveJournal's user base (myself included) is also very large. Most of them are idiots (AKA teen girls) so they would instantly start using it and think it was a great idea to only need to sign onto one site ever.

If "average whiney girl mark 3" thinks it's a good idea she will tell her friends and it'll spread like wildfire through the mass market. The geeks can't control this, only choose whether we listen to the cries or get snowed under with them if this happens.

Teen Girls (0)

Anonymous Coward | more than 8 years ago | (#12580171)

idiots (AKA teen girls)

You just sent LiveJournal's membership higher than that of AOL.

Gotta run. Gotta get over to LiveJournal and sign up!

Re:Hosting Servers (1)

jamie (78724) | more than 8 years ago | (#12580231)

We'll definitely give it a serious look!

Yeah, Slashdot might help raise awareness in the geek community, but as far as general "critical mass" goes, LJ has zillions [livejournal.com] more active logged-in users than we do :)

Re:Hosting Servers (4, Insightful)

soupdevil (587476) | more than 8 years ago | (#12580448)

But Slashdot readers are more likely to manage their own sites which would be candidates for using Open ID, which makes Slashdot potentially more valuable.

Re:Hosting Servers (3, Insightful)

Nos. (179609) | more than 8 years ago | (#12580513)

And this is the important point. For some reason, users of web services don't typically demand features like consumers do in other markets, at least not to the same degree. New features usually are first designed by site/owners/programmers/designers/masters/etc and then copied by countless other sites.

So, having a large population of readers that also maintain or run sites see and believe in an open system like this is probably more important than the user base knowing about it. Let's face it, if everyone on /. started incorporating this technology into their sites and mentioned it on other sites that are maybe more targeted, this could take off faster than anyone expected. Imagine if slashcode, post/php-nuke (and all the other OSS CMS systems), etc started putting in modules for this. Microsoft passport would become nothing but a memory very quickly.

Re:Hosting Servers (0, Flamebait)

grazzy (56382) | more than 8 years ago | (#12580454)

The link in your signature might be the absolutely lamest thing ever. Congratulations.

Why DSA? (4, Interesting)

gtrubetskoy (734033) | more than 8 years ago | (#12579711)


I coincidentally not long ago wrote a paper [72.14.207.104] (Google cache) on how to implement RSA-based single sign-on (using Python/mod_python). Using public key signatures seems like the most obvious way of implementing SSO. I'm surprised OpenID is using DSA though - AFAIK RSA (now that it's patent free) is a superior, more trusted and flexible algorithm.

I'm not a cryptographer by any means, but IIRC DSA was put together by NSA as an algorithm that was "crippled" to only do signatures, but not encryption, and there was some controversy because at first NSA wouldn't admit to being the designer, instead NIST was pretending to be one, and then later someone discovered a way to somehow leak bits and it is still a mystery whether this was intentional on the part of NSA or not.

I am a cryptographer, and this isn't so. (3, Informative)

Paul Crowley (837) | more than 8 years ago | (#12580506)

I don't think RSA is overall more trusted than DSA, and I certainly don't see a way in which it's more flexible for this application. It was designed only to do signatures, but that's fine, since only signatures are needed here.

When you say "leaking bits", you're probably thinking of subliminal channels, and you're referring to some rather out-of-date information in Applied Cryptography. It's now established that all secure signature schemes have subliminal channels; they have to be probabilistic for the security proofs to work, and that's enough to give a "low-bandwidth" channel for anyone who doesn't know the signing key, or a "high-bandwidth" channel for those who do.

DSA is a perfectly good choice here.

Open (5, Funny)

callqcmd (868085) | more than 8 years ago | (#12579716)

Does it mean I have to release my password per GPL and anyone is allowed to modify and distribute it for free?

Re:Open (1)

millahtime (710421) | more than 8 years ago | (#12579754)

Does it mean I have to release my password per GPL and anyone is allowed to modify and distribute it for free?

Yes. And if you withhold your password, that is like withholding proprietary info and not opening it up.

Re:Open (1)

rootofevil (188401) | more than 8 years ago | (#12579842)

your password is already being distributed

just
cat /dev/random | grep yourpassword
it'll show up eventually, after some 31337 h4x0r posts it

Re:Open (1)

Ithika (703697) | more than 8 years ago | (#12579883)

how you gonna know if the 1337 posts show up if you don't do it:

cat /dev/urandom | strings

Re:Open (0)

Anonymous Coward | more than 8 years ago | (#12579914)

Does it mean I have to release my password per GPL and anyone is allowed to modify and distribute it for free?

Would you prefer a proprietary system so they could sell your info to third parties without you knowing how? :D

Re:Open (2, Funny)

mazarin5 (309432) | more than 8 years ago | (#12579943)

I've forked your password:

*****+

Re:Open (1)

pato101 (851725) | more than 8 years ago | (#12580112)

[...] GPL and anyone is allowed to modify and distribute it for free?

on the other hand they can't make money from it, unless what they sell is support for that password ;-P

Free as in Freedom (4, Funny)

RealProgrammer (723725) | more than 8 years ago | (#12580438)

Does it mean I have to release my password per GPL and anyone is allowed to modify and distribute it for free?

That's a common misconception. We have no problem with people making money from your password. It's the attempt by some to restrict freedom and keep your password all to themselves that we are against.

We would support, for instance:

  • sending your password out on a tape and charging $100 for the tape.
  • charging you $100 for your use of the computer resources on which your password is stored
  • charging you $100 for the support of your password
  • charging you $100 for this response

Your password wants to be Free. We urge you to set aside the bondage in which your password is held and join with us for a better community.

[Gnoll mode: OFF]

Wrong category? (2, Insightful)

Anonymous Coward | more than 8 years ago | (#12579719)

Why is this in Hardware? Shouldn't it be... IT?

Re:Wrong category? (1)

whiteranger99x (235024) | more than 8 years ago | (#12580013)

Here [slashdot.org] you go! :P

What? (-1, Redundant)

millahtime (710421) | more than 8 years ago | (#12579728)

Open Source Single-SignOn

This under the hardware category... am I missing something?

Re:What? (0, Offtopic)

Tibor the Hun (143056) | more than 8 years ago | (#12579887)

You're not missing anything.
I believe this phenomenon is called a "mistake".
It happens every now and then when people do things, but end up with results that are unexpected and not satisfactory.

Depending on the level of damage that such a "mistake" causes, people have differing reactions.

Some people react quite anally to even the slightest of such perturbations, perhaps making a note in their daily blog, while others recognize them as being insignificant, and go on happily about their lives.

More information can be found here. [wikipedia.org]

Re:What? (0, Offtopic)

wolfgang_spangler (40539) | more than 8 years ago | (#12579995)

This under the hardware category... am I missing something?

Yes, a life. Hmm, that sounds much harsher than I intended it, but you may be paying a little too much attention to /. if you noticed/care about that.

Re:What? (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#12580084)

Paying too much attention as in reading the topic and reading the article :P
Isn't that defined as paying enough attention?

Re:What? (0, Offtopic)

maxwell demon (590494) | more than 8 years ago | (#12580212)

Well, if you prefer it, you can also read the IT version [slashdot.org] of the story. Or maybe you prefer Your Rights Online [slashdot.org] ?

Cool (1, Insightful)

Anonymous Coward | more than 8 years ago | (#12579731)

Now if my bank, my broker, and my webmail all did this I would be one happy person. But this sounds like it would do the same thing to me that stored numbers on the phone did: I forgot almost everyone's number.

What about world domination? (0)

Anonymous Coward | more than 8 years ago | (#12579734)

The difference here is that there is no central authenticating server: anyone can run one, and Danga's reference implementations will be open-source.

But how are we gonna control the world? Palladium sounds like a better idea...

Certain Information (3, Interesting)

teiresias (101481) | more than 8 years ago | (#12579740)

While it certainly would be nice to login to one spot and be logged into all my favorite websites, as a webmaster I use different information based on what part of my site the person is logging into. Their username/password might be the same for both pages but a cookie might be set on one that isn't on the other and doesn't need to be on the other or could be harmful if done.

Admittedly, I need to read up on this, and it's definitely an interesting idea to have a single login but I think there are some behind the scenes issues that need to be worked out.

Also the decentralized nature of the servers has me worried/confused. So if I ran one, would I have everyone's authentication information?

Re:Certain Information (2, Insightful)

alecks (473298) | more than 8 years ago | (#12579867)

So if I ran one, would I have everyones authentication information?

No. Just a token. Sheesh.. I didn't even RTFA

Re:Certain Information (3, Informative)

Doctor Crumb (737936) | more than 8 years ago | (#12579875)

You are confusing Authentication with Authorisation. Authentication is proving that You Are Who You Say You Are, i.e. the purpose of systems like OpenID. Your cookies/etc would be involved with Authorisation instead, deciding what that person is allowed to do on your site.

Of course, if a central signon system doesn't work for you, then don't use it.

Re:Certain Information (0)

Anonymous Coward | more than 8 years ago | (#12579876)

Haven't read TFA, but I would hope you could query a service with the token to obtain some user information similar to LDAP.

Re:Certain Information (5, Insightful)

sydney094 (153190) | more than 8 years ago | (#12579945)

The decentralized nature of this is the problem. It is impossible to securely authenticate a person using an untrusted server.

If you ran one, you'd have only your authentication information stored on your server. Then, to authenticate to a remote server, you'd point that server to your server. The remote server would ask your server who you are, and then authenticate you (log you in). The biggest thing is that the remote server has to trust that what your server tells it is correct.

This may have a place in the blog world, where you're mainly looking for an easy way to keep your user profile the same across many blogs, but certainly not anywhere where you'd have sensitive data.

Another point, this is supposed to be authentication and not authorization. But actually, this isn't really authentication either... The difference between the two is really the question the server is asking. In authentication, the question is "are you who you say you are?". In authorization the question is "do I have the rights to perform a task?". With OpenID, the question is "who are you?". There is no verification to see if you are who you say you are (from the remote server's perspective, since there is no trust between servers), so you aren't actually authenticated.

It would be up to your server to determine what rights an open-id authenticated user would have.
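As an added illustration (not code from the page, from Danga, or from the OpenID project) of the flow described in the summary and in the post above, here is a small Go model of the three parties: the user's own identity server checks the password, and the relying party receives only a signed, one-time assertion. Everything in it is constructed: the server names and password are sample data, and the ed25519 keys, the assertion format and the five-minute expiry are assumptions of this model rather than OpenID's wire format. In particular, the relying party is assumed to have the identity server's public key pinned out of band, which stands in for whatever key exchange the real protocol performs; that pinning is exactly the trust question the post above raises. The relying party's remaining checks (the trusted server actually hosts the claimed identity, the signature verifies, the assertion is unexpired, the nonce has not been seen before) are what keep a trusted server from vouching for someone else's identity and a captured token from being replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assertion is the one-time token the relying party gets instead of a username and
// password: vouching server, identity, nonce, expiry (Unix seconds) and a signature
// over all of it. The format is constructed for this example, not OpenID's.
type Assertion struct {
	Server, Identity, Nonce string
	Expires                 int64
	Sig                     []byte
}

func (a Assertion) payload() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%d", a.Server, a.Identity, a.Nonce, a.Expires))
}

// IdentityServer is the user's own server, the only party that ever sees the
// password. The password table is constructed sample data.
type IdentityServer struct {
	URL       string
	Pub       ed25519.PublicKey
	priv      ed25519.PrivateKey
	passwords map[string]string // identity URL -> password
}

func NewIdentityServer(url string, passwords map[string]string) *IdentityServer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &IdentityServer{URL: url, Pub: pub, priv: priv, passwords: passwords}
}

// Login checks the password locally and, on success, issues an assertion that is
// valid for five minutes. Nothing secret leaves this server.
func (s *IdentityServer) Login(identity, password string, now time.Time) (Assertion, error) {
	if pw, ok := s.passwords[identity]; !ok || pw != password {
		return Assertion{}, errors.New("bad credentials")
	}
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return Assertion{}, err
	}
	a := Assertion{Server: s.URL, Identity: identity, Nonce: fmt.Sprintf("%x", b),
		Expires: now.Add(5 * time.Minute).Unix()}
	a.Sig = ed25519.Sign(s.priv, a.payload())
	return a, nil
}

// RelyingParty is the site being logged into: it holds the public keys of the
// identity servers it trusts and remembers every nonce it has accepted.
type RelyingParty struct {
	trusted map[string]ed25519.PublicKey
	seen    map[string]bool
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{trusted: map[string]ed25519.PublicKey{}, seen: map[string]bool{}}
}

func (rp *RelyingParty) Trust(s *IdentityServer) { rp.trusted[s.URL] = s.Pub }

// Verify accepts an assertion only if a trusted server signed it, the identity URL
// lives under that server, and the assertion is unexpired and never seen before.
func (rp *RelyingParty) Verify(a Assertion, now time.Time) (string, error) {
	pub, ok := rp.trusted[a.Server]
	if !ok {
		return "", errors.New("untrusted identity server")
	}
	if !strings.HasPrefix(a.Identity, a.Server+"/") {
		return "", errors.New("server may not vouch for that identity")
	}
	if !ed25519.Verify(pub, a.payload(), a.Sig) {
		return "", errors.New("bad signature")
	}
	if now.Unix() > a.Expires {
		return "", errors.New("assertion expired")
	}
	if rp.seen[a.Nonce] {
		return "", errors.New("replayed assertion")
	}
	rp.seen[a.Nonce] = true
	return a.Identity, nil
}

func main() {
	idp := NewIdentityServer("https://idp.example", map[string]string{"https://idp.example/alice": "correct horse"})
	rp := NewRelyingParty()
	rp.Trust(idp)
	a, _ := idp.Login("https://idp.example/alice", "correct horse", time.Now())
	fmt.Println(rp.Verify(a, time.Now())) // first use: accepted
	fmt.Println(rp.Verify(a, time.Now())) // second use: rejected as a replay
}
```

Running main logs Alice in once and then shows the same assertion rejected when presented a second time. The relying party never handles the password at all; what it has to decide is which identity servers' keys it is willing to trust, and that decision is not something the protocol can make for it.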

Re:Certain Information (2, Insightful)

Elwood P Dowd (16933) | more than 8 years ago | (#12580489)

That doesn't make any sense at all. The point of OpenID is that you can say "I'm Brad Fitz from Livejournal" and it would check with Livejournal. Isn't that exactly authentication?

Sure, you could lie about being Brad Fitz by saying "I'm Brad Fitz from Deadjournal" but then... those are two separate identities.

Re:Certain Information (5, Insightful)

Nytewynd (829901) | more than 8 years ago | (#12579955)

You could still use cookies based on the sign on. Instead of getting the sign-on data from the user typing it, you would be getting it from the token and perhaps looking it up on the backend. It makes it easier for the user, and is about the same amount of programming for you. You can still set and delete cookies accordingly.

Decentralized servers are no less secure than if you had a database table of your user authentication information for your application. With SSO, you actually don't need to know the password since it has already been handled. All you need back is the user ID and that they have been authenticated. If you choose to set one of these servers up, it isn't like people are going to start using your server to store their Online Banking information. They will be using your server only to access sites that you run.

On the flip side, if you choose to latch onto someone else's server for authentication, all you will be doing is specifying that you allow anyone authenticated by that server to access your site. You wouldn't even have as much knowledge of those users as you would if you ran your own security.

For the most part SSO is only really useful within a small environment. Very rarely do I see a need to allow people to access more than one application with the same sign on. Something like passport is nice for the general user, but why would I want the overhead of something like that for my own applications? I'd rather have more control over things. That sort of makes this new product interesting to me, but on the other hand, most of my applications have distinct user sets anyway.

From the authors of LiveJournal? (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#12579742)

So you log on with pix of your boobies?

hardware? (1)

EvilStein (414640) | more than 8 years ago | (#12579748)

yeah, Zonk, this really belongs in the "hardware" category. heh.

The demo didn't seem to work for me, but others are already playing with it. Kind of cool, really.

What would be *really* cool is if news websites would let us use something like this instead of having to create usernames & passwords for every news site we want to read (or w/o having to leech a login from bugmenot)

Re:hardware? (0)

Anonymous Coward | more than 8 years ago | (#12580311)

ff extension from http://www.bugmenot.com/ [bugmenot.com] and you spare yourself from this kind of stuff

luuletaja

No thanks (3, Interesting)

Quasar1999 (520073) | more than 8 years ago | (#12579763)

I'll authenticate with each and every site I visit...

Take MS Passport for example. I log on to MSN webmessenger. I chat with some friends, then I close it down. 3 hours later I decide to log on to MSDN to grab a file, I need to log in with a different account since my messenger account doesn't have the access... fine... I do that... then a few hours later when I go to webmessenger again, I'm auto-logged on with my MSDN credentials.

The only option I have is to force all passport sites to stop caching my username/password and make me type it in every time, thus defeating the purpose entirely.

This sort of password system is open to all sorts of problems, and not just of spoofing, or somehow being hacked and having people impersonate you... I'm more worried about logging on to some place with the wrong credentials...

Re:No thanks (1)

peragrin (659227) | more than 8 years ago | (#12579870)

Wait, are you for or against Single Sign On?

I'll authenticate with each and every site I visit...

and

I'm more worried about logging on to some place with the wrong credentials...

Are contradictory statements. You can't have both be true.

Single Sign On is nice because authentication is easier. I didn't like passport cause I don't trust MSFT, or any single vendor. Open ID once it has stabilized and been tested is a better way in theory.

So who do you trust: a dozen or two different companies with various policies, or a single system gone over by experts and attackers that is designed to provide a single point of failure?

Which one is most likely to cause problems?

Re:No thanks (1)

Tenebrious1 (530949) | more than 8 years ago | (#12580127)

No, the problem is that many of us have, and want, separate accounts; the parent mentions MSN and MSDN, maybe the first is personal account and the second from work, and he doesn't want to mix the two. The problem is the cookies; when you hit the Passport sites it just recognizes the last used cookie, so you have to clear that user and log in as another.

Single Sign On sounds really cool, and maybe for the majority of people it's a Good Thing (TM). But for some of us, we have multiple accounts that we like to keep separate, maybe we have different accounts for various businesses we run, or just like to keep our work and personal accounts separate, SSO doesn't work and is unnecessary. So we can be *for* SSO in general, but that doesn't mean we want to use it.

Re:No thanks (1)

emc (19333) | more than 8 years ago | (#12580217)

The core issue here is that the current paradigm directly ties accounts, identities, and privileges.

What we need is a system that every person has one identity, with multiple persona. Each persona would have privileges and accounts tied with it. Your identity should be available only to those to which you trust it, and persona as well.

Re:No thanks (0)

Anonymous Coward | more than 8 years ago | (#12580187)

You must have misunderstood something. Go back and read the post again.

The guy is saying that he prefers to manually authenticate with different credentials each time he connects to some service. And he wants to do this because he doesn't want some "intelligent" software logging him in automatically using the *wrong* identity.

He even gave an example: When he is chatting with his friends, he logs in using a personal identity, which is *not* his MSDN (work-related) identity. But after he logs into MSDN, it insists on logging him into the chat program under his MSDN (work-related) identity, rather than his personal (non-work-related) identity.

This is a nuisance, and a serious drawback to these one-login ideas.

Lame (1, Interesting)

pHatidic (163975) | more than 8 years ago | (#12579783)

How is this ID? It doesn't identify the person, nor does it even make the claim that it is a unique person. It is just the next in a line of doomed to failure solutions for the lack of Identity on the Internet. Repeat after me:

Pay me 25 dollars (iname) to get a name is not the same as identity

Register with your 'name' and 'email' (typekey) is not the same as identity

Single sign-on (passport, openID) is not the same as identity

Re:Lame (1)

caluml (551744) | more than 8 years ago | (#12580155)

From what you are saying, it sounds like you think that only a SHA hash of some biometric information that doesn't change could be the way to identify someone.

Re:Lame (1)

pHatidic (163975) | more than 8 years ago | (#12580632)

Yes indeed, you caught me. Of course I am a little biased because my startup revolves around this.

Re:Lame (2, Interesting)

iabervon (1971) | more than 8 years ago | (#12580191)

There is no feasible way of identifying a unique person presently. Fortunately, few entities care (one is the IRS, which wants to prevent individuals from splitting their income and lowering their tax brackets; another is law enforcement, which doesn't want people to be able to start over with a new identity).

For most things, the only thing that matters is that the site can determine that some entity that claims to have been there before is back. Identity
is about telling that things are the same, not about telling that things are different.

will this work? (2, Insightful)

millahtime (710421) | more than 8 years ago | (#12579788)

So, if it's open it's good but if it's M$ it's evil with regards to single sign-on? Aren't there a lot of other considerations with regard to security and single sign-on? Such as one login gets you into bank accounts, and pretty much everything else.

If you really want this use something like keychain (on a mac) but in general one password to control them all isn't such a good idea.

Re:will this work? (2, Informative)

Doctor Crumb (737936) | more than 8 years ago | (#12579923)

If you had RTFA, you would know that this is not a Single Signon. It is a Set Of Single Signons. You can have as many identities as you want. The difference is that without something like this, you are forced to have one identity per site, or one Passport ID. With an openID implementation, you can have any number of accounts as fit your needs. One potentially useful scheme is to have one signon for blogs and news sites, and then individual identities for each bank/etc.

yes but (2, Interesting)

zxnos (813588) | more than 8 years ago | (#12579798)

If anyone can set up a server to authenticate, does that mean they can access my information? Or track my movements? I am thinking of abuses.

Re:yes but (1)

millahtime (710421) | more than 8 years ago | (#12579816)

or track my movements

they could track your movements and sell that info to marketing companies in the same way that credit card companies do that.

Suddenly.... (0)

Anonymous Coward | more than 8 years ago | (#12579801)

Suddenly single-signon, long viewed by the open source community as evil because of numerous reasons, becomes the darling of the open source world.

Here's a clue. Novell has already mastered single-signon and federated identity management. They've had it for a few years now.

Re:Suddenly.... (2, Interesting)

Fox_1 (128616) | more than 8 years ago | (#12579951)

I worked as an outside vendor with an internal part of novell (a few hundred people maybe) that built a beautiful SSO system - linux based and accessed novell software components better than the novell software. The solution was supposed to be for ASP's (application service providers - something from the bubble days) and allow them to link products from multiple vendors together so not only could it manage websites, but other network applications (even if they are hosted on someone else's network the other side of the continent like my company's). It wasn't an open product, and the day before we were to go live (even had a contract that would have made it profitable from day 1) Novell laid off 10,000 people across the company to save money (the bubble was just starting to burst). Among that 10K were my poor SSO friends, and of course 6 months of work on my part was wasted too.

Re:Suddenly.... (0)

Anonymous Coward | more than 8 years ago | (#12580228)

ASP's (application service providers - something from the bubble days)

What ARE you talking about? I work for an ASP, and I sure don't feel like I live in a bubble, you insensitive clod!

Seriously though, our profits have steadily grown since the dot.com era - that in itself says a lot. Furthermore, it's the ease of use that ASPs provide that makes them helpful, since an authenticated user can access the application from any web browser.

Hmmm.... (1)

absolutemeg (883355) | more than 8 years ago | (#12579834)

It just seems smarter not to put all my eggs in one basket, as it were, and not have everything I do tied to one username and password. I think a variety of logins makes my information more secure, and makes me more apt to remember to sign out of things, and not leave myself vulnerable to having my IDs compromised. But I'm not a true techie, so maybe there's some amazing aspect of this I'm missing out on.

But, for the record, I hate Passport with a passion, and I also hate having to sign in to comment on blogs or journals.

Re:Hmmm.... (0)

Anonymous Coward | more than 8 years ago | (#12579902)

It doesn't make sense, catch my info once and access all of my credit card accounts, bank accounts and pRon? I don't think so.

I hate boards with rules. http://www.therandirhodesshow.com/randirhodes/messageboards/index.php?act=boardrules [therandirhodesshow.com] what happened to free speech Randy?

Re:Hmmm.... (1)

jim_v2000 (818799) | more than 8 years ago | (#12580064)

I think a variety of logins makes my information more secure

I'm just pondering, but I think that you would also have to consider that for a person to use your password, they would have to know the sites that you have logins for, and also they would have to know that you use the same password for everything. I suppose that's not too far out that they would suspect you use the same password, but it would be more difficult to figure out the websites you visit/have logins for.

Re:Hmmm.... (1)

absolutemeg (883355) | more than 8 years ago | (#12580163)

Most people who lack any grasp of web security or technical knowledge tend to use the same logins for everything, which I suppose is what would make this a popular thing. But I like to mix it up, for sure. And I don't think it would be all that hard for someone to trace what sites I was on through a few quick searches...someone with some know-how. If I was a person interesting enough to do that with :).

If you only did have one login, though -- as this program would ideally suggest you do -- they'd only need to figure out one password to have access to everything, right? Which makes it, I suppose, no different from people who use the same login for everything.

But I like not being one of those people :).

Re:Hmmm.... (1)

Suppafly (179830) | more than 8 years ago | (#12580129)

so maybe there's some amazing aspect of this I'm missing out on

There is. Comparing OpenID to Passport is comparing apples and oranges, they work differently and have different purposes.

Good Luck With That! (1)

Spencerian (465343) | more than 8 years ago | (#12579861)

In the business world, directory services are dominantly Microsoft's Active Directory, which is essentially a variant of LDAP, which is common in other operating systems. If this thing can't link up or mate to existing directory services, they're screwed. Very, very few companies will want to have to redo their entire directory service just for the fun of it. AD uses Kerberos to handle things, so it's not like there's not a possibility of linking Linux or other boxes to an AD tree in some capacity--if an AD plug-in or process is available.

Not to mention that MS makes it worthwhile to move by allowing SSO functionality not only with their products but through support of third parties. This thing is bush-league in terms of what it can really do for folks now. Not that I wish them ill, but the winds of change are tornadic when you deal with the MS juggernaut. Metaphorically, you can't just offer a better butter like these guys, but you have to offer a better bread, how to bake it, steps on making your own butter, and new flavors. You have to offer a complete solution as well as a complete, hassle-free, and justifiable means to move to your product. I know it's Open Source, but simply being "free" isn't enough incentive.

Hell, even Apple offers support for Active Directory in their OS.

Re:Good Luck With That! (1)

awb131 (159522) | more than 8 years ago | (#12579936)

There is, in fact, such a way to hook up linux boxen to an active directory server. Samba's pam_auth_winbind is working like a charm on my Fedora FC3 box; it maps DOMAIN\user to the unix user "domain_user", auto-creates your home directory, you can use your AD login to check mail, etc.

Fortunately for those AD users... (0)

Anonymous Coward | more than 8 years ago | (#12579996)

Novell has provided a superior solution. Novell's directory is not only superior to Active Directory in almost every way, it also has the ability to provide universal single signon. It does this via federated identity management and has been available for several years and has proven to be more reliable and secure than any Passport solution.

Also, for those that already suffer under Active Directory and do not wish to rip and replace their directory infrastructure, Novell provides the tools to let eDirectory manage Active Directory and synchronize directory changes between the two.

Similar to what you stated, but better, Novell's eDirectory allows for easy integration of all systems including Linux, Mac OS all, Solaris, Windows, AIX and more. eDirectory is fully accessible via standards based LDAP and does not suffer from proprietary Kerberos extensions that impede cross platform integration.

Yes, we authenticate our Apache servers against AD (1)

wsanders (114993) | more than 8 years ago | (#12580245)

Inexplicably, AD seems to interoperate with other Kerberoses. In my current contract at a Generic Huge Financial Services Company we authenticate our Apache servers (internal, htaccess-type auth) running on Linux against AD. No reason why we could not add our Solaris and Linux login authentication to that.

I do not administer the AD boxes, those guys are on a different continent, so I don't know what kind of kludges those guys had to go through to get this to work. But in view of the recent Scott McNealy - Steve Ballmer kiss-fest over Solaris-Microsoft interoperability, yes it isn't much of a stretch anymore.

This is On Topic because I agree with the original poster - any SSO has got to work with AD to be successful.

Re:Yes, we authenticate our Apache servers against (1)

Colin Smith (2679) | more than 8 years ago | (#12580565)

It's fairly easy for Unix boxes to authenticate against AD. The reverse is not true for Windows machines.

"any SSO has got to work with AD to be successful"

Not true. The Internet and Intranet are entirely different environments. One is controlled and usually managed centrally, the other is uncontrolled and managed in a distributed fashion. A solution which is appropriate for one may not be appropriate for the other.

NEEDED (1, Insightful)

Anonymous Coward | more than 8 years ago | (#12579863)

I am not disputing the value of anonymity, but ID services that are open and free are needed. Otherwise these services will gravitate towards Yahoo, Google, MSN etc. Make your choice, free or them.

How is it going to stay "single" (1)

m50d (797211) | more than 8 years ago | (#12579909)

when everyone can run a server? I can see this being used for signin across multiple websites run by the same company, but not much else. You certainly won't have a single pervasive ID.

Single signature sign-on (4, Interesting)

0xABADC0DA (867955) | more than 8 years ago | (#12579934)

What I want is a system where I go to a site requiring a login and it asks my browser to sign some data with my private key. During the account creation I send the server my public key and that's that -- no need for a password and the login could be done automatically using cookies or something. Then there is no need for a single sign-on provider and nobody can globally revoke my account at all sites.

You could still have an 'id provider' that could sign the data on your behalf if you are in an internet cafe for instance, but it would not be required by design. So in 'kiosk mode' the browser could just forward signature requests to the authority after you logged into it (which could even be your home computer).

This should be pretty easy to do as a firefox plug-in.

Re:Single signature sign-on (2, Informative)

scaldef (704048) | more than 8 years ago | (#12580461)

The problem with this is that really security conscious sites (like your bank) won't go for it. The reason is precisely the bit you put in italics. Financial institutions want, as much as possible, to authenticate actual people, not computer programs.

Re:Single signature sign-on (1)

0xABADC0DA (867955) | more than 8 years ago | (#12580490)

I'm not trying to get more karma, but there are other advantages that I thought of:

Firefox could have an 'identity manager' that stores your public/private keys along with the name, address, phone, etc for that key. Then for a "fox-id" enabled site FF can automatically insert that data into the appropriate fields; the user would still have the ability to edit/delete individual data before sending it. So from a user perspective it could be a simple one-click "Use this id" drop down selecting the id to send. Most users would just use one id because they don't care about their info being private, but savvy people could still create a different id per site or just different levels.

Companies don't like relying on anything external that could go down and impact their business, so they would take to a system where for most users there is no 3rd party -- all interactions would be between their site and the user's browser. Companies also like to have real information, so sites that really care could cross-check your public key against some authority (ie ask VISA if your public key matches your credit card info). Most sites would still allow anonymous access, but ones that cared like online shops could validate your info for cheap and so would reduce fraud -- you could no longer buy just by stealing somebody's credit card number, you would also need their private key and personal info.

Also sites could just include the user's login in the URL as the login, so going to slashdot.org/~0xABADC0DA would automatically log me in but nobody else because only I have my private key.

Of course there are downsides, like companies that buy your public key and info so they can put your name on the page even the first time you visit, but this could be managed by needing to add trusted sites in your browser config (like for cookies). It would also let companies tie together all your purchases even across keys based on matching the names, addresses, etc. But this already happens, so what's the difference?

Re:Single signature sign-on (1)

Elwood P Dowd (16933) | more than 8 years ago | (#12580590)

You could get some of the benefits of such a system by hosting your own OpenID server.

It sounds like the features of OpenID are bound up in the features of FOAF, so I think the alternative you are describing is more of a tradeoff than a plain improvement.

Maybe OpenID could be designed so that ID providers are not necessary if you handle your own key pair, but it wouldn't be all as simple as you put it.

Re:Single signature sign-on (2, Insightful)

cr4p (883824) | more than 8 years ago | (#12580596)

What I want is a system where I go to a site requiring a login and it asks my browser to sign some data with my private key. During the account creation I send the server my public key and that's that -- no need for a password and the login could be done automatically using cookies or something. Then there is no need for a single sign-on provider and nobody can globally revoke my account at all sites.
Interesting... That sounds a lot like what client-side SSL certificates can already do in most web browsers that support SSL. I haven't heard of any sites making much use of client-side SSL certificates, though.

Already have single sign-on (0, Flamebait)

Dangero (870946) | more than 8 years ago | (#12579948)

I already have a working single signon. It's called Windows XP login, using IE with autocomplete turned on you never have to enter any passwords online. IE works better than Firefox; as unpopular as that is to say around here. I just can't subscribe to all the Microsoft Bashing.

Re:Already have single sign-on (1)

iGN97 (83927) | more than 8 years ago | (#12580429)

I just can't subscribe to all the Microsoft Bashing.

Maybe if MS Outlook worked better, your subscription mail to the MS bashing list would be delivered successfully.

Liberty Alliance anyone (1)

hal9000(jr) (316943) | more than 8 years ago | (#12579969)

Any reason to think this will be more widely adopted than liberty alliance initiatives?

The reason I ask is that the technology is a walk in the park compared to the much more difficult problem of trusting an external system to authenticate for you.

Re:Liberty Alliance anyone (1)

cpuh0g (839926) | more than 8 years ago | (#12580467)

No. It will almost certainly not be adopted by Liberty alliance. LI already has a ton of standards and protocols (open) that they use, I seriously doubt they would change at this point.

LID (2, Informative)

ibku (735269) | more than 8 years ago | (#12580002)

http://lid.netmesh.org/ [netmesh.org] - I've heard good things about LID, and it supports SSO.

Finally! (1)

El_Servas (672868) | more than 8 years ago | (#12580003)

I hope it works with AdultPass sites too.... it's a nuisance to have to remember all those IDs...

Bad idea (0, Flamebait)

77Punker (673758) | more than 8 years ago | (#12580030)

Throwing one password around to control everything?
That's a fine example of putting all the eggs into one basket.

Count me out.

Re:Bad idea (2, Informative)

Suppafly (179830) | more than 8 years ago | (#12580314)

See what happens when you don't read the article, you end up not understanding what it's about and then you make stupid comments.

Anyone (1)

varmittang (849469) | more than 8 years ago | (#12580036)

Did I read that right, that anyone can run one of these OpenID Servers? So now I can set up a server and have everyone's passwords and usernames filter into it. I'm not too sure about this.

Re:Anyone (1)

Suppafly (179830) | more than 8 years ago | (#12580192)

So now I can setup a server and have everyone's passwords and usernames filter into it.

No, read the article and try to understand it before commenting.

Re:Anyone (1)

varmittang (849469) | more than 8 years ago | (#12580542)

Ok, so when I sign up for a blog I get the chance to post elsewhere with sites that support OpenID. What if I get a free blog, and after some time, they make me pay. How am I supposed to take my OpenID with me?

And what keeps me from making a blog site and using OpenID. When someone posts to my site, what keeps me from getting their password, because OpenID is passing info on the person that wants to post to my site in the background. What prevents this service from becoming the next fishing ground for personal information?
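For the question above about what the posting site actually gets handed: below is an added example, written for this page and not Danga's reference code, of the OpenID 1.x signed assertion with both sides shown in Go. The identity server redirects the browser back to the relying party with the asserted identity and an HMAC-SHA1 over the signed fields; the relying party checks the signature with the association secret it shares with that server. The secret, the assoc_handle, the URLs and the nonce are constructed for the example; in the real protocol the secret is negotiated between the two servers beforehand, and the consumer also has to make sure the nonce it put in return_to is accepted only once.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// macKey stands in for the association secret the relying party and the
// identity server share (negotiated out of band in the real protocol).
// Constructed for this example; never hard-code one in practice.
var macKey = []byte("example-association-secret-0123456789")

// signedFields are the fields the identity server covers with its signature,
// in the order it lists them in openid.signed.
var signedFields = []string{"mode", "identity", "return_to"}

// tokenContents serialises the signed fields as "key:value\n" lines, in the
// order given by openid.signed; this is the string the HMAC is computed over.
func tokenContents(p url.Values, signed []string) string {
	var b strings.Builder
	for _, k := range signed {
		fmt.Fprintf(&b, "%s:%s\n", k, p.Get("openid."+k))
	}
	return b.String()
}

// sign returns base64(HMAC-SHA1(key, contents)).
func sign(key []byte, contents string) string {
	mac := hmac.New(sha1.New, key)
	mac.Write([]byte(contents))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// identityServerResponse is the server side. After the user has logged in at
// their own identity server, it redirects the browser to return_to carrying
// these fields. The relying party sees only this signed assertion; the
// user's password never leaves the identity server.
func identityServerResponse(identity, returnTo string, key []byte) url.Values {
	p := url.Values{}
	p.Set("openid.mode", "id_res")
	p.Set("openid.identity", identity)
	p.Set("openid.return_to", returnTo)
	p.Set("openid.assoc_handle", "assoc-1") // hypothetical handle naming the shared key
	p.Set("openid.signed", strings.Join(signedFields, ","))
	p.Set("openid.sig", sign(key, tokenContents(p, signedFields)))
	return p
}

// relyingPartyVerify is the consumer side. It parses the query string the
// browser came back with, checks that every field it relies on is actually
// covered by the signature, checks return_to is the URL this site issued (so
// an assertion minted for another site is rejected), then recomputes the HMAC
// with the shared key and compares it in constant time.
func relyingPartyVerify(query, expectedReturnTo string, key []byte) (string, error) {
	p, err := url.ParseQuery(query)
	if err != nil {
		return "", err
	}
	if p.Get("openid.mode") != "id_res" {
		return "", errors.New("not an id_res assertion")
	}
	signed := strings.Split(p.Get("openid.signed"), ",")
	for _, must := range []string{"mode", "identity", "return_to"} {
		if !contains(signed, must) {
			return "", fmt.Errorf("required field %q is not signed", must)
		}
	}
	if p.Get("openid.return_to") != expectedReturnTo {
		return "", errors.New("return_to does not match the URL we issued")
	}
	want := sign(key, tokenContents(p, signed))
	if !hmac.Equal([]byte(want), []byte(p.Get("openid.sig"))) {
		return "", errors.New("signature does not verify")
	}
	return p.Get("openid.identity"), nil
}

func contains(xs []string, s string) bool {
	for _, x := range xs {
		if x == s {
			return true
		}
	}
	return false
}

func main() {
	returnTo := "https://rp.example/openid/finish?nonce=7f3a9c" // constructed
	resp := identityServerResponse("https://alice.example/", returnTo, macKey)
	fmt.Println("redirect query:", resp.Encode())
	id, err := relyingPartyVerify(resp.Encode(), returnTo, macKey)
	fmt.Println("verified identity:", id, "err:", err)

	// Anyone who rewrites the asserted identity in transit fails verification.
	resp.Set("openid.identity", "https://mallory.example/")
	_, err = relyingPartyVerify(resp.Encode(), returnTo, macKey)
	fmt.Println("tampered identity:", err)
}
```

A site that runs its own OpenID server for its own blog users therefore learns nothing about the credentials of a visitor whose identity lives on another server: it holds a shared secret with that other server, receives the redirect above, and either the HMAC checks out or it does not.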

Embrace, Enhance, Proprietarize (is that a word?) (0)

Anonymous Coward | more than 8 years ago | (#12580090)

How many want to bet if this takes off, Microsoft will EEP it (Embrace, Enhance, Proprietarize) and turn it into a closed "standard" and force it onto the Windows-addicted populace (which at the moment is a large percentage of desktop users)?

Already forgot about the Liberty Alliance spec? (1)

KrisWithAK (32865) | more than 8 years ago | (#12580101)

This is yet another attempt at a SSO solution. It is not too hard to come up with a rough design for one. The main problem is getting a significant number of sites to use the same one. Otherwise, what is the use? Marketing/advocacy is needed for that.

Although I admit I have not tried it out yet, have people already forgotten about the Liberty Alliance Project [projectliberty.org] ? There already exists an open source implementation, SourceID [sourceid.org] . Why not contribute effort to working with that library? Or if you must have the enjoyment of writing your own implementation, why not at least try to be interoperable with an existing spec?

Wanted: One problem. Already have solution. (1)

pla (258480) | more than 8 years ago | (#12580123)

Passport didn't fail for lack of Microsoft's trying, or even all that much on (lack of) technical merits (it had flaws, no argument there, but for the most part it did work acceptably well).

It failed because, on the corporate side, no one wanted to hand Microsoft another monopoly, over the "electronic identification" market - Thus, really only Microsoft-run sites and a handful of "partners" accepted it. On the personal side, those who actually care about such issues abhorred the idea of having a single, non-anonymous identity, and those with only a little bit of a clue liked it but worried about how Microsoft would treat their information (while the masses of lemmings out there use the same password for any website that asks, their ATM pin, and their email, so didn't have a problem keeping track of all those nasty passwords in the first place).

And what do we have with this new system, that will make it any better?

Companies might use it, but they'll each want to run their own server, making it no more useful than just having 200 accounts spread across as many websites, as we have now. Those who really understand all this still won't want to use anything that doesn't guarantee total anonymity, and those with a partial clue will still worry about who can do what with their info. And, of course, the lemmings will just see it as one more request for their ATM pin number, but otherwise won't notice the difference.


We need decent MS office import filters. We need a solution to spam. We need a cure for cancer. We need new games that don't suck. Please, people, if you code in your spare time, STOP WASTING TIME SOLVING NON-PROBLEMS!

Why not just use Shibboleth and Pubcookie? (1, Informative)

Anonymous Coward | more than 8 years ago | (#12580160)

This is a problem that already has a solution in production. Using pubcookie [pubcookie.org] for the single sign on, and Shibboleth [internet2.edu] for the distributed trust relationships.

Public key authentication (1)

irc.goatse.cx troll (593289) | more than 8 years ago | (#12580202)

I didn't RTFA, but ever since Passport came out I wondered why they would want to auth to a remote server when you could just auth to your key, then have your browser act as an agent (or forward to ssh-agent) and let the remote host auth via pubkey, the exact way that works securely and easily for ssh.

The way my X11 is setup now all I have to do is startx, enter my password in ssh-askpass, then I can freely ssh to any server I want without entering a password. I can also ssh from there to another server, still passwordless, still based on my original authed key.
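The browser-holds-the-key scheme proposed in the "Single signature sign-on" thread above and in this ssh-style comment, as an added example that is not from either poster: a challenge-response login over Ed25519 using only the Go standard library. Two details are my additions rather than anything the posts spell out, and both matter: the server issues a fresh random nonce for every attempt (otherwise a captured signature can be replayed), and the site name is bound into the bytes that get signed (otherwise a phishing page could collect a signature and present it to the real site). The account, site and key material are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server is the site side. At account creation it stores only the public key;
// no password is ever sent or stored. Outstanding challenges are tracked so
// each can be answered exactly once.
type Server struct {
	site       string                       // origin bound into every signed message
	accounts   map[string]ed25519.PublicKey // username -> public key
	challenges map[string]string            // hex(nonce) -> username it was issued to
}

func NewServer(site string) *Server {
	return &Server{
		site:       site,
		accounts:   map[string]ed25519.PublicKey{},
		challenges: map[string]string{},
	}
}

// Register records the user's public key (the "send the server my public key" step).
func (s *Server) Register(user string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	s.accounts[user] = pub
	return nil
}

// Challenge issues a fresh random nonce for one login attempt. Signing a
// server-chosen nonce instead of fixed data is what defeats replay.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.accounts[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[hex.EncodeToString(nonce)] = user
	return nonce, nil
}

// loginMessage is the exact byte string the browser signs: a fixed prefix, the
// site name and the nonce, so a signature obtained by one site is useless at another.
func loginMessage(site string, nonce []byte) []byte {
	return append([]byte("login\x00"+site+"\x00"), nonce...)
}

// Login consumes the challenge and verifies the signature against the stored key.
func (s *Server) Login(user string, nonce, sig []byte) error {
	key := hex.EncodeToString(nonce)
	owner, ok := s.challenges[key]
	if !ok || owner != user {
		return errors.New("unknown, expired or already-used challenge")
	}
	delete(s.challenges, key) // one shot, whether or not verification succeeds
	pub, ok := s.accounts[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(pub, loginMessage(s.site, nonce), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Browser is the client side: it holds the private key and signs challenges
// for the site the user is actually visiting.
type Browser struct {
	priv ed25519.PrivateKey
}

// NewBrowser generates a key pair; the public half is what gets registered.
func NewBrowser() (Browser, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	return Browser{priv: priv}, pub, err
}

func (b Browser) Sign(site string, nonce []byte) []byte {
	return ed25519.Sign(b.priv, loginMessage(site, nonce))
}

func main() {
	alice, pub, err := NewBrowser()
	if err != nil {
		panic(err)
	}
	shop := NewServer("shop.example") // constructed site name
	_ = shop.Register("alice", pub)
	nonce, _ := shop.Challenge("alice")
	fmt.Println("first login:", shop.Login("alice", nonce, alice.Sign("shop.example", nonce)))
	fmt.Println("replayed login:", shop.Login("alice", nonce, alice.Sign("shop.example", nonce)))
}
```

The kiosk-mode variant from the thread drops in without changing the server: Browser.Sign would forward the site name and nonce to the user's home machine or chosen provider and return whatever signature comes back, and the server still sees only a signature over a message naming itself.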

Why not just use SAML? (2, Insightful)

ProgressiveCynic (624271) | more than 8 years ago | (#12580209)

This problem is best solved using standards, not by supplying a new software platform. SAML, Shibboleth, and Liberty have all been around quite a while, fill this need quite nicely and a number of different implementations of each protocol exist, including FOSS and commercial options. Features like pseudonyms and selective information sharing are already there. Why do we need another way to do this?

Why Hasn't SAML Been Adopted? (2, Interesting)

Vagary (21383) | more than 8 years ago | (#12580616)

For whatever reason (could someone wager a guess?) SAML has not been widely adopted (and don't try to argue this point). Maybe this will rectify whatever deficiency SAML has? Or maybe the project is just to create a widely-usable SAML authentication authority?

Defeating security... (1)

Darkon06 (714661) | more than 8 years ago | (#12580236)

Doesn't this make it THAT much easier for a break in, or identity-theft? Now if tons of sites and companies support this, hackers only need to break through ONE barrier to steal your identity. In general, anything that makes the user's experience easier also makes it less secure. But that's just my .02

One password for each system (1)

xv4n (639231) | more than 8 years ago | (#12580348)

I prefer one password for each system I sign in. That's The Right Thing.

Would you like to have one single key to open any door, lock, car or locker you have?

Single sign-on.... What's that? too lazy to memorize a bunch of passwords?

distributed != decentralized (3, Insightful)

PureFiction (10256) | more than 8 years ago | (#12580371)

Yadis is correctly described as distributed single sign on, not decentralized single sign on. Everyone still has their dedicated central identity server, it's just that requests from other sites can be delegated to your server instead of requiring only one for everybody.

distributed != decentralized!
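What the delegation described above looks like on the wire, as an added example written for this page rather than taken from the OpenID site: the relying party fetches the HTML at the claimed identity URL and reads two link tags, openid.server (where to send the user) and openid.delegate (which identity that server knows the user as). Only the head is consulted, hrefs are resolved against the claimed URL, and anything that is not http(s) is ignored. The sample page is constructed; the relying party then redirects to the server with the delegate as openid.identity and, on return, maps it back to the claimed URL it was discovered from.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Endpoints is what a relying party learns from the claimed identity URL's HTML.
type Endpoints struct {
	Server   string // identity server to redirect the user to
	Delegate string // identity the server knows the user by; defaults to the claimed URL
}

var (
	headEndRE = regexp.MustCompile(`(?i)</head\s*>`)
	linkTagRE = regexp.MustCompile(`(?i)<link\b[^>]*>`)
	attrRE    = regexp.MustCompile(`(?i)([a-z][a-z0-9_:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))`)
)

// attrs extracts name="value" pairs from one tag; names are lower-cased.
func attrs(tag string) map[string]string {
	out := map[string]string{}
	for _, m := range attrRE.FindAllStringSubmatch(tag, -1) {
		out[strings.ToLower(m[1])] = m[2] + m[3] + m[4] // exactly one alternative matched
	}
	return out
}

// hasRel reports whether a space-separated rel attribute contains want.
func hasRel(rel, want string) bool {
	for _, tok := range strings.Fields(rel) {
		if strings.EqualFold(tok, want) {
			return true
		}
	}
	return false
}

// Discover parses the page served at claimedID and returns the identity
// server and delegate. Only <head> counts, so user-authored body content
// (comments, signatures) cannot redirect the login to an attacker's server.
func Discover(claimedID, page string) (Endpoints, error) {
	base, err := url.Parse(claimedID)
	if err != nil {
		return Endpoints{}, err
	}
	if loc := headEndRE.FindStringIndex(page); loc != nil {
		page = page[:loc[0]]
	}
	ep := Endpoints{Delegate: claimedID}
	for _, tag := range linkTagRE.FindAllString(page, -1) {
		a := attrs(tag)
		href, ok := a["href"]
		if !ok {
			continue
		}
		u, err := base.Parse(href) // resolves relative hrefs against the claimed URL
		if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
			continue
		}
		switch {
		case hasRel(a["rel"], "openid.server"):
			ep.Server = u.String()
		case hasRel(a["rel"], "openid.delegate"):
			ep.Delegate = u.String()
		}
	}
	if ep.Server == "" {
		return Endpoints{}, errors.New("no openid.server link in <head>")
	}
	return ep, nil
}

// sampleHTML is a constructed identity page: a user hosts it at their own URL
// but delegates authentication to an identity server run by someone else.
const sampleHTML = `<html><head>
<title>Alice</title>
<link rel="openid.server" href="https://idserver.example/openid">
<link rel='openid.delegate' href='https://idserver.example/user/alice'>
</head><body>
<p>Comment left by a visitor:</p>
<link rel="openid.server" href="https://attacker.example/">
</body></html>`

func main() {
	ep, err := Discover("https://alice.example/", sampleHTML)
	fmt.Printf("%+v %v\n", ep, err)
}
```

This is the mechanism behind "anyone can run one": the user controls the URL and therefore which server the two link tags name, and can repoint them at a different server later without changing the identity URL other sites know them by.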

Single signon vs same password (1)

FooBarWidget (556006) | more than 8 years ago | (#12580417)

Can anyone tell me what the single signon hype is all about? How is single signon any different than using the same password for multiple websites?

Why are they calling this identity? (2, Insightful)

Daedala (819156) | more than 8 years ago | (#12580440)

I like this quite a bit. However, I think it's suffering from the same problem most people have with the term identity on the Internet -- binding.

"Identity," formally, means who you are -- the unique person with your identity. I'm not going to write my real name here, but that's my identity. No one else is me: my identity is bound to me, even if there are people with the same name.

"Identity," colloquially, means "that person I know." You may not know me by my name. You know me by "daedala." That's my handle. I always post here as daedala, so that's my consistent presence on slashdot (and my journal, and my email, and most other places I post...).

It's pretty difficult to establish a unique identity, bound to an individual, on the Internet. People screw this up all the time. It's not nearly as difficult to establish a consistent handle. From my review of this system, what it's doing is the latter.

So really, they should be calling it OpenHandle.

Brad is pissed!! (0)

Anonymous Coward | more than 8 years ago | (#12580455)

Brad at LJ [slashdot.org] LOL

Identity can be decentralized, authenticity can't (2, Insightful)

Omniver (856159) | more than 8 years ago | (#12580493)

Authentication (username - password/tokencode/biometric/whatever) is generally the first step to establish a digital identity. This requires some trusted source to be able to judge if the credentials are sufficient to establish the identity.

From my quick reading, OpenID doesn't try to do this and leaves this up to the "identity provider" which can be a centralized service or even my own home system. OpenID is more concerned with mapping whatever identity the user chooses to use consistently across the sites they visit.

This makes sense for sites that care more about consistently mapping a user to an ID, but don't really care who the user is (like Slashdot), but makes absolutely no sense for any site that actually needs to know something about its users (banking, commercial, etc.) Until such time that there is a commercially trusted source of identity (yah right), sites that perform any type of regulated or high-risk activity will have the responsibility of identifying their own users or federating with other entities that they trust backed with legal/liability agreements.

IMO: This is doomed to blogspace and sites where liability is not an issue. If you're serious about SSO, look to SAML.

Multiple networks... (1)

argent (18001) | more than 8 years ago | (#12580585)

This makes sense for sites that care more about consistently mapping a user to an ID, but don't really care who the user is

Since sites like that have a real problem with identifying people so they can sanction spammers without making it too hard for regular joes to participate, this is a valuable tool. If it can be used more widely that's a bonus... and you have already suggested one way it COULD be used more widely:

sites that perform any type of regulated or high-risk activity will have the responsibility of identifying their own users or federating with other entities that they trust backed with legal/liability agreements.

This is just an answer to EZboard single signon (1)

Animats (122034) | more than 8 years ago | (#12580551)

This is just LiveJournal's answer to EZboard's single signon. You can register for any EZboard blog, and reuse the registration information with other EZboard blogs. It's centralized, but it's a feature that LiveJournal and its affiliates don't have. Google and Yahoo also have common sign-ons across their various services. So the LiveJournal people had to do something to keep up.

It's not helpful for e-commerce, corporate intranets, campus-level signons, online banking, or spam prevention.

kerberos? (1)

FranTaylor (164577) | more than 8 years ago | (#12580560)

How is this different from Kerberos? Why not just use kerberos?