
The Case for OpenID

Zonk posted more than 7 years ago | from the halt-and-identify-yourself dept.

Security 229

An anonymous reader writes "VeriSign and NetMesh are making the case for OpenID, the grass-roots, decentralized digital identity system already supported by LiveJournal, Six Apart, Technorati, VeriSign and many startups, reportedly growing 5% every single week. They say OpenID 'is fundamentally different from other identity technologies' because it is a 'fully decentralized system' and has a 'much lighter cost structure' than any alternative, like Microsoft Passport, CardSpace or Liberty Alliance. Time to remove username and password from your site and add OpenID libraries instead, so visitors can authenticate with their blog URL?" From the article: "If tomorrow, for example, you decide you don't like the Diffie-Hellman cryptographic key exchange at the root of OpenID authentication, you can develop your own way of authenticating, and deploy it within the OpenID framework. If you have an idea for a new identity-related service that nobody else ever thought of, you can deploy it into the OpenID framework as soon as your code is ready. This radical decentralization on all levels of the stack, both technically and organizationally, is a very strong catalyst for attracting innovators and their innovations. This makes OpenID a superior choice for identity-related innovation."


so it will be OpenID to bind them (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17112202)


one password to root them all !

all these integrated ID schemes (MS passport etc) are good in theory but for a vital flaw, the bad guys only need to get your single password and from then on they have access to _all_ your "openID" websites
much better to have multiple passwords however hard it may be to remember them

Re:so it will be OpenID to bind them (1)

Rastignac (1014569) | more than 7 years ago | (#17112216)

So, all of your OpenID are belong to the bad guys. ;)

Re:so it will be OpenID to bind them (3, Funny)

BoberFett (127537) | more than 7 years ago | (#17112554)

Multiple passwords? Are you saying I shouldn't use the same password at my bank that I use on bustybabes.com?

Re:so it will be OpenID to bind them (1)

justinchudgar (922219) | more than 7 years ago | (#17113110)

I didn't know you could encode ILUVTITS in 4 digits... Wow.

Re:so it will be OpenID to bind them (1)

BarkLouder (916884) | more than 7 years ago | (#17113848)

Multiple passwords? Are you saying I shouldn't use the same password at my bank that I use on bustybabes.com?

Not if you bank at bustybabes.com

It increases security (1)

seweso (842331) | more than 7 years ago | (#17112816)

Yes, giving out personal information on every page you want to comment on is much better. Don't use it for important sites. It's that simple.

It would also be nice if wikipedia would activate OpenID.

Re:so it will be OpenID to bind them (4, Informative)

semifamous (231316) | more than 7 years ago | (#17113862)

So then change your password daily.

Or, you know, since it's OpenID and you have complete control over the server, have it set up in such a way that only your IP address can see the password in plain text when you want to log in.

Here's how it works:
You go to a site that uses OpenID. You enter the address of your site to authenticate. You are then redirected to your own website to authenticate (unless you're already logged in.) At this point, the server you set up should ask you if you really want to trust this other site with your identity. You can trust it once and post your new comment, or trust it always if you plan on posting frequently and have that info saved on your server somewhere. Or you can change your mind and not trust it at all.

If you want to implement a password system that nobody can ever figure out, then have it automatically generated and maybe sent to you via email every day in some encrypted format that only you can figure out.

You smell! (1, Funny)

LiquidCoooled (634315) | more than 7 years ago | (#17112210)

The article is right, I don't like the Diffie-Hellman cryptographic key exchange, it smells.
I propose the slashdot implementation of the cryptographic key exchange should involve double rot-13.

Re:You smell! (1, Funny)

spellraiser (764337) | more than 7 years ago | (#17112238)

Are you crazy?

Double rot-13 is vulnerable to a man-in-the-middle attack. Triple rot-13 is the way to go.

Re:You smell! (1)

Grey Ninja (739021) | more than 7 years ago | (#17112260)

Maybe I'm just exhausted from writing code all night, but I am currently sitting here a giggling wreck after reading your post. The idea of double Rot-13ing something is just too funny.

Re:You smell! (2, Funny)

eis271828 (842849) | more than 7 years ago | (#17112306)

I'm sorry, I couldn't read your post. Would you mind decrypting it? This truly is a remarkable method.

Re:You smell! (1)

91degrees (207121) | more than 7 years ago | (#17112524)

It's a fairly weak cypher. You can do it with pen and paper given a little patience. Replace a with a, b with b and so on... (Wrapping around at z, of course). Then it all becomes clear.

Re:You smell! (2, Funny)

jZnat (793348) | more than 7 years ago | (#17113850)

As with all things, this can be solved with a small Perl script:

perl -pe 'y/[A-Za-z]/[A-Za-z]/'

Re:You smell! (1)

denominateur (194939) | more than 7 years ago | (#17112576)

What if your alphabet has more than 26 characters? hah!

Re:You smell! (1)

Neil Hodges (960909) | more than 7 years ago | (#17112932)

Then just do a rot-(charcount()/2).

No way! (4, Insightful)

Anonymous Coward | more than 7 years ago | (#17112228)

Time to remove username and password from your site and add OpenID libraries instead, so visitors can authenticate with their blog URL?

Urgh, no way! I do not want all my identities to be tied together through one system. My actions on one site should in no way, shape or form be able to be tied in with what I do on other sites. Compartmentalizing my online life is the best remaining way to retain a modicum of privacy and stave off easy identity theft.

Any website switching to openID exclusively will lose my business. (Of course, if they offer it in addition to a standalone u/p, I'm fine with that, although I do fear that once it gets enough momentum, the standalone u/p will disappear after all.) :/

Re:No way! (OK, Setup several IDs) (4, Informative)

G4from128k (686170) | more than 7 years ago | (#17112322)

Any website switching to openID exclusively will lose my business

There's no need to abandon a place just because they use openID. Why not set up multiple IDs with different user names, passwords, and email addresses? (I assume that's possible under OpenID?).

I agree that a single collection of IDs (all-eggs-one-basket) represents a dangerous single point of failure. But just because someone implements a new potentially better basket doesn't mean you have to put all your eggs in that basket or avoid using sites that use that type of basket.

Re:No way! (OK, Setup several IDs) (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17112530)

If I have to set up several IDs, then why use OpenID in the first place?

This will never fly.

Re:No way! (OK, Setup several IDs) (1)

letxa2000 (215841) | more than 7 years ago | (#17113236)

Actually, it probably will. Most people don't care enough about security. If you don't care about security, these central password systems are great ideas.

Re:No way! (OK, Setup several IDs) (0)

Anonymous Coward | more than 7 years ago | (#17112540)

Why not set up multiple IDs with different user names, passwords, and email addresses?
They'd still have - on one server - my (changing, but unique enough) ip-address and user_agent string to tie these identities together (okay, so having to worry about that might be slightly paranoid, but frankly, I'm not willing to bet that that paranoia won't be justified at any point during my life). And the alternative, to have different openIDs from different openID providers with different usernames and passwords for different sites is, ehm, shall we say slightly worse than the current situation?

Re:No way! (4, Interesting)

mmurphy000 (556983) | more than 7 years ago | (#17112382)

There's been discussion of OpenID providers offering aliases, so you could have a number of distinct "IDs" you mix-and-match with, but they're all validated by an OpenID provider. I don't think the spec says one way or another regarding this; it would be a feature of whichever OpenID provider you used for your identity.

Re:No way! (0)

Anonymous Coward | more than 7 years ago | (#17112436)

There's been discussion of OpenID providers offering aliases
It'd still be a single OpenID provider. I'm perfectly happy with each site having their own little incompatible registration system, and them not only not knowing that the me on one site is the me on another site, but also not knowing which me-s there are altogether, and on which specific sites those me-s are being used.

Re:No way! (4, Interesting)

Blakey Rat (99501) | more than 7 years ago | (#17112404)

Well, I'm not you and I'm damned sick of having to keep a long-ass list of usernames and passwords for sites I really don't care much about. If I have to register to post a comment on some blog, I don't really care if someone steals that registration or password because I'm not likely to ever visit that blog again. If I could use a single ID to avoid registering at different sites 4 days a week, I'm all for it.

The second point is that nobody's holding a gun to your head and forcing you to use it. If you don't like it, just create a new password for each site anyway. It doesn't prevent that.

(Sidenote: Stop requiring registration for moronic things! I don't want to give you any personal information to post in a damned blog!)

(Also, why do all these misguided technophobe posts always get modded up first? I thought this was a site for technology enthusiasts.)

Re:No way! (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17112700)

Well, I'm not you and I'm damned sick of having to keep a long-ass list of usernames and passwords for sites I really don't care much about.

The problem is, it won't be only sites you don't care about using it. And where it'll start off as being offered in addition, once it'll have enough users, it's very conceivable that it'll be the only option. Do you really want your registration for eBay, Amazon, the communist party website, your Christian youth club forum and this bondage fetish site that you frequent to be tied together?

I might be a technology enthusiast, but I'm a lot more enthusiastic about having - and keeping - some privacy. I'm not ashamed of anything I do, but I also know that "live and let live" isn't really human nature. Just because technology makes something possible doesn't mean it's a good idea to actually do it.

Re:No way! (4, Insightful)

Silverstrike (170889) | more than 7 years ago | (#17112892)

That's not the point.

As the GP said, you CAN make multiple identities. For example, make a "blog-posting" account, and use it to Authenticate to all the blogs in which you want to post. Use it to login to other "annoyance" login websites.

Then make a separate one for your bank, your credit cards, etc.

The beauty of this system is that it's a superclass of the current model -- it has all the capabilities of the established model, plus some more functionality.

Actually, no problem! (2, Funny)

Anonymous Coward | more than 7 years ago | (#17113946)

Do you really want your registration for eBay, Amazon, the communist party website, your Christian youth club forum and this bondage fetish site that you frequent to be tied together?

Actually, this is probably not a problem! Presumably, if you're into bondage, you don't mind things being tied together...

Re:No way! (1)

sverrehu (22545) | more than 7 years ago | (#17112830)

(Also, why do all these misguided technophobe posts always get modded up first? I thought this was a site for technology enthusiasts.)

I'm sure all of them will be extremely enthusiastic about my new uber-cool, super high tech suicide machine.

Re:No way! (2, Funny)

DuckDuckBOOM! (535473) | more than 7 years ago | (#17113628)

I'm sure all of them will be extremely enthusiastic about my new uber-cool, super high tech suicide machine.
As long as it runs on Linux.

Re:No way! (3, Interesting)

Not_Wiggins (686627) | more than 7 years ago | (#17113074)

Well, I'm not you and I'm damned sick of having to keep a long-ass list of usernames and passwords for sites I really don't care much about.

Then try an approach that I've found incredibly useful... use generated site passwords along with address extensions!

First, for passwords, you only need to remember *1* and have the following javascript (which runs client side) from this most excellent site:
GenPass. [zarate.org]

Next, look into using address extensions (ala what are available via postfix) and define unique addresses per each site you visit (most that I visit have adopted the email address as the username).
For those not familiar with address extensions, you get a base user id within your email system that you're allowed to dynamically apply an extension to and it'll still get delivered to your base box. So, if you're "sam@abc.com" with an extension, the address "sam+slashdot@abc.com" will still deliver to your base mailbox.

Then it is trivial to figure out which site leaked your address for spam as well as start blocking a particular address (either by using procmail or a combination of postfix with an SMTP proxy such as smtpprox [latency.net]).

And while we need the tech savvy of the world setting up the mailserver side of things for our less tech-interested friends (I've done this for friends and family and host mail for them), it simplifies by effectively making it easier to manage multiple identities instead of depending on a bastion one.

Re:No way! (1)

Daemonic (575884) | more than 7 years ago | (#17113840)

So, if you're "sam@abc.com" with an extension, the address "sam+slashdot@abc.com" will still deliver to your base mailbox.

Then it is trivial to figure out which site leaked your address for spam

Surely that only holds for as long as it takes address harvesters to figure out the need to delete the portion of the address from the + to just before the @?
It might work for you now, but it's doomed I tell you - doomed.

Re:No way! (1)

James Shend (1035872) | more than 7 years ago | (#17113286)

(Also, why do all these misguided technophobe posts always get modded up first? I thought this was a site for technology enthusiasts.)
Hey I agree! Everybody is perfectly safe on the internet, identity theft only happens to noobs!

Way! (2, Insightful)

PopeRatzo (965947) | more than 7 years ago | (#17113730)

It is possible, you know, for a technology enthusiast to have some understanding of the fact that most people who use the internet are NOT technology "enthusiasts" (your term).

Expecting actual humans to remember a host of usernames and passwords just to be able to participate in online discussions and shop for a book is not acceptable. Why can't techies get it through their heads that user friendliness is an important part of elegant software design? Security people seem to have the hardest time with this concept.

On the flip side, I don't expect my car, my house, my office and my bicycle all to be unlocked with the same key, so the notion that one U/P combo should take care of all internet security needs is silly. But that doesn't mean that I should have to actually type in my key every time I want to use a secure site.

In the middle of the 20th century, there was a revolution in industrial design. People like Raymond Loewy taught the world that manufactured goods can be made much better by putting some thought into the way people use them and look at them. Something similar has to happen to the world of digital tools in a big way. It's not enough to make it look pretty. It has to WORK pretty, too.

Everyone has an experience with software where the design was so good that it was a revelation. Mine was with Logic Audio Platinum, by emagic. I'd been doing digital music for a long time, using Pro Tools, Cubase, etc, mostly on PCs. When I first sat down with LAP on a Mac, I immediately noticed that everything was easier. Less fatigue. Every tool seemed to simply be there when I needed it. If I clicked on something, the thing that happened was what I expected to happen.

If you are a software engineer and you don't think this same concept applies to the area of software security, you aren't doing your job right.

Re:No way! (1)

husey (1000259) | more than 7 years ago | (#17112814)

I do not want all my identities to be tied together through one system.
Exactly: Damn these OpenID people. Keeping track of all my Wikipedia sockpuppets would become a nightmare :(

Re:No way! (1)

BokLM (550487) | more than 7 years ago | (#17113040)

Well, just because you can doesn't mean you have to. You can use one OpenId for all the sites you visit, but you can create one for one web site (there's no limit on the number of OpenIds you can have).

By the way, do you use the same password on all the websites you visit? If so, if someone can steal your password (the owner of one of those websites can, for example), then he can log into all the accounts that you use with the same password. With an OpenID you only have to remember one password, and there's no way that the owner of a website can steal your password. The only person you have to trust for not stealing your password is the owner of the OpenID server (which can be you), not the owners of all the websites you visit.

Re:No way! (1)

Cruise_WD (410599) | more than 7 years ago | (#17113266)

Some info direct from the spec that might alleviate some of the paranoia:


So, to use www.example.com as their Identifier, but have Consumers actually verify http://exampleuser.livejournal.com/ [livejournal.com] with the Identity Provider located at http://www.livejournal.com/openid/server.bml [livejournal.com] , they'd add the following tags to the HEAD section of the HTML document returned when fetching their Identifier URL.

Now, when a Consumer sees that, it'll talk to http://www.livejournal.com/openid/server.bml [livejournal.com] and ask if the End User is exampleuser.livejournal.com, never mentioning www.example.com anywhere on the wire.


It's therefore very easy to have different identifying servers, with different IDs, and they don't have to know about each other. All an OpenID authentication does is confirm you "own" the URL you provide - it can be any URL you own, and it can be any server that knows you own it.

Further:
How the End User authenticates to their Identity Provider is outside of the scope of OpenID Authentication.


Certificates, a finger-print scanner hooked up to a web-accessible machine on your local network, whatever. Doesn't matter. This is a much wider scope, and much more flexible system than a centralised username/password system like passport.
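The delegation lookup described in the comment above, as an added example that is not part of the thread or of any OpenID library: a consumer-side parser for the OpenID 1.x `openid.server` and `openid.delegate` link tags that only honours tags found in the page HEAD. The class and function names and the sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

WANTED_RELS = ("openid.server", "openid.delegate")


class HeadLinkParser(HTMLParser):
    """Collect OpenID <link> tags, but only while inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.finished = False   # set once </head> or <body> has been seen
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if self.finished:
            return
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            # Anything from here on may be visitor-supplied (comments, posts).
            self.finished = True
        elif tag == "link" and self.in_head:
            attr = dict(attrs)
            href = attr.get("href")
            for rel in (attr.get("rel") or "").lower().split():
                # First occurrence wins; later duplicates are ignored.
                if rel in WANTED_RELS and href and rel not in self.links:
                    self.links[rel] = href

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False
            self.finished = True


def discover(claimed_url, html):
    """Return the server to contact and the identity to ask it about."""
    parser = HeadLinkParser()
    parser.feed(html)
    parser.close()
    server = parser.links.get("openid.server")
    if server is None or urlparse(server).scheme not in ("http", "https"):
        raise ValueError("no usable openid.server link in HEAD")
    return {
        "claimed": claimed_url,
        "server": server,
        # With a delegate tag the consumer verifies the delegate URL, not
        # the URL the user typed; without one they are the same.
        "verify": parser.links.get("openid.delegate", claimed_url),
    }


# Constructed sample: the page owner's tags sit in HEAD, and a visitor
# comment in BODY carries a look-alike tag that must be ignored.
SAMPLE_PAGE = """<html><head><title>Example</title>
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://exampleuser.livejournal.com/">
</head><body>
<p>Comment: <link rel="openid.server" href="http://other.example/server"></p>
</body></html>"""

# Constructed sample: no tags in HEAD at all, only one in BODY.
BODY_ONLY_PAGE = """<html><head><title>Blog</title></head><body>
<link rel="openid.server" href="http://other.example/server">
</body></html>"""

if __name__ == "__main__":
    print(discover("http://www.example.com/", SAMPLE_PAGE))
```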

I've always liked the IDEA of OpenID (3, Insightful)

lidocaineus (661282) | more than 7 years ago | (#17112234)

...but there's no real easy server implementation on Linux (or any other OS) that doesn't require you to do a decent amount of interfacing with the libraries. In other words, if you have time, it works great (ie, your employer wants you to work on an OpenID implementation project). If you just want to host some IDs on your personal box, there's no easy drop-in server software, or even reference software; my non-coder friends can't even begin to use it. I mean even Jabber has jabberd that you can build on.

Anyway I'm sure that'll change in the future, but it'd be nice to have now. Or maybe I'm completely blind and there's a reference server implementation hanging around somewhere?

Re:I've always liked the IDEA of OpenID (1)

EnglishTim (9662) | more than 7 years ago | (#17112888)

There is a very simple PHP-based server that I came across a while ago, although it's pretty much a minimal implementation.

Irritatingly, I can't find it now, though...

i never liked the IDEA of OpenID (1)

slashkitty (21637) | more than 7 years ago | (#17113598)

My non coder friends can't even register! You have to alter the HEAD portion of an HTML document that you own to authenticate yourself. People with just a myspace page can't do that!

Re:I've always liked the IDEA of OpenID (1)

micampe (903048) | more than 7 years ago | (#17113968)

PIP [verisignlabs.com] is quite complete.

5% weekly growth (5, Funny)

Mr. Underbridge (666784) | more than 7 years ago | (#17112236)

reportedly growing 5% every single week.

Translation: last week the install base consisted of his algebra class. This week he installed it on his mom's computer. Next week he's going to grandma's house and he'll install it there too.

WOW (2, Funny)

giorgiofr (887762) | more than 7 years ago | (#17112242)

Now if they only leverage their know-how and implement top-of-the-line solutions thanks to their synergies, they'll be buzzword 1.0 compliant, too! I can't wait!

Can't be too complicated (3, Insightful)

a_nonamiss (743253) | more than 7 years ago | (#17112258)

It's all well and good that I can write my own implementation of Diffie-Hellman key exchange, but if my mother can't go to a site and quickly and easily create a login, it's not going to work. I'm not at all saying it's a bad idea. Technically, it's a wonderful idea, but it has to be made so simple that anyone can access it, otherwise people are going to continue to use stupid services like Microsoft Passport.

Re:Can't be too complicated (1)

mmurphy000 (556983) | more than 7 years ago | (#17112426)

For many people, I suspect they will get an OpenID as a side-effect of joining some specific service of interest. For example, IIRC, LiveJournal IDs can be used as OpenIDs. So, people who joined LiveJournal to blog get, as a benefit, an OpenID they can use elsewhere (e.g., commenting on other blogs). So, in the case of your mother, she might well wind up with an OpenID from an existing service that converts to OpenID as a provider -- for example, it would be fairly easy for Yahoo or Google to offer OpenIDs for their existing account services.

Re:Can't be too complicated (1)

oliverthered (187439) | more than 7 years ago | (#17112756)

who needs Microsoft Passport when there's Card space [netfx3.com] . I wonder if anyone is ever going to implement card space, even microsoft!

Complexity can be hidden, but there are costs. (2, Insightful)

Kadin2048 (468275) | more than 7 years ago | (#17112876)

I think the other respondent hit the nail on the head.

Most people (aka, 'your mom') won't know that they're using an OpenID at all. Instead, they'll probably just think of it as the ID of whatever service provides the OpenID authentication. So LiveJournal or whatever, but potentially in the future a more mainstream provider like Yahoo. I'd expect that sites which used OpenID and catered to a non-technical audience might even disguise the fact that it's OpenID (instead, "Sign in with your LiveJournal ID here!").

To a user, logging in with an OpenID should be just as seamless as logging in using their Microsoft Passport or Yahoo ID, except that it would work at more sites. There's no reason for the backend infrastructure to be exposed to a casual user. One of the criteria for success of any authentication system ought to be transparency and ease of use. If it doesn't offer that, it's a failed system by virtue of irrelevance.

As I was writing, a thought came to mind. These OpenID/cross-site-ID systems seem like they'd be a huge avenue for phishing attacks. How do you prevent someone from setting up a blog, and putting a Login field on it ("Sign in to comment with your LiveJournal/Bloglines/WhateverID!") and just harvest people's L/Ps as they're entered? Maybe I'm missing something about the system but if all the libraries for authentication and communication with the OpenID user's authenticator (whoever is 'vouching' for the OpenID user, e.g. LiveJournal) are done on the server, then the server has to be trusted with the user's OpenID username and password, or at least it would look like that to the user. It seems like there might have to be quite a bit of interface design and user education to keep people from blindly typing a master password into untrusted forms that would result in their whole identity being taken by a spammer.

Re:Complexity can be hidden, but there are costs. (3, Informative)

semifamous (231316) | more than 7 years ago | (#17113612)

The username and password is not entered on that site. It's entered on your own personal site.

I've got a Wordpress blog for which I found an OpenID plugin. I can go to Livejournal and give it my blog address. It then sends me to my site which asks me "Do you want to trust this site with your identity?" You can trust it once, trust it always, or not at all.
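The redirect flow described in this reply and in the earlier "Here's how it works" comment, as an added example that is not part of the thread: the consuming site builds an OpenID 1.x `checkid_setup` redirect that carries no credentials, then checks the HMAC-SHA1 signature on the `id_res` answer that comes back. All URLs, the association handle and the MAC key are constructed values, the function names are hypothetical, and the association is assumed to have been set up earlier.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Policy of this example: these fields must be covered by the signature.
MUST_BE_SIGNED = {"identity", "return_to"}


def query_fields(url):
    """Decode the query string of a URL into a dict."""
    return dict(parse_qsl(urlsplit(url).query))


def _with_query(base, params):
    sep = "&" if urlsplit(base).query else "?"
    return base + sep + urlencode(params)


def checkid_setup_url(server, identity, return_to, trust_root, assoc_handle):
    """Consumer side: where to send the browser. No password field exists."""
    return _with_query(server, {
        "openid.mode": "checkid_setup",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
        "openid.assoc_handle": assoc_handle,
    })


def sign(fields, signed, mac_key):
    """HMAC-SHA1 over 'name:value\\n' lines for each signed field, base64."""
    text = "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed)
    digest = hmac.new(mac_key, text.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def provider_id_res(identity, return_to, assoc_handle, mac_key):
    """Identity server side, after the user logged in there and chose to
    trust the consumer: redirect back with a signed assertion."""
    fields = {
        "openid.mode": "id_res",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.assoc_handle": assoc_handle,
    }
    signed = ["mode", "identity", "return_to"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = sign(fields, signed, mac_key)
    return _with_query(return_to, fields)


def verify_id_res(callback_url, identity, return_to, assoc_handle, mac_key):
    """Consumer side: accept the login only if the assertion checks out."""
    fields = query_fields(callback_url)
    if fields.get("openid.mode") != "id_res":
        return False
    if fields.get("openid.assoc_handle") != assoc_handle:
        return False
    signed = fields.get("openid.signed", "").split(",")
    if not MUST_BE_SIGNED.issubset(signed):
        return False          # identity or return_to left unsigned
    try:
        expected = sign(fields, signed, mac_key)
    except KeyError:
        return False          # signed list names a field that is absent
    if not hmac.compare_digest(expected, fields.get("openid.sig", "")):
        return False
    return (fields["openid.identity"] == identity
            and fields["openid.return_to"] == return_to)


# Constructed demo values.
SERVER = "http://alice.example/openid/server"
IDENTITY = "http://alice.example/"
RETURN_TO = "http://consumer.example/openid/return"
TRUST_ROOT = "http://consumer.example/"
HANDLE = "demo-handle-1"
MAC_KEY = b"constructed-demo-mac-key"

if __name__ == "__main__":
    print(checkid_setup_url(SERVER, IDENTITY, RETURN_TO, TRUST_ROOT, HANDLE))
    answer = provider_id_res(IDENTITY, RETURN_TO, HANDLE, MAC_KEY)
    print(verify_id_res(answer, IDENTITY, RETURN_TO, HANDLE, MAC_KEY))
```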

OT complaint about “ID”. (-1, Offtopic)

Lethyos (408045) | more than 7 years ago | (#17112262)

Why do people insist on abbreviating the word “identification” as “ID”? It is not an acronym but rather a shortened form of the word. Big difference. The proper abbreviation is all lowercase as “id” (or you capitalize only the first letter as necessary, such as if it starts a sentence).

(No need to remind me that we often pronounce it as “eye-dee”. I think that is a side effect of the incorrect form commonly in use.)

Re:OT complaint about “ID”. (1, Funny)

Anonymous Coward | more than 7 years ago | (#17112396)

Same reason people type PIN numbers into ATM machines. We simply don't care.

Those are correct. (0, Offtopic)

Lethyos (408045) | more than 7 years ago | (#17112560)

“PIN” is “personal identification number” and “ATM” is “automatic teller machine”. These are acronyms and correctly capitalized. However, I know that people would certainly find it weird if they saw “avenue” abbreviated as “AVE” or “January” shortened to “JAN”.

Re:Those are correct. (1, Funny)

grahams (5366) | more than 7 years ago | (#17112762)

He said PIN Number (Personal Identification Number Number) and ATM Machine (Automatic Teller Machine Machine).

Not as good as the Windows WDM Driver Model.

Re:Those are correct. (1)

pyite (140350) | more than 7 years ago | (#17113158)

Not as good as the Windows WDM Driver Model.

Everyone should know that WDM stands for Wavelength Division Multiplexing. Anything else is just silly.

Re:OT complaint about “ID”. (1)

eis271828 (842849) | more than 7 years ago | (#17112402)

I think the primary reason we capitalize ID is to distinguish it from the id, ego, and superego. Flashing your id to get through an airport security station will likely land you in jail, or at least result in a sexual harassment allegation. Showing your ID will get you right through. Besides, grammar is evolving.

Re:OT complaint about “ID”. (0)

Anonymous Coward | more than 7 years ago | (#17112474)

Regardless of whether it's an acronym or an abbreviation, it's customary to capitalize all letters if it's a word you say by pronouncing the letters rather than the word. Not capitalizing all letters implies that you simply pronounce it as a word, as in "laser." That's why it's OK to go to a Larp and show your scuba license as a form of ID.

Re:OT complaint about “ID”. (0)

Anonymous Coward | more than 7 years ago | (#17112558)

But what if you live in OK (Oklahoma)?
I guess they still spell it Okay!

Re:OT complaint about “ID”. (0, Offtopic)

Lethyos (408045) | more than 7 years ago | (#17112660)

That's why it's OK to go to a Larp and show your scuba license as a form of ID.

I agree with “OK” since it is an acronym for orl korrect. Otherwise, why is it alright to remove proper case from “Larp” and “scuba” but not write “NASA” as “Nasa”?

i suppose ITS ok to Just ignore proper capitalizatioN in english Today.

Re:OT complaint about “ID”. (1)

DeQuincey (221531) | more than 7 years ago | (#17112906)

Hey, you forgot LASER! *pew* *pew* *pew*

It's not about blatantly ignoring proper capitalization. It's all about usage. For example, scuba and laser have been promoted to word-like status. Many people don't even know that they're actually acronyms. As these acronyms become used more often, they tend to be used like words, hence why many of them lose their proper case. You can probably add fubar to that list.

As someone has already explained, we probably capitalize ID (the abrv.) to distinguish it from the id (ego).

Re:OT complaint about “ID”. (1)

ionFreeman (783795) | more than 7 years ago | (#17113358)

There's some disagreement about the origin of OK. I think Woodrow Wilson used to say 'okeh' was from an Indian word.

Re:OT complaint about “ID”. (0, Offtopic)

Mr2cents (323101) | more than 7 years ago | (#17112518)

Why do people insist on abbreviating the word "identification" as "ID"?
I have no ID...

OT: a real pedant knows it's an acronym (1)

brokeninside (34168) | more than 7 years ago | (#17112640)

First, pretty much every modern dictionary (Merriam-Webster, American Heritage, Random House, etc.) lists the word as ID. I'd check the OED too but my library card is expired and I can't log into the OED online anymore.

Second, an acronym is ``a word formed from the initial letters or groups of letters of words in a set phrase or series of words''. Consider RADAR. RAdio Detecting And Ranging. If ID were a contraction of identifier it would be spelled id' not ID.

Lastly, whether acronyms are all upper case or not is entirely a matter of convention. ID is typically always upper case to avoid confusion with the Freudian term id.

Re:OT complaint about “ID”. (0)

Anonymous Coward | more than 7 years ago | (#17112754)

Why do people insist on abbreviating the word "identification" as "ID". It is not an acronym but rather a shortened form of the word.

Actually, it's both. In the case of OpenID, you are right, it's just a short form of "identification". But in most cases, "ID" is an initialism that stands for "Identification Document" - you know, like passports, drivers licenses, etc.

Re:OT complaint about “ID”. (1)

Lethyos (408045) | more than 7 years ago | (#17113032)

Thank you, that pretty much nails it for me.

Re:OT complaint about “ID”. (1)

hey! (33014) | more than 7 years ago | (#17113324)

You know, up until this point I've always had a moment of doubt when choosing between camel case names for a method like getUserID/getUserId. Your post has tipped the balance in favor of "getUserID".

After all, I wouldn't want anybody to think that "getUserId" returns the part of the user's psyche responsible for ego-gratification behavior.

OpenID is great in theory (3, Interesting)

pHatidic (163975) | more than 7 years ago | (#17112314)

So has anyone else noticed it seems like there is nothing new happening in the Internet in the last couple months? Well actually there is interesting stuff happening, it's just that Reddit and Digg have been taken over by spammers so you'd never know it otherwise. The thing is the more eyeballs a certain website has the more temptation there is to cause mischief, so a website can never go above a certain quality threshold without an identity system to ban trouble makers. Both Reddit and Digg have hit this threshold, so it will be impossible to get better news without a system like this.

The problem though is that OpenID is currently just a framework. There is no way to prevent people from making 100 accounts, which is still the problem. Once we have a way of making sure each person only has one account, even if we don't know who that person is and can't identify them in any way, then and only then will social software be able to break through this quality barrier that it is currently capped at. I wrote about one way of doing this here [alexkrupp.com], and there are other ways. Hopefully within the next ten years we can have this problem solved, to enable the next generation of web apps that aren't even possible today.

Not the problem OpenID is trying to solve (0)

Anonymous Coward | more than 7 years ago | (#17112442)

But OpenID isn't supposed to be a system that uniquely identifies a person on the internet. It's a system to provide multi-site logins without a large central repository.

It's more useful to allow people to do things like make comments on many blogs (LJ, MySpace, DeadJournal, Blogger, whatever) using one blog account so that all their comments are tied together and to the one site they update. If they want to have multiple accounts they still can, and that's kinda the point. It's the same way I have a /. account (which I'm not bothering to log into right now), a k5 account, an LJ account, two AIM accounts, etc. But with OpenID, I could just pick one and log into everything with it.

Maybe later someone else will solve the problem you're describing. SixApart just wanted to let people comment on LiveJournals without an account on their site. And they found a way. It's pretty smart.

Re:OpenID is great in theory (0)

Anonymous Coward | more than 7 years ago | (#17112460)


In what way would not the 'social software quality' be replicated by mandating every internet user in a country to publicise their name?

The one point that springs to mind falls flat:

1. Someone can keep their identity hidden and write unpopular things and not suffer from it in real life - no they cannot, because a system where the same login is used on hundreds of sites will invariably lead to traceable identities.

2. But can they not simply avoid giving up their identity to any of these sites? No they cannot - anyone who wants to function normally in a western society today has to use the internet for a very large number of tasks and are forced to give their true identity on several of them. 'Breaking the link' between identity and person is therefore impossible.

There are, of course, several arguments for having every internet user's name be public, but so far it hasn't been voted for in many countries.

Re:OpenID is great in theory (3, Insightful)

Elyas (59360) | more than 7 years ago | (#17112478)

Actually, that's really only true if you go about it by trying to "find" the bad users.

If you want, instead, to look for good, legitimate users with regular usage patterns, the only thing you need is the data and a single sign-on distributed across the systems. You make it easy to get a bad reputation, and hard to get a good one, just like real life. Then voting systems can more heavily favour the consistently useful users, etc.

Finding the bad guys is whackamole, and useless :)

Re:OpenID is great in theory (1)

rhythmx (744978) | more than 7 years ago | (#17112662)

The problem though is that OpenID is currently just a framework. There is no way to prevent people from making 100 accounts, which is still the problem. Once we have a way of making sure each person only has one account, even if we don't know who that person is and can't identify them in any way, then and only then will social software be able to break through this quality barrier that it is currently capped at.

Actually, I think the ability to make many disconnected accounts would be a great feature for maintaining the end-user's security. I'm already peeved about the need for all sorts of my data to be sitting around in hundreds of online applications... The last thing I want to see is some sort of "global foreign key" linking all that data together.

Re:OpenID is great in theory (1)

Jesus_666 (702802) | more than 7 years ago | (#17112984)

I'll be rooting for the people who break it. Among the things I like most about the internet are anonymity and the ability to shut off accounts from each other, thus I'll keep trying to maintain them, even if these very virtues make the net less professional.

Re:OpenID is great in theory (2, Informative)

IL-CSIXTY4 (801087) | more than 7 years ago | (#17113086)

There is no way to prevent people from making 100 accounts, which is still the problem

Actually, that's something I see as a feature. Some people have facets of their lives that they don't want tied to and searchable by their "public" OpenID. Having multiple OpenIDs allows one to keep their private and work lives separate, for example.

Now, one person having 100 accounts that they use to troll message boards...that's a problem best solved with a reputation system, and OpenID's creators make it clear on their site that this is not a trust or reputation system. It's also not about having a centralized profile (FOAF addresses this). OpenID is just about having a consistent ID between sites.

Flexibility is dangerous with crypto (1)

adonoman (624929) | more than 7 years ago | (#17112344)

And more so with authentication. I don't want someone to be authenticating me using the new-fangled system they wrote during a drunken craze last weekend, when they had some flash of insight that led them to believe that Diffie-Hellman is a load of crock, and is much less secure than their "guess-a-number-between-one-and-ten" system.

Re:Flexibility is dangerous with crypto (1)

semifamous (231316) | more than 7 years ago | (#17113712)

Authentication is handled by the server, not by the site you're posting on.

You type in a website address and you're sent there to authenticate. You don't type a username and password. You type your blog/livejournal/whatever-OpenID-server-you-have URL.

More hyperbolic statistics (2, Insightful)

Toby The Economist (811138) | more than 7 years ago | (#17112374)

> reportedly growing 5% every single week

And WTF does that actually MEAN?

It superficially appears to assert that the number of people using OpenID is growing each week by 5%.

Is this the number of people *actively* using OpenID, or the total number of ALL users ever, e.g. including those by people who've used it once and then walked away?

Is this the total number of people across ALL OpenID service providers? This seems unlikely, since someone would have had to have done the work of collating all the stats from all those providers.

If it is then just a sampling of providers, how was the sample chosen? is it representative? or was it opportunistic, e.g. those OpenID service providers who are loudest about OpenID and so could be expected to tend to be those who see the largest growth rate in users?

Also, 5% each week sustained actually means an ever increasing absolute number of users, since it's 5% of an ever larger user base. When your user base is 100 people, 5% is five new people, which isn't hard to sustain on a week in, week out basis. So what is this 5% - which could be completely inaccurate anyway, since we've no idea of the sample it's based on - 5% *of*?

Re:More hyperbolic statistics (0)

Anonymous Coward | more than 7 years ago | (#17113650)

"It superficially appears to assert that the number of people using OpenID is growing each week by 5%.

Is this the number of people *actively* using OpenID, or the total number of ALL users ever, e.g. including those by people who've used it once and then walked away?

Is this the total number of people across ALL OpenID service providers? This seems unlikely, since someone would have had to have done the work of collating all the stats from all those providers.

If it is then just a sampling of providers, how was the sample chosen? is it representative? or was it opportunistic, e.g. those OpenID service providers who are loudest about OpenID and so could be expected to tend to be those who see the largest growth rate in users?

Also, 5% each week sustained actually means an ever increasing absolute number of users, since it's 5% of an ever larger user base. When your user base is 100 people, 5% is five new people, which isn't hard to sustain on a week in, week out basis. So what is this 5% - which could be completely inaccurate anyway, since we've no idea of the sample it's based on - 5% *of*?"

Yes.

idea for a new identity-related service? (1)

aadvancedGIR (959466) | more than 7 years ago | (#17112438)

Can I write an app that automatically collects the credit card number of any subscriber of that service who is visiting my site (just to check they are 18, of course)? In other words, can anyone do whatever he wants with the data, or is there good protection?

Re:idea for a new identity-related service? (1)

GuyWithLag (621929) | more than 7 years ago | (#17112852)

Nope, you can't. The users need (at least for the first time they visit your site) to type their OpenID address to your site, they will then get redirected to *their* OpenID provider site to verify what data should be made available to your site. Oh, and AFAIK no one uses OpenID for CC info...

A Concern (1)

DaMattster (977781) | more than 7 years ago | (#17112550)

What if there is a rogue OpenID provider? What if someone sets up their own OpenID system to leave fake authenticated comments on a blog? I wonder why the OpenID project has not considered this.

Re:A Concern (1)

IL-CSIXTY4 (801087) | more than 7 years ago | (#17113176)

Rogue OpenID providers are dealt with by configuring your OpenID consumer not to trust that server anymore.

See "what about spam?" on the OpenID project's About OpenID [openid.net] page.

What are real problems in identity? (1)

us7892 (655683) | more than 7 years ago | (#17112608)

From the article:
Entrepreneurs and intrapreneurs, for whom OpenID provides a fertile ground for innovation, such as:

- reputation services, which help both end users and site operators and represent a major business opportunity in itself;
- open social networks that are not confined to a single vendor's site;
- more secure, efficient and accountable messaging systems that one day could replace the protocols that e-mail runs on.

Some have told us they consider the OpenID community to lack a clear process or structure, to not solve the "real" problems in identity (yet?), or to be only applicable for low-end problems. They are probably right; however, we think of it as the early days of Internet-scale innovation in action, where these characteristics are desirable, not detrimental.


What are the "real" problems? I'd like to hear what the author sees as the real problems in identity. I guess, at the end of the day, it would be easier to remember one username and password. I often use the same username and password on multiple sites anyway. But it seems like this leaves me vulnerable to identity theft. Then again, I don't enter my "real identity" information on non-critical sites anyway. So, this is probably about as useful as MS Passport...

Re:What are real problems in identity? (1)

Spookticus (985296) | more than 7 years ago | (#17112764)

Well, if you was a Jedi you could completely bypass this whole system. When you go to the site and it asks you for your ID, all you have to say is "You don't need to see my identification" and wave your hand in front of your monitor.

Re:What are real problems in identity? (1)

hey! (33014) | more than 7 years ago | (#17113422)


What are the "real" problems?


Easy. All the special cases of "How do I make money with this?" to start with.

No matter how good the system, that's going to be the limiting factor in vendor support at the outset.

On the right track - id should be portable. (1)

Rocketship Underpant (804162) | more than 7 years ago | (#17112768)

The president of Sxip made some good points about personal identification and how it should work online, even if Sxip's implementation isn't perfect.

In the real world, we have organizations that create forms of ID, and other organizations that need to identify us. I have a birth certificate, a library card, a passport, and a credit card, for example. These all certify certain personal details about myself, and they don't all cover the same details. What's also important is that they're portable, they're secure to varying degrees (i.e. hard to duplicate or modify), and I control who sees them.

In the real world, I can use these IDs with third parties, removing the necessity for those parties to create their own IDs. A video rental store, needing to confirm my name is what I say it is, can decide it trusts the issuer of my birth certificate (the province of BC) or the issuer of my credit card (Citibank), and will thus accept those cards as proof of my identity in lieu of having to create its own identity system. A liquor store that ids customers won't care what my name is, but they might want to verify my picture and birthdate; there are several identity issuers they'll trust, and I can show cards from any one of them so long as it has the right information. Thanks to portable identity, the liquor store also has no need to maintain its own identity database.

So why can't digital identity work this way? I already have established, verified, trusted identities at several online institutions -- eBay, Amazon, Slashdot, my bank, etc. So when I go to a new website that needs to verify my identity -- an online store, a message board, whatever -- there should be no need to create yet another new identity. I should have some digital way to flash my eBay credentials, or my Amazon credentials, or credentials from any source that website chooses to trust. They should be able to create an account for me and everything, letting me log in with the credentials I already use elsewhere, just like the brick-and-mortar video store that lets me rent videos by showing my driver's license. An ideal digital identity would be portable just like the kind I carry in my wallet, except my control over it would involve password protection instead of physical possession.

There should be no need to create yet another catch-all ID system like OpenID. The dozen or so identities I already have should become portable, so I don't have to keep making more.

Overly complicated (5, Funny)

cortana (588495) | more than 7 years ago | (#17112828)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenID seems rather complex. There are already decentralised systems for authenticating a user's identity. But, if it gains momentum I would be happy to use it. One thing I can't work out is how I can create an identity. I have my own domain name and web site; I don't want to rely on Livejournal or another third party to maintain the notion of my identity.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFdYQlshl/216gEHgRAk00AJwLvCf xLrtlKGDHcrIp7jidODlrTQCgqCPx
czXJO4lwp5Znr+A7sSr rPJA=
=MeMH
-----END PGP SIGNATURE-----

Re:Overly complicated (1)

tom taylor (610506) | more than 7 years ago | (#17113660)

You can set up a page, directory or subdomain of your personal site to forward onto an OpenID server that you've got an account with. If you want to switch server, just change the forwarding details and the sites using your OpenID don't notice a thing.

More info available at: http://www.openidenabled.com/openid/use-your-own-url-as-an-openid/ [openidenabled.com]

I've been working with OpenID (0)

Anonymous Coward | more than 7 years ago | (#17112834)

It's a great new system. Just turn around, pull down your pants, bend over, take a picture.

Or just allow your email address to be a username (1)

xxxJonBoyxxx (565205) | more than 7 years ago | (#17112880)

My personal frustration is sites that don't let you use an email address as a username; an email address is pretty easy to remember.

If you're really worried about a low-security "single sign on" solution (which this article seems to suggest), why not just leverage one of the many cookie schemes advertisers use to track you all over the net? (The end result is the same.)

Spam IS a problem for site owners! What to do? (1)

feepcreature (623518) | more than 7 years ago | (#17112944)

Once this system is widely used, and spammers begin to register OpenIDs in huge numbers, how will site owners prevent spammy registrations?

With their own registration system, site owners can add features that make spammy registrations difficult (I'm getting 10 or so daily spammy registrations). Blindly trusting OpenIDs and allowing them into a site, or giving them posting rights would be crazy. So what are the options for countering spam? Can you add extra checks and validation? User verification? Black/white/grey lists?

I know the OpenID folk say "this is not a trust system" and that is not the problem they are trying to solve. But it needs to be solved for it to be widely useful!

If it isn't solved we have a one-stop-shop for spammer IDs. If we "solve" it badly, it's nearly as bad as running your own registration system (from a site owner's viewpoint) or registering all over again (from a user's perspective).

Re:Spam IS a problem for site owners! What to do? (1)

Prof.Phreak (584152) | more than 7 years ago | (#17113496)

I'd imagine you can ask for some CAPTCHA along with the URL.

Re:Spam IS a problem for site owners! What to do? (1)

larko (665714) | more than 7 years ago | (#17113676)

There's nothing in the description that would stop you from using those visual recognition techniques ("what letters do you see in this noisy field?") or any other further authentication. You could require an OpenID AND a local password that would be stored on your server if you wanted (though this extreme example would defeat the point entirely).

Re:Spam IS a problem for site owners! What to do? (1)

Jerf (17166) | more than 7 years ago | (#17113802)

I know the OpenID folk say "this is not a trust system" and that is not the problem they are trying to solve. But it needs to be solved for it to be widely useful!

How do you propose that we solve the trust problem, without an identity solution to hang it off of?

You know, it's acceptable to solve one problem at a time. It's how real engineering is done. Try to solve this entire thorny problem in one fell swoop and you get Microsoft Passport.

Frameworks aren't all they're cracked up to be (1)

Twylite (234238) | more than 7 years ago | (#17113036)

The thing with frameworks ... is that over time implementation costs increase, and interoperability decreases, as you add more concrete stuff within the framework. They give the illusion of value.

How to kill an article (1)

Anonumous Coward (126753) | more than 7 years ago | (#17113102)

If you're writing an article dealing with issues of trust, especially if you're about to solicit the reader's trust in the subject of your article, make sure to start the article with the word "Verisign". You need write no more...

I love Anonymity (1)

Sub Zero 992 (947972) | more than 7 years ago | (#17113136)

I love anonymity. I hate "identity management" which leaves the user with a single "approved and authenticated" online identity.

You don't know my flickr username. You don't know my Ebay username. You don't know my Friends Reunited username.

You don't know what I bought my family for Christmas, what they look like, where I went to school, where I work now, where I live or what (or if) kind of car I drive. What you know about me is what I have chosen to let you know.

I like it that way.

No USER DATA ENCRYPTION (1)

alaricd (916139) | more than 7 years ago | (#17113278)

When data is transferred over the OpenID network AS IT STANDS AT THIS MOMENT no encryption is required, thus all your userdata could be transmitted in clear text. This is a clear reason to steer clear of OpenID or at least put pressure on them to fix this.

browser plugin for personality management please (1)

tolonuga (10369) | more than 7 years ago | (#17113320)

Well, can this help me to create a number of fake users (e.g. for all those stupid "please register" web sites), and help me to manage which site gets which personality? I would really prefer if I could thus decrease the number of sites that know me, and instead use throwaway identities for "free downloads" and stuff like that.

Fundamental issues in identity. (2, Interesting)

Hurderos (859412) | more than 7 years ago | (#17113648)

A number of other posts have alluded to 'whats the problem with identity'. In the FWIW department a summary of the important issues from someone who has spent a long time working in the field:

1.) There is no standardized method for defining identity.

2.) Services of value impose the Reciprocal Identity Management (RIM) problem.

With respect to point 1, is your identity?

mdoe

112233

Mary Doe

mdoe@SOMETHING.ORG

http://www.something.org/mary_doe

All of the above 'representational identities' are very useful in different contexts. None of them are your identity. For better or worse your identity is ultimately a token, let's call it an 'intrinsic identity', which has a fiduciary or contractual value associated with it by a third party.

Examples of intrinsic identities are things like social security numbers, credit card numbers, employee identification numbers, visa numbers etc. Such tokens are extremely useful in information technology since they serve as unique and definable 'keys' for who someone is. They are also extremely dangerous since possession of these tokens allows the implementation of an identity.

Systems such as OpenID, Shibboleth, Liberty Alliance and a bunch of OASIS standards seek to solve the problem of 'identity assertion'. While useful in and of themselves they don't provide a fundamental definition for identity.

Federated identity systems solve a very useful and important problem but impose problem number 2 which is the RIM problem. If the service being vended has any value a system for authorizing access to it must be in place. If the identity assertion comes from an external site the accepting site needs to instantiate or manage the identity in order to regulate the use of the service by the requesting identity. One class of problem is addressed but a second and equally important problem still exists.

In the case of the 'real world' - blog and social networking sites notwithstanding, where one organization is asserting identity for the actions of one of its employees there is a need for the identity asserting site to regulate the actions of the identity on the remote site as well. The management problem becomes quickly apparent if there are hundreds of partners in a federated identity environment.

Getting the right answer to the identity definition question is actually very useful. A number of very important issues in information delivery tend to 'fall out' when the question gets answered properly. Unfortunately the field of identity theory is abstract, poorly defined, difficult to understand and laden with socio-political and privacy issues.

As is typical with most problems the low hanging fruit gets picked first. Various schemes such as OpenID for attacking the identity assertion problem are emblematic of those types of effort.

blog url? (0)

Anonymous Coward | more than 7 years ago | (#17113768)

Well, I had to login with user name and password to my blog url. :)

It only authenticates... once? (1)

larko (665714) | more than 7 years ago | (#17113804)

I am getting all of my data about this system from http://openid.net/about.bml [openid.net] . There it says that the foreign server B asks my local server A if server B is designated as "allowed." If A says that B is allowed, B believes that I'm me and lets me continue. Otherwise B says, "Uhm, A doesn't know wtf you're talking about. You'd better go register me on A."

So I go register B on A, right? And now all I have to do to login is type larko.A.com into the little login box on B?

Why can't SpammerX type in larko.A.com now?


Maybe there's more information about this deeper in the site that I didn't see, or maybe I'm an idiot. Anyone know?

General Reply (3, Informative)

Jerf (17166) | more than 7 years ago | (#17114038)

This is a generalized reply to a number of comments that are either reflexively nay-saying the entire idea or are not understanding what this really means.

The intent of OpenID (as I read it) is simply to provide an identity. An identity is just a name that at least one person has permission to use, and no more. Multiple people may be able to use the identity. Perhaps some aren't "authorized" (a vague, undefined term in this case), and obtained the credentials by hacking. Maybe one person has a thousand OpenIDs. It really doesn't nail you down, break your anonymity any more than posting with a Slashdot account that has no URL, email, or distinguishing username characteristic, or give the One World Government an ID to tattoo into your arm.

The reason this is useful is that it gives further layering something to talk about. I can't tell my blog system "John Milquetoast Xavier is allowed to post on the front page", because the blog system can't understand "people". It needs "identities". But I can say "this OpenID is allowed to post".

And all the OpenID system will tell me is that some person has authenticated with that ID. I can further restrict their activities; I can still require a CAPTCHA, I can require a paid account, I can do all kinds of things. There's no law that says I have to let everyone with an OpenID have full permissions on my site. (When I say that, it's obvious, but based on the comments clearly some people have this idea in the back of their head.)

I can also go the other way; if your OpenID is from a site that I trust to verify you are a real human for some reason, I might allow OpenIDs from that site more permissions than one from the random internet. If my company sets up an OpenID server that we control and allow only our employees on, I might be able to trust OpenIDs from that server more than random strangers. (Assuming good security for the sake of argument.)

You could set up your own OpenID server to do whatever. I'm sure that if this takes off, there will be OpenID servers that people choose to leave wide open to allow anonymous OpenIDs to be created by anybody. Maybe it'll simply say "Yes, that person exists" to any query with any password, if the API allows it. Using one of those won't tie you to anything.

What you are worried about shouldn't be "identities", you are worried about "identities that can be tied to you". The generic OpenID specification can not provide that, since in the general case the OpenID server could be anything, including a compromised box, and you therefore can not trust it a priori. All it can do is provide a label. Excessive trust in an identity system is the real problem, not an identity system.

I've been creating a weblog for myself lately that includes comment posting, and while I don't think I'm quite ready to jump to OpenID, it's actually exactly what I'm looking for. My spam-control solution will be to moderate every comment posted, but once an identity proves its bona fides, I'll whitelist it. All I want is an identity. I don't really care if I can map it back to a person, I don't care if 10 people are using it, I just want an entity that I can deal with in my database and grant it permissions to above and beyond what an anonymous user gets. OpenID would solve that problem nicely, because I have no intention of farming out to OpenID the question of how much I trust the identity, merely the existence of an identity.
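The consumer-side policy described in the comment above, together with the "stop trusting that server" answer to rogue providers given earlier in the thread, as an added example (not part of any post, and not code from the OpenID project). `ConsumerPolicy`, the host names, and the `verified` flag, which stands in for the assertion check an OpenID consumer library would perform, are all assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from urllib.parse import urlsplit


class Access(IntEnum):
    DENY = 0       # assertion ignored, visitor stays anonymous
    MODERATED = 1  # may comment, each comment is held for review
    POST = 2       # comments are published immediately


def normalize(url: str) -> str:
    """Simplified identifier normalisation (an assumption, not the full
    OpenID rules): default scheme, lower-case host, drop the fragment,
    empty path becomes '/'."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    port = f":{parts.port}" if parts.port else ""
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme}://{parts.hostname or ''}{port}{parts.path or '/'}{query}"


def host_of(url: str) -> str:
    return urlsplit(normalize(url)).hostname or ""


@dataclass
class ConsumerPolicy:
    # Provider hosts this site has stopped trusting (the rogue-provider case).
    blocked_providers: set = field(default_factory=set)
    # Provider hosts the site owner vouches for, e.g. a company-run server.
    trusted_providers: set = field(default_factory=set)
    # Individual identities that earned trust through moderated comments.
    whitelisted_ids: set = field(default_factory=set)

    def approve(self, claimed_id: str) -> None:
        """Whitelist an identity after a moderator accepts its comments."""
        self.whitelisted_ids.add(normalize(claimed_id))

    def decide(self, claimed_id: str, provider_endpoint: str, verified: bool) -> Access:
        """Map an authentication result to a local permission level.

        claimed_id        -- the URL the visitor typed into the login box
        provider_endpoint -- the server that actually answered for that URL
                             (may differ from the claimed URL's host when the
                             user forwards their own page to a provider)
        verified          -- True only if the consumer library accepted the
                             provider's assertion
        """
        if not verified:
            # Typing someone else's URL proves nothing on its own.
            return Access.DENY
        provider = host_of(provider_endpoint)
        if provider in self.blocked_providers:
            # A blocked provider's word is worthless, even for an identity
            # that was whitelisted before its provider went bad.
            return Access.DENY
        if normalize(claimed_id) in self.whitelisted_ids:
            return Access.POST
        if provider in self.trusted_providers:
            return Access.POST
        # Identity exists, nothing more is known: moderate every comment.
        return Access.MODERATED


if __name__ == "__main__":
    # Constructed sample data; every host below is a placeholder.
    policy = ConsumerPolicy(
        blocked_providers={"rogue-idp.example"},
        trusted_providers={"id.corp.example"},
    )
    policy.approve("Alice.Example")
    cases = [
        ("http://alice.example/", "https://provider.example/server", True),
        ("http://bob.example/", "https://provider.example/server", True),
        ("http://alice.example/", "https://rogue-idp.example/auth", True),
        ("http://alice.example/", "https://provider.example/server", False),
    ]
    for claimed, endpoint, ok in cases:
        print(claimed, endpoint, ok, policy.decide(claimed, endpoint, ok).name)
```

The decision is keyed on the provider that answered, not on the host in the claimed URL, so blocking a provider also covers identities that merely forward to it.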