OpenID - Open Source Single-SignOn
Nurgled writes "Danga Interactive, who created LiveJournal and memcached, is working on a new decentralized single-signon system called OpenID. Similar in principle to Six Apart's TypeKey or MSN Passport, OpenID will allow you to assert a single identity to any OpenID-supporting site. The difference here is that there is no central authenticating server: anyone can run one, and Danga's reference implementations will be open-source. The site you are authenticating with never sees your username or password, just a one-time token. You can read the initial announcement on LiveJournal, though some details have changed since that post, so be sure to read the information on the official site."
Hosting Servers (Score:3, Interesting)
Re:Hosting Servers (Score:4, Insightful)
Slashdot may be large, but LiveJournal's user base (myself included) is also very large. Most of them are idiots (AKA teen girls), so they would instantly start using it and think it was a great idea to only need to sign onto one site ever.
If "average whiney girl mark 3" thinks it's a good idea she will tell her friends and it'll spread like wildfire through the mass market. The geeks can't control this; we can only choose whether we listen to the cries or get snowed under with them if this happens.
Re:Hosting Servers (Score:2)
Yeah, Slashdot might help raise awareness in the geek community, but as far as general "critical mass" goes, LJ has zillions [livejournal.com] more active logged-in users than we do :)
Re:Hosting Servers (Score:5, Insightful)
Re:Hosting Servers (Score:3, Insightful)
And this is the important point. For some reason, users of web services don't typically demand features like consumers do in other markets, at least not to the same degree. New features usually are first designed by site/owners/programmers/designers/masters/etc and then copied by countless other sites.
So, having a large population of readers that also maintain or run sites see and believe in an open system like this is probably more important than the user base knowing about it. Let's face it, if everyon
Re:Hosting Servers (Score:2)
And you say that because putting Microsoft technologies out of business has already proven to be so simple?
No, I'm afraid the only way to make Pi$$port go away is to keep it out of sight. It pops up right away after any user logs in initially (in XP). That's why people sign up for that service. They see it pop up, so they immediately fill out the form, like good little form-filler-outers. And web sites see their subscription numbers, and then adopt Pi$$port. Can you say "Court injunction"?
Single Sign-on like Passport is a lame idea. (Score:3, Interesting)
There is a better system... (Score:2, Interesting)
I RTFA'd and OpenID relies on a single host as an authenticator, just like Passport. Sure, you can have many single host authenticators with OpenID (whereas there can only be one with Passport), but at the end of the day, your credentials are only as strong as the security of that one box. Remember all the problems that Microsoft had with authenticating and authorizing Hotmail users? Single hosts make inadequate authenticators. The CorSSO folks
Re:Thinking. (Score:3, Interesting)
Why DSA? (Score:5, Interesting)
I coincidentally wrote a paper not long ago [72.14.207.104] (Google cache) on how to implement RSA-based single sign-on (using Python/mod_python). Using public key signatures seems like the most obvious way of implementing SSO. I'm surprised OpenID is using DSA though - AFAIK RSA (now that it's patent free) is a superior, more trusted and flexible algorithm.
I'm not a cryptographer by any means, but IIRC DSA was put together by NSA as an algorithm that was "crippled" to only do signatures, but not encryption, and there was some controversy because at first NSA wouldn't admit to being the designer, instead NIST was pretending to be one, and then later someone discovered a way to somehow leak bits and it is still a mystery whether this was intentional on the part of NSA or not.
I am a cryptographer, and this isn't so. (Score:4, Informative)
When you say "leaking bits", you're probably thinking of subliminal channels, and you're referring to some rather out-of-date information in Applied Cryptography. It's now established that all secure signature schemes have subliminal channels; they have to be probabilistic for the security proofs to work, and that's enough to give a "low-bandwidth" channel for anyone who doesn't know the signing key, or a "high-bandwidth" channel for those who do.
DSA is a perfectly good choice here.
Re:Why DSA? (Score:2)
Can you please put a few more acronyms in your post next time?
Re:Why DSA? (Score:3, Informative)
As a professional cryptographer I certainly don't think that DSA is in any way inferior for the task in hand. It is however superior in one significant way: if you use a 1024 bit key then the RSA signature is 1024 bits, which takes 171 bytes to base64 code, while the DSA signature only takes up 54 bytes.
Open (Score:5, Funny)
Re:Open (Score:2)
Yes. And if you withhold your password, that is like withholding proprietary info and not opening it up.
Re:Open (Score:2)
just itll show up eventually, after some 31337 h4x0r posts it
Re:Open (Score:2)
cat /dev/urandom | strings
Re:Open (Score:2, Funny)
*****+
Free as in Freedom (Score:5, Funny)
That's a common misconception. We have no problem with people making money from your password. It's the attempt by some to restrict freedom and keep your password all to themselves that we are against.
We would support, for instance:
Your password wants to be Free. We urge you to set aside the bondage in which your password is held and join with us for a better community.
[Gnoll mode: OFF]
Re:Gnoll? (Score:2)
Yeah, or GNU+Troll.
Wrong category? (Score:2, Insightful)
Certain Information (Score:4, Interesting)
Admittedly, I need to read up on this, and it's definitely an interesting idea to have a single login, but I think there are some behind-the-scenes issues that need to be worked out.
Also the decentralized nature of the servers has me worried/confused. So if I ran one, would I have everyones authentication information?
Re:Certain Information (Score:2, Insightful)
No. Just a token. Sheesh... I didn't even RTFA
Re:Certain Information (Score:4, Informative)
Of course, if a central signon system doesn't work for you, then don't use it.
Re:Certain Information (Score:5, Insightful)
If you ran one, you'd have only your authentication information stored on your server. Then, to authenticate to a remote server, you'd point that server to your server. The remote server would ask your server who you are, and then authenticate you (log you in). The biggest thing is that the remote server has to trust that what your server tells it is correct.
This may have a place in the blog world, where you're mainly looking for an easy way to keep your user profile the same across many blogs, but certainly not anywhere where you'd have sensitive data.
Another point, this is supposed to be authentication and not authorization. But actually, this isn't really authentication either... The difference between the two is really the question the server is asking. In authentication, the question is "are you who you say you are?". In authorization the question is "do I have the rights to perform a task?". With OpenID, the question is "who are you?". There is no verification to see if you are who you say you are (from the remote server's perspective, since there is no trust between servers), so you aren't actually authenticated.
It would be up to your server to determine what rights an open-id authenticated user would have.
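The exchange the post above describes, as an added stand-alone simulation (this is not Danga's code and not part of the original thread): the consumer site takes the user's URL, finds that URL's identity server, sends the user there, and gets back a signed one-time assertion that it then checks. It also shows the check the post says matters most, that the consumer must only accept a vouching from the server the identity URL itself points to, which is what stops a second server from asserting someone else's URL (the "I'm Brad Fitz from Deadjournal" case raised further down), plus the per-site approval list that the later "Bad Idea - People are click-happy" post worries about. Assumptions, all constructed for this example: the identity page is an in-memory string rather than a fetched document; the server is named by a `<link rel="openid.server">` tag (the convention later used by OpenID 1.x, not something this page states); the assertion is signed with an HMAC-SHA1 stand-in for the DSA signature the thread discusses, because the standard library has no DSA; every name, URL and password is invented.

```python
"""Added example, not Danga's code.  HMAC-SHA1 stands in for DSA; the
identity page, server registry and all names are constructed here."""
import hashlib
import hmac
import secrets
import time
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlparse

SIGNED_FIELDS = ("identity", "return_to", "issued", "nonce")


class _LinkFinder(HTMLParser):
    """Collect the href of the first <link rel="openid.server"> on a page."""
    def __init__(self):
        super().__init__()
        self.server = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "openid.server" in (a.get("rel") or "").split():
            self.server = self.server or a.get("href")


def discover(page_html):
    """Return the identity server URL declared on the user's page, or None."""
    finder = _LinkFinder()
    finder.feed(page_html)
    return finder.server


class IdentityServer:
    """The user's 'homesite': the only party holding the password and the key."""
    def __init__(self, url, users):
        self.url = url
        self.users = users                    # identity_url -> (password, approved site hosts)
        self._key = secrets.token_bytes(32)   # signing key, never leaves this server

    def _sign(self, fields):
        msg = "\n".join(f"{k}:{fields[k]}" for k in SIGNED_FIELDS).encode()
        return hmac.new(self._key, msg, hashlib.sha1).hexdigest()

    def check_signature(self, fields):
        """Back-channel check a consumer makes; true only for our own signatures."""
        try:
            return hmac.compare_digest(self._sign(fields), fields["sig"])
        except (KeyError, TypeError):
            return False

    def assertion(self, identity_url, password, return_to):
        """Log the user in here, then build the redirect back to the consumer."""
        if identity_url not in self.users:
            return None
        pw, approved = self.users[identity_url]
        if not hmac.compare_digest(pw, password):
            return None                       # wrong password: no assertion at all
        if urlparse(return_to).netloc not in approved:
            return None                       # user never approved this site
        fields = {"identity": identity_url, "return_to": return_to,
                  "issued": str(int(time.time())), "nonce": secrets.token_hex(8)}
        fields["sig"] = self._sign(fields)
        return return_to + "?" + urlencode(fields)


class Consumer:
    """A site accepting these logins.  Stores no passwords, only used nonces."""
    def __init__(self, site_url, pages, servers):
        self.site_url = site_url
        self.pages = pages          # identity_url -> page HTML (stands in for HTTP GET)
        self.servers = servers      # server_url -> IdentityServer (stands in for HTTP POST)
        self.seen_nonces = set()

    def begin(self, identity_url):
        """Step 1: discover which server may vouch for the claimed URL."""
        server_url = discover(self.pages.get(identity_url, ""))
        return self.servers.get(server_url), self.site_url + "/openid/return"

    def finish(self, response_url, max_age=300):
        """Step 2: verify the assertion; return the identity URL or None."""
        fields = dict(parse_qsl(urlparse(response_url).query))
        identity = fields.get("identity")
        if fields.get("return_to") != self.site_url + "/openid/return":
            return None                       # assertion was meant for another site
        server, _ = self.begin(identity)      # re-discover: only that server may vouch
        if server is None or not server.check_signature(fields):
            return None
        if abs(time.time() - int(fields.get("issued", "0"))) > max_age:
            return None                       # stale
        if fields["nonce"] in self.seen_nonces:
            return None                       # one-time token already spent
        self.seen_nonces.add(fields["nonce"])
        return identity


def demo():
    """Run the happy path and the failure cases; return a dict of outcomes."""
    alice = "https://alice.example.net/"
    home = IdentityServer("https://id.example.net/openid", {alice: ("hunter2", {"blog.example"})})
    rogue = IdentityServer("https://rogue.example/openid", {alice: ("anything", {"blog.example"})})
    pages = {alice: '<html><head><link rel="openid.server" href="https://id.example.net/openid">'
                    '</head></html>'}
    blog = Consumer("https://blog.example", pages, {home.url: home, rogue.url: rogue})
    server, return_to = blog.begin(alice)
    good = server.assertion(alice, "hunter2", return_to)
    return {
        "login": blog.finish(good),
        "replay": blog.finish(good),
        "wrong_password": server.assertion(alice, "letmein", return_to),
        "unapproved_site": server.assertion(alice, "hunter2", "https://evil.example/cb"),
        "rogue_server": blog.finish(rogue.assertion(alice, "anything", return_to)),
        "tampered": blog.finish(server.assertion(alice, "hunter2", return_to).replace("nonce=", "nonce=f")),
    }
```

The rogue case is the one to read closely: the rogue server's assertion is well formed and correctly signed with its own key, yet the consumer rejects it because discovery on the claimed URL leads back to a different server. Without that re-discovery step, any server anyone ran could vouch for any URL, which is exactly the trust gap the post above points out.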
Re:Certain Information (Score:3, Insightful)
Sure, you could lie about being Brad Fitz by saying "I'm Brad Fitz from Deadjournal" but then... those are two separate identities.
Re:Certain Information (Score:2)
No, authentication is "I am Nicholas Harmon, and to prove it here is my password, secure certificate, and/or biometric signature".
Re:Certain Information (Score:3, Insightful)
This, distributed authentication, lets other sites agree that you are Nicholas Harmon from Slashdot.
What have I missed?
Re:Certain Information (Score:3, Insightful)
Re:Certain Information (Score:5, Insightful)
Decentralized servers are no less secure than if you had a database table of your user authentication information for your application. With SSO, you actually don't need to know the password since it has already been handled. All you need back is the user ID and that they have been authenticated. If you choose to set one of these servers up, it isn't like people are going to start using your server to store their Online Banking information. They will be using your server only to access sites that you run.
On the flip side, if you choose to latch onto someone else's server for authentication, all you will be doing is specifying that you allow anyone authenticated by that server to access your site. You wouldn't even have as much knowledge of those users as you would if you ran your own security.
For the most part SSO is only really useful within a small environment. Very rarely do I see a need to allow people to access more than one application with the same sign on. Something like Passport is nice for the general user, but why would I want the overhead of something like that for my own applications? I'd rather have more control over things. That sort of makes this new product interesting to me, but on the other hand, most of my applications have distinct user sets anyway.
Re:Certain Information (Score:2)
Re:Certain Information (Score:3, Informative)
I'm one of the authors of CoSign [weblogin.org], which is a "traditional" Web Single Sign-on system. Really, SSO is explicitly not very useful in a small environment. SSOs are particularly useful in medium to large enterprise environments, primarily because identity needs to be tracked across many different applications -- for provisioning, audit
hardware? (Score:2)
The demo didn't seem to work for me, but others are already playing with it. Kind of cool, really.
What would be *really* cool is if news websites would let us use something like this instead of having to create usernames & passwords for every news site we want to read (or w/o having to leech a login from bugmenot)
No thanks (Score:4, Interesting)
Take MS Passport for example. I log on to MSN webmessenger. I chat with some friends, then I close it down. 3 hours later I decide to log on to MSDN to grab a file, I need to log in with a different account since my messenger account doesn't have the access... fine... I do that... then a few hours later when I go to webmessenger again, I'm auto-logged on with my MSDN credentials.
The only option I have is to force all passport sites to stop caching my username/password and make me type it in everytime, thus defeating the purpose entirely.
This sort of password system is open to all sorts of problems, and not just of spoofing, or somehow being hacked and having people impersonate you... I'm more worried about logging on to some place with the wrong credentials...
Re:No thanks (Score:2)
I'll authenticate with each and every site I visit...
and
I'm more worried about logging on to some place with the wrong credentials...
Are contradictory statements. You can't have both be true.
Single Sign On is nice because authentication is easier. I didn't like passport cause I don't trust MSFT, or any single vendor. Open ID once it has stablized and been tested is a better way in theory.
So who do you trust a dozen or two different companies with variou
Re:No thanks (Score:2)
Single Sign On sounds really cool, and maybe for the majority of people it's a Good Thing (TM). But for some of us, we have multiple accounts that we lik
Re:No thanks (Score:2)
What we need is a system that every person has one identity, with multiple persona. Each persona would have privileges and accounts tied with it. Your identity should be available only to those to which you trust it, and persona as well.
Lame (Score:2, Interesting)
Pay me 25 dollars (iname) to get a name is not the same as identity
Register with your 'name' and 'email' (typekey) is not the same as identity
Single sign-on (passport, openID)is not the same as identity
Re:Lame (Score:2)
Re:Lame (Score:2)
Re:Lame (Score:3, Interesting)
For most things, the only thing that matters is that the site can determine that some entity that claims to have been there before is back. Identity
is about telling that things are the same, not about
will this work? (Score:3, Insightful)
If you really want this, use something like Keychain (on a Mac), but in general one password to control them all isn't such a good idea.
Re:will this work? (Score:3, Informative)
Single Signon. It is a Set Of Single Signons. You can have as many identities as you want. The difference is that without something like this, you are forced to have one identity per site, or one Passport ID. With an openID implementation, you can have any number of accounts as fit your needs. One potentially useful scheme is to have one signon for blogs and news sites, and then individual identities for each bank/etc.
yes but (Score:2, Interesting)
Re:yes but (Score:2)
they could track your movements and sell that info to marketing companies in the same way that credit card companies do that.
Good Luck With That! (Score:2)
Re:Good Luck With That! (Score:2)
Yes, we authenticate our Apache servers against AD (Score:2)
I do not administer the AD boxes, those guys are on a different continent, so I don't know what kind of kludges those guys had to go through to get this to work. But in view of the recent Scott McNealy - St
Re:Yes, we authenticate our Apache servers against (Score:2)
"any SSO has got to work with AD to be successful"
Not true. The Internet and Intranet are entirely different environments. One is controlled and usually managed centrally, the other is uncontrolled and managed in a distributed fashion. A solution which is appropriate for one may not be appropriate for the other.
Re:Good Luck With That! (Score:2)
any backend can work (Score:2)
It could be LiveJournal, TypeKey/TypePad, your corporate website using LDAP or AD, whatever.
A hypothetical example:
John Carmack forgets his password again, and wants to comment on a Slashdot article about rockets and Quake.
Assuming Slashdot has OpenID support, he can supply his URL: http://www.idsofwtare.com/~johnc/ [idsofwtare.com] and Id's OpenID serv
How is it going to stay "single" (Score:2)
Re:How is it going to stay "single" (Score:3, Informative)
So basically, if you're logging onto the web site where you are registered, it simply makes a local call to a local database. if y
It's not (Score:2)
Single signature sign-on (Score:4, Interesting)
You could still have an 'id provider' that could sign the data on your behalf if you are in an internet cafe, for instance, but it would not be required by design. So in 'kiosk mode' the browser could just forward signature requests to the authority after you logged into it (which could even be your home computer).
This should be pretty easy to do as a Firefox plug-in.
Re:Single signature sign-on (Score:2, Informative)
Re:Single signature sign-on (Score:2)
Re:Single signature sign-on (Score:2)
It sounds like the features of OpenID are bound up in the features of FOAF, so I think the alternative you are describing is more of a tradeoff than a plain improvement.
Maybe OpenID could be designed so that ID providers are not necessary if you handle your own key pair, but it wouldn't be all as simple as you put it.
Re:Single signature sign-on (Score:2, Insightful)
Interesting...That sounds a lot like what client-side SSL certificates can already do in most web bro
Re:Single signature sign-on (Score:2, Interesting)
If permitted sites can access your info
Liberty Alliance anyone (Score:2)
The reason I ask is that the technology is a walk in the park compared to the much more difficult problem of trusting an external system to authenticate for you.
LID (Score:2, Informative)
Wanted: One problem. Already have solution. (Score:2)
It failed because, on the corporate side, no one wanted to hand Microsoft another monopoly, over the "electronic identification" market - Thus, really only Microsoft-run sites and a handful of "partners" accepted it. On the personal side, those who actually care about such issues abhorred the idea of having a single,
Public key authentication (Score:2)
The way my X11 is set up now, all I have to do is startx, enter my password in ssh-askpass, then I can freely ssh to any server I want without entering a password. I can also ssh from there to another server, still
Why not just use SAML? (Score:3, Insightful)
Why Hasn't SAML Been Adopted? (Score:3, Interesting)
Re:Why Hasn't SAML Been Adopted? (Score:3, Informative)
SAML has been widely adopted, just not in the use case you're imagining. For B2B scenarios it is actually taking off quite well, and the US federal government is standardizing on it. [cio.gov]
Now, it hasn't caught on in the world of consumer focused web sites, which is understandable given the architecture - no consumer authenticates at an authority before accessing sites, so it only makes sense for co-ordination between
Why not just RTFA? (Score:2)
Re:Why not just RTFA? (Score:2)
distributed != decentralized (Score:4, Insightful)
distributed != decentralized!
Single signon vs same password (Score:2)
Re:Single signon vs same password (Score:2)
Can anyone tell me what the single signon hype is all about? How is single signon any different than using the same password for multiple websites?
Well, for starters you don't have to worry about different sites knowing your username and password on other sites. If you use the same username and password on all sites a sysadmin at one site can go to another (popular) site and try all their saved userids/passwds against it and will probably get access to a number of accounts. With OpenID they get a one t
Re:Single signon vs same password (Score:2)
Does that mean that with single signon, the password is stored by a third party, and the website itself doesn't know your password?
Re:Single signon vs same password (Score:2)
I know a lot of people don't want to take the time to read the article but at least read the article summary before you comment. "The site you are authenticating with never sees your username or password, just a one-time token."
Why are they calling this identity? (Score:3, Insightful)
"Identity," formally, means who you are -- the unique person with your identity. I'm not going to write my real name here, but that's my identity. No one else is me: my identity is bound to me, even if there are people with the same name.
"Identity," colloquially, means "that person I know." You may not know me by my name. You know me by "daedala." That's my handle. I always post here as daedala, so that's my consistent presence on Slashdot (and my journal, and my email, and most other places I post...).
It's pretty difficult to establish a unique identity, bound to an individual, on the Internet. People screw this up all the time. It's not nearly as difficult to establish a consistent handle. From my review of this system, what it's doing is the latter.
So really, they should be calling it OpenHandle.
Re:Why are they calling this identity? (Score:2)
I'd go so far as to say that getting to know someone is the same as piecing-together a sizeable number of these facets about them, but at the e
Re:Why are they calling this identity? (Score:2)
Isn't self your real identity? Does it really matter if you're Paul Whackabee, Jonah Jackson, or Jason Voorhees?
We could argue that your DNA is self, but it isn't. When you bleed (from an injury), does your self leave there? Or on surgery, does your self go away there? Of course not.
If you were a perfect twin, are both of you the "same self"? Nope.
Logically, we must conclude your self is actually some instantaneous moment of your crystallized product of your knowledge.
That goes deeper in.. D
Identity can be decentralized, authenticity can't (Score:2, Insightful)
From my quick reading, OpenID doesn't try to do this and leaves this up to the "identity provider" which can be a centralized service or even my own home system. OpenID is more concerned with mapping whatever identity the user chooses to use consistently across the s
Multiple networks... (Score:2)
Since sites like that have a real problem with identifying people so they can sanction spammers without making it too hard for regular joes to participate, this is a valuable tool. If it can be used more widely that's a bonus... and you have already suggested one way it COULD be used more widely:
sites that perform any type of regulated or high-risk activity will have the responsibili
This is just an answer to EZboard single signon (Score:2)
It's not helpful for e-commerce, corporate intranets, campus-level signons, online banking, or spam prevention.
Competition (Score:2)
Re:Competition (Score:2)
Re:Competition (Score:2)
Wow. (Score:3, Informative)
Digital Certificates (Score:2, Interesting)
Bad Idea - People are click-happy (Score:3, Interesting)
From the sound of this, you log in to one site (your homesite) with your real username and password, and after that it uses digital signatures and a list of trusted sites to prove to that site that you are the owner of the URL.
I see several problems with this, one of them being specifically that it doesn't require a password everywhere you login. I know the point of single sign-on is to have one username and password for everything. However, think about your average user: when prompted with a dialog box asking "Would you like to trust this site?" or "Would you like to install our malicious software?", they have an uncanny habit of clicking "Yes" without thinking. I think this will become a problem as well--people authorizing any site just because it asks, and not realizing what it means in the end. Requiring password entry and making the requesting site very clear would make it much easier for users to know what they are doing.
URL? URN? URI? Email? Username? Login? Identity? (Score:2)
I don't like the idea of using URLs as an identification system. Sure, within the blogosphere, this is great since most people *are* identified by the URLs of their websites, but what about normal people? It's hard enough to explain the difference between an email address (username@host), a URL (host/resource), and a login (username and password), and it's worse that some sites use your email address to login and some use a username, but this is the worst. It means that URLs, which are supposed to rep
Only half a solution (Score:2)
It seems like this is only half a solution. All it does right now is allow responsible sites to ensure that you are the owner of a URL. It doesn't have any way (yet) to prove that you wrote a comment, or that you didn't. Basically this means it will be useless, because unless a site operator blatantly forges identities, they can change individual comments to say what they want and there's little that can be done to disprove them.
This requires an HTTP server, publickey doesn't (Score:2)
I see one major problem with this, related to the fact that it uses URLs: it requires an HTTP server. By requiring an HTTP server, it requires you to either run your own server, get a free account somewhere, or pay someone for one. Running your own is beyond the expertise of many users, and even with a nice program for it, dynamic IPs and stuff will get in the way. The problem with offering this as a free service is that there is little incentive for a site to offer the service alone. There are few ch
Another protocol, OSS needs a mechanism. (Score:2, Informative)
Globus/GRID, Shibboleth, PubCookie, LID and a legion of others are already implementing mechanisms for making assertions about an identity. The fundamental
RealOpenID (Score:3, Interesting)
Re:Suddenly.... (Score:3, Interesting)
Re:Hmmm.... (Score:2)
I'm just pondering, but I think that you would also have to consider that for a person to use your password, they would have to know the sites that you have logins for, and also they would have to know that you use the same password for everything. I suppose that's not too far out that they would suspect you use the same password, but it would be more difficult to figure out the websites you visit/have logins for.
Re:Hmmm.... (Score:2)
There is. Comparing OpenID to Passport is comparing apples and oranges, they work differently and have different purposes.
Re:Anyone (Score:2)
No, read the article and try to understand it before commenting.
Re:Anyone (Score:2)
Free services are scams.
How am I supposed to take my OpenID with me?
Run your own OpenID server using a domain name that you own.
And what keeps me from making a blog site and using OpenID. When someone posts to my site, what keeps me from getting their password?
Only your homesite sees your password.
Re:Bad idea (Score:3, Informative)
Re:kerberos? (Score:2)
Re:kerberos? (Score:2)
Re:NEEDED (Score:2)
All you need is to provide a service which allows a user to create an identity named "anonymous1234" for example. The user receives a private key and a certificate signed by your certificate authority, both of which are unique to that identity.
The user can now assert that unique but anonymous identity to other services by presenting the certificate. Those services will, of course, be selecti