
AOL Now Supports OpenID

Posted by Zonk
from the making-progress dept.
Nurgled writes "On Sunday John Panzer announced that AOL now has experimental OpenID server support. This means that every AOL user now has an OpenID identifier. OpenID is a decentralized cross-site authentication system which has been growing in popularity over the last few months. AOL is the first large provider to offer OpenID services, and though they do not currently accept logins to their services with OpenID identifiers from elsewhere, they are apparently working on it. The next big challenge for OpenID proponents is teaching AOL's userbase how to make use of this new technology."
  • by evilbessie (873633) on Sunday February 18, 2007 @06:41PM (#18062576)
    I'll have a personal Identification PIN number please, what the hell is an OpenID identifier if not an OpenID ID?
    • Re: (Score:2, Funny)

      by Anonymous Coward
      I don't see what your problem is with "personal identification PIN number"; I use mine every time I go withdraw money from the automated teller ATM machine.
    • by tepples (727027) <tepples&gmail,com> on Sunday February 18, 2007 @08:44PM (#18063196) Homepage Journal

      The joke is often repeated. But U.S. trademark law may help explain RAS syndrome. Trademarks are adjectives and should be used with a generic term, even if they contain an abbreviation of the generic term. Hence "TCBY yogurt" even though "TCBY" is "the country's best yogurt", "DC comics" even though "DC" was "detective comics", "SAT reasoning test" even though "SAT" was "scholastic aptitude test", and "SPAM luncheon meat" even though "SPAM" stood for "specially processed assorted meat" at one time. Writers pressured by trademark owners to include the generic terms in their copy tend to overextend the habit of abbreviation + generic even to cases where the abbreviation is not a trademark.

      Another cause is to disambiguate homophonic or homographic acronyms. "Put your PIN in the computer" could be misheard as "put your pin (or pen) in the computer", which could damage the machine. "Put your PIN number in the computer" has one interpretation.

      • Re: (Score:3, Informative)

        by molotov303 (182638)
        I'm pretty sure SPAM is SPiced hAM, not specially processed assorted meat.

        http://en.wikipedia.org/wiki/Spam_(food) [wikipedia.org]
      • Re: (Score:3, Insightful)

        by iabervon (1971)
        These sorts of abbreviations are often idiomatic and literally incoherent. For example, "PIN" stands for "Personal Identification Number", but it doesn't actually identify you; the account number identifies you, and the PIN authenticates you (if you were to type your PIN into a terminal without putting in a card, it would have no idea who you were). So, if people have to ignore part of the expansion to understand the term, it makes sense that they'd ignore the whole expansion, and then want a simple noun
        • Re: (Score:2, Insightful)

          by dlthomas (762960)
          "I bought some of TCBY" makes sense, you're just talking about stocks...
        • by mrdaveb (239909)
          For example, "PIN" stands for "Personal Identification Number", but it doesn't actually identify you; the account number identifies you, and the PIN authenticates you

          Good point. Let's start calling it PAN instead
    • Re: (Score:2, Informative)

      by Vexo (825223)
      Open Identification Identifier, the OpenID ID. It doesn't quite repeat itself.
    • by Nurgled (63197)
      OpenID is the technology. An "OpenID Identifier" is used to identify a user of the technology.
  • Cool... (Score:4, Funny)

    by Spyder_Snyper (1050456) on Sunday February 18, 2007 @06:42PM (#18062584)
    So the idea is pretty cool... Now that you've got an OpenID, you could go ahead and use that login on whatever else supports OpenID. The problem lies with the fact that 50% of AOL's userbase doesn't even own a computer. According to some stats that AOL released some time ago...
    • Re: (Score:3, Insightful)

      by fyrewulff (702920)
      When I worked at the library, a majority of the tweens and teens came in just to check/update their MySpace. They didn't even have a computer at home.
    • Not cool (Score:4, Interesting)

      by linuxmop (37039) on Monday February 19, 2007 @12:26AM (#18064216)
      Actually, the problem is that the OpenID specification is very poorly written and is extremely complicated. It's as though a couple of kids wanted to put together an RFC but didn't really understand how to express a specification in a logical form. If you don't believe me, just take a look; you'll see what I mean just by glancing through it: http://openid.net/specs/openid-authentication-1_1.txt [openid.net]

      Anyway, then, as kids are wont to do, they have followed it up with a series of new specifications, each one more complicated than the last. There are five specifications in draft form right now, each to cover some different aspect of what should be a fairly simple protocol. They reference and make use of HTTP, HTML, XHTML, XML, XRIs, XRDS, S/MIME, XSLT, and some other, similar ID specification called Yadis. Implementing all of this requires gobs of software libraries (each with security holes and bugs) and expertise (and who has time to learn the latest X??? spec?). And we're supposed to believe that it's possible to do this securely? We can barely make secure web servers, much less SSI systems which require almost 100 pages of specifications, plus thousands of pages of supporting specifications!

      What's sad is that the authors are not just a couple of kids that discovered XML and had a field day. The authors are associated with companies. The primary author works for VeriSign. Presumably, he should know better than to make such a jumbled mess.

      But I think we all know what's really going on here. These idiots put together an incomprehensible specification. It is poorly defined, ambiguous, and relies on lots of supporting technologies. It is impossible to implement securely, completely, and correctly. Security holes and interoperability issues will be the only real standard. And guess whose jobs are secure? Guess who gets lots of contracting jobs? Guess who is needed to write new specifications so that they can get it Right the next time?

      It's too late to turn this one around. Hopefully OpenID will die a horrible death and we'll never hear of it again. But please, please, if anyone else reading this feels compelled to write a specification in the future, learn from OpenID's mistakes and keep it simple, stupid. Because OpenID is setting itself up for disaster.
      • by Nurgled (63197)
        OpenID 1.1 was pretty simple. OpenID 2 is getting crazy, I'll agree. I've been lurking on some of their mailing lists and I can see that they're currently discussing the slimming down of the new specifications, so they're well aware of this issue. I don't even know what XRI or XRDS is and from their mailing lists I can see I'm not the only one. I hope they'll make it a lot simpler before they publish the final version.
      • The other not cool thing is the way people are identified by URLs rather than email addresses .... a whole load of people don't really seem to grok URLs and now we are expecting them to remember more or less arbitrary "web page addresses" that do not in fact identify web pages? WTF? The stupid thing is this could be fixed by a simple rewrite convention, but they never seem to have bothered making one. I (and many others) raised it on the openid lists way back when it was just a 5-minute thing put together b
  • by Anonymous Coward on Sunday February 18, 2007 @06:51PM (#18062624)
    Single sign-on across the internet is a bad idea. As more sites require it, people's web browsing habits will be tracked on an unprecedented scale. Seriously, what benefit does it provide? I certainly don't want to log onto my bank's website automatically. And in general, I don't want to reveal anything about my identity unless there is a very good reason to do so. The whole purpose of OpenID and similar technologies is to make it easier to track people. This is not the way I want the internet to develop.
    • OK, other than NOT being MS driven and a bit more open, where is OpenID conceptually different from Passport? I may have missed something here but it's again single sign on which concentrates your online identity into a single point of failure.

      So, it's more modern and has a little shiny "Open" sticker on the side, but the challenges are identical IMHO.
      • by jZnat (793348) * on Sunday February 18, 2007 @07:41PM (#18062858) Homepage Journal
        Well, anyone can run their own OpenID server to authenticate against, but to use Passport, you rely upon Microsoft's passport.net servers no matter which email address you associate with it.
        • by Tony Hoyle (11698)
          Yup anyone can run the server... and that means the servers will be run as much by scammers as by normal people. Same problem. If you didn't trust Microsoft you sure as hell shouldn't be trusting any random website.
          • Re: (Score:3, Informative)

            by maxume (22995)
            No one is pushing it as a trust mechanism. It is being pushed as a unique identifier. The idea is that if you start up a zippy website where there are some additional features if I create an account, you can let me use an OpenID to identify myself, rather than having me create a user/pass just for your site. I provide a url, and your server does some stuff to find out if I own that url, and if I do, it can use that to identify me.

            You don't end up with any more reason to trust me than if I had used a random
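The "some stuff to find out if I own that url" maxume describes is, in OpenID 1.1, a signed assertion from the provider that the relying party checks. The following is an added example, not code from AOL, Slashdot or the OpenID project: it follows the OpenID 1.1 signature construction (base64 of HMAC-SHA1 over the key-value form of the fields listed in openid.signed), and every association handle, MAC key, identity URL and nonce in it is constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed association state. In OpenID 1.1 "smart mode" the relying party
# (RP) and the provider first agree on a MAC key and an association handle;
# the RP keeps this table so it can check signatures locally.
ASSOC_HANDLE = "constructed-assoc-handle-1"
MAC_KEY = b"constructed-20-byte-mac-key-"   # HMAC-SHA1 key (hmac accepts any length)
RP_ASSOCIATIONS = {ASSOC_HANDLE: MAC_KEY}

# The fields an RP must insist are covered by the signature.
SIGNED_FIELDS = ["mode", "identity", "return_to"]


def kv_form(params, signed):
    """Key-value form over the signed fields, in the order listed in openid.signed:
    one 'key:value\\n' line per field, with the 'openid.' prefix stripped."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode("utf-8")


def openid_signature(params, signed, mac_key):
    """base64(HMAC-SHA1(mac_key, kv_form)) as used by OpenID 1.1 assertions."""
    digest = hmac.new(mac_key, kv_form(params, signed), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def provider_assertion(identity, return_to, assoc_handle=ASSOC_HANDLE, mac_key=MAC_KEY):
    """Provider side: the positive (id_res) response redirected back to return_to."""
    params = {
        "openid.mode": "id_res",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.assoc_handle": assoc_handle,
        "openid.signed": ",".join(SIGNED_FIELDS),
    }
    params["openid.sig"] = openid_signature(params, SIGNED_FIELDS, mac_key)
    return params


def nonce_from_return_to(return_to):
    """The RP embeds a one-time nonce in return_to when it starts the login."""
    values = parse_qs(urlsplit(return_to).query).get("nonce")
    return values[0] if values else None


def verify_assertion(params, claimed_identity, expected_return_to, associations, used_nonces):
    """RP side. Returns (ok, reason). 'used_nonces' is the RP's replay cache (a set)."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    mac_key = associations.get(params.get("openid.assoc_handle"))
    if mac_key is None:
        return False, "unknown association handle"
    signed = params.get("openid.signed", "").split(",")
    # A response that leaves identity or return_to unsigned could be re-targeted,
    # so insist that the fields we rely on are under the signature.
    missing = [f for f in SIGNED_FIELDS if f not in signed]
    if missing:
        return False, "unsigned fields: " + ",".join(missing)
    try:
        expected_sig = openid_signature(params, signed, mac_key)
    except KeyError as exc:
        return False, f"signed field absent from response: {exc}"
    if not hmac.compare_digest(expected_sig, params.get("openid.sig", "")):
        return False, "bad signature"
    if params["openid.identity"] != claimed_identity:
        return False, "assertion is for a different identity"
    if params["openid.return_to"] != expected_return_to:
        return False, "return_to does not match the login we started"
    nonce = nonce_from_return_to(params["openid.return_to"])
    if nonce is None or nonce in used_nonces:
        return False, "missing or replayed nonce"
    used_nonces.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    rt = "http://rp.example/openid/finish?nonce=constructed-nonce-1"
    resp = provider_assertion("http://alice.example/", rt)
    seen = set()
    print(verify_assertion(resp, "http://alice.example/", rt, RP_ASSOCIATIONS, seen))
    print(verify_assertion(resp, "http://alice.example/", rt, RP_ASSOCIATIONS, seen))  # replayed
```

Note that a passing check only proves the provider vouched for that URL; as maxume says, it says nothing about whether the provider or its user should be trusted.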
      • Re: (Score:3, Informative)

        But it doesn't have to run on some big evil corps servers. It's open in the sense that you can run your own server and track all of your own web surfing habits.
          I admire the dispersed nature of the whole idea, but I fail to see the point if a logon doesn't carry a degree of associated trust. If anything, it goes against any trust model as there are too many uncontrolled parties involved who may or may not have an interest in your browsing habits. It's a bit like a store card where you get some peanut reward for giving the shop/chain the ability to analyse your shopping habits in minute detail.

          So you've got nothing to hide? Fine, would you appreciate being followe
      • by sholden (12227)
        Because you can run your own OpenID provider.

        People want single sign on because it's an easier option than remembering 47 unique and secure username:password pairs, and much more secure than sharing usernames/passwords for multiple accounts.
          You're creating a single attack vector for multiple sites - any site who uses the scheme will show up in a log as a site your ID/password gives access to, and a compromise of the core service (or the section you use) will thus screw you for all those sites in one go. Not to mention the risk if someone comes up with an idea to intercept/divert the authentication traffic.

          Maybe my standards are too high, but it doesn't feel like a very good idea to me other than for very low value sites (i.e. those with no mo
          • by sholden (12227)
            Yes, it's single sign on, so a compromise of the single part will give up the ball game.

            However, I know lots of people who use the same password in all the places they don't really care about (websites like slashdot). For them a compromise of any compromises all (and a compromise could be, the person running the site takes a peek). The idea is the single sign on should be more secure than any individual site would be. And since you used the same password everywhere anyway that results in higher security.

            O
      • by jthill (303417)

        Nope. Look at this from the individual's perspective, and from the server's perspective:

        From the individual's point of view, you can casually create digital identities: no server has anything to correlate with that you don't want to give them, because making a digital identity is easy. Your privacy is as secure as you want to keep it.

        From the server's point of view: you can demand any criteria you like. No doubt there will be OpenID servers that support financial transactions by guaranteeing all digita

        • There is already a reasonable system to assure identity (reasonable totally trustworthy): the Web of Trust scheme from Thawte (the reason Mark Shuttleworth could collect airmiles in a more spectacular way :-). The WOT idea uses a points system and ID cross checks to give people certificates.

          I should know because I was one of the people authenticated into the system by Mark, but I must log in and update my data ..
    • by Frogbert (589961)
      Here is a big benefit. A single unified login will obsolete sites like bugmenot.com overnight. And I'm sure the owners of that site would be happy to see it go.
      • A single unified login will obsolete sites like bugmenot.com

        And what's to prevent the sharing of various openid logins with anyone and everyone? Nada ... so in effect it doesn't provide uniqueness. It only proves that whomever just used that login knew the proper associated password.
    • Re: (Score:2, Informative)

      by EchoD (1031614)
      From what little research I have done, it's possible to host your own OpenID server.

      [...] your username is your URI, and your password (or other credentials) stays safely stored on your OpenID Provider (which you can run yourself, or use a third-party identity provider). [...] From http://openid.net/ [openid.net]

      Which means the centralized database of your browsing habits would be on your own server. With browser history, this already exists. Sure, OpenID may not be suitable for online banking, but it would sure make things easier when it comes to making one or two posts on a forum you're rarely going to visit.

    • by MarkRose (820682)
      For people who post pictures, it's a great way to prove that they're the same individual that posted pictures elsewhere, and not some faker pretending to be them. This is a very common problem between yahoo, livejournal, myspace, facebook, and other networking sites.
    • by jalefkowit (101585) <jason@jasonlef k o w i t z . n et> on Sunday February 18, 2007 @08:09PM (#18063018) Homepage
      Your knee is jerking. You're reacting to the centralized authentication systems like MS Passport that we've seen in the past, which would indeed make it easier to track people. OpenID is fundamentally different in that there is no one centralized identity provider. You can use AOL as your OpenID provider, or another provider, or even set up your own OpenID server on your own hardware and use that if you can't find one you can trust -- hard to think of a scenario that would be more tracking-proof than that. Read more about OpenID [openid.net], it's not what you think it is.
      • by Dolda2000 (759023) <(fredrik) (at) (dolda2000.com)> on Sunday February 18, 2007 @09:15PM (#18063370) Homepage
        The tracking doesn't primarily depend on the authentication server's ability to log whenever you authenticate, but rather that having single sign-on drastically increases your tendency to reuse the same identity on every website you log into. In other words, cross-site tracking can be done much more reliably than before.

        Of course, many here on Slashdot could probably set up their own OpenID server that has a unique identifier for each site, but how many do you think {are going to/are able to} do that -- especially among AOL users?

        • Of course, many here on Slashdot could probably set up their own OpenID server that has a unique identifier for each site, but how many do you think {are going to/are able to} do that -- especially among AOL users?

          So set up your own OpenID server, and offer it free to AOL users who aren't savvy enough to do it themselves. Explain to them why they should trust you more than they trust AOL. If they want to they could use your server just as easily as they use AOL's.

          OpenID makes identity portable, which

        • by Nurgled (63197)
          OpenID 2 (whose spec is nearing completion, with implementations to follow) has a feature where instead of entering your own URL you enter just your provider's URL. Your provider can then optionally offer an option to generate a one-time gibberish identifier for that single site, which it'll remember so that you can present it again to that site next time. This will make the creation of per-site identifiers much easier, though of course it'll take some time for all of the existing OpenID sites to migrate to
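As an added illustration of the per-site identifier feature Nurgled describes (this is my own sketch, not AOL's or the OpenID project's code): the provider derives a distinct identifier for each relying-party site from a per-user secret, remembers which account it issued it to, and hands the same one back on later visits. The provider URL openid.example, the usernames and the secrets are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

PROVIDER_BASE = "http://openid.example"   # constructed provider URL


def site_key(realm):
    """Collapse a relying party's realm/return_to URL to scheme://host so one site
    always gets the same identifier regardless of the path or query it sends."""
    parts = urlsplit(realm)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


class PerSiteIdentityProvider:
    """Constructed provider that hands each relying party its own identifier.

    The identifier is HMAC(user_secret, site), so it is stable for a given user
    and site, but two sites comparing notes cannot link their identifiers to one
    person without the secret. The provider records what it issued so it can map
    an identifier back to the local account at the next login."""

    def __init__(self):
        self._secrets = {}   # username -> per-user secret (constructed, kept private)
        self._issued = {}    # identifier URL -> (username, site)

    def register(self, username, secret):
        self._secrets[username] = secret

    def identifier_for(self, username, realm):
        site = site_key(realm)
        tag = hmac.new(self._secrets[username], site.encode("utf-8"), hashlib.sha256).hexdigest()[:32]
        ident = f"{PROVIDER_BASE}/id/{tag}"
        self._issued[ident] = (username, site)
        return ident

    def resolve(self, identifier):
        """Which local account, and which site, does this identifier belong to?"""
        return self._issued.get(identifier)


if __name__ == "__main__":
    idp = PerSiteIdentityProvider()
    idp.register("alice", b"constructed-secret-for-alice")
    print(idp.identifier_for("alice", "http://blog.example/login"))
    print(idp.identifier_for("alice", "http://forum.example/"))   # different identifier
```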
    • by natrius (642724)
      Most people already use the same email address everywhere they sign up for accounts. OpenID doesn't exacerbate that problem. If you don't want websites to be able to compare login data, get multiple OpenIDs, just like you presumably have multiple email addresses.

      There are very few websites I go to where I actually care that much about privacy, such as my bank, and anywhere I purchase things. If all the other sites adopted OpenID, my life would be a little easier.
    • by Kijori (897770)

      Single sign-on across the internet is a bad idea. As more sites require it, people's web browsing habits will be tracked on an unprecedented scale. Seriously, what benefit does it provide?

      This isn't aimed at e-commerce sites, it's aimed at blogs. And it doesn't associate your browsing habits with a person, it associates them with a webpage. What it allows for is authentication and attribution of comments, articles and the like so that you know that you're talking to the same person throughout an exchange, wherever that takes place. Your bank isn't interested in knowing whether you really own fred13.blogsite.com, only in whether you're the owner of the account, so they won't be interested i

  • Has anyone got any precise insight on the difference between OpenPrivacy [openprivacy.org] and OpenID [openid.net] goals? :)
    • by Broadcatch (100226) on Sunday February 18, 2007 @09:27PM (#18063426) Homepage
      "OpenID is a simple single sign-on mechanism advanced by Brad Fitzpatrick of LiveJournal. In OpenID, your identity is a URL." - http://en.wikipedia.org/wiki/OpenID [wikipedia.org]

      Basically, OpenID provides for distributed authentication.

      IMO, what makes OpenID interesting is that in the 2.0 protocol, XRI (i-names) have been included, which opens the door to enabling selective, authenticated authorization of access to services, be it as simple as the ability to contact me (I would allow any parent of a child in my kid's pre-school class to phone me) or as complicated (eventually) as any contract you can imagine.

      OpenPrivacy, on the other hand, assumes such services as a starting point, which is why I suspended development of OpenPrivacy in 2002 and began working on XRI/i-names. OpenPrivacy will use sophisticated techniques such as zero-knowledge proofs to enable distributed reputation providers and truly pseudonymous identities that cannot be traced to their owner (unless such verification is mutually requested), but it requires strong, secure identity as a starting point.

      I look forward to creating grassroots i-names-enabled communities soon (starting in March, if all goes well) and eventually getting back to my OpenPrivacy roots - which is where (IMO) things start getting really interesting.
      • Boy, that sure does sound great. XRI promises global context symbols, peer-to-peer addressing, decentralization, delegation, federation, persistence, human-friendly formats, machine-friendly formats, lightweight resolution, trusted resolution, and transport independence! Amazing!

        Too bad it's all a bunch of complicated bullshit. We don't need it, and we don't want it. Want to know why? Seven different special symbols (@, +, =, !, $, /, .), all with meaning (they "provide a simple, human-friendly way to indic
      I hadn't heard of OpenPrivacy before, so I didn't know what it was. After having read around a bit on their site, though, I still can't say I do. It seems to be a much larger project than OpenID is. It seems indeed that they have some authentication stuff in there as well, but they seem to be doing lots and lots of other things as well.

      OpenID, on the other hand, is simply authentication and nothing more. The idea is that you only need one OpenID account. Then, when you go to a website which requires logon

  • by Phleg (523632) <stephen@touset. o r g> on Sunday February 18, 2007 @07:12PM (#18062706)

    One major problem I see with this sort of initiative is spoofing of your provider's sign-in page. Unlike spoofing in its current form, if someone was able to get the password for your OpenID provider, he'll have access to every single one of the accounts you've used that ID with. It's putting all your eggs in one basket -- with the way everything is currently handled, your sign-on information to an individual site may be compromised, but you won't lose everything else.

    Is there a solution to this kind of problem, or is OpenID really only targeted to low-risk authentication; i.e., for forums and social networking sites?

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      spoof? Hell they won't need to spoof anything. AOL user will surf to a pr0n site, pr0n site will say "enter your openid to get 100% full free access!!111" or some such crap. AOL user will WILLINGLY give away their id to see pr0n.
      • Enter your openid? Enter a URL? How will that 'give away their id'?
        • by Tony Hoyle (11698)
          duh. Because once someone has their openid they have the id for *all* their websites.
          • by Kijori (897770)
            The openid is just the "username". It has to be authenticated before it can be used, and what that authentication involves is up to you, or whoever you delegate the running of your openid account to. You want it to ask for a 30-digit passphrase, 2 part authentication or biometrics? You can. This is only less secure than normal if you set up your backend system to be insecure.
          • So how is that different than spoofing? Remember, the parent said:

            spoof? Hell they won't need to spoof anything. AOL user will surf to a pr0n site, pr0n site will say "enter your openid to get 100% full free access!!111" or some such crap. AOL user will WILLINGLY give away their id to see pr0n.
            If they ask for the openid login information (as opposed to just the user's openid login URL), then they are effectively spoofing.
    • There is a solution: Authenticate your OpenID once, manually. You could even do it with a browser extension. Then, whatever they spoof, they won't be able to authenticate as you to anywhere else, only to the site you're trying to login to.

      To put it in really simple terms, they'll get your username, but not your password.

      By the way, we already have this problem. If someone steals your identity (social security number, etc), they can use that to gain access to most things you have, including your bank. The tr
    • by Kijori (897770)

      OpenID is as secure as you make it; you control the "backend" and you choose how much it's going to do to check it's you before it tells the website that it is. If you want convenience, it might always authenticate you if you're on your home IP, or if you've got a particular cookie. If you want security, it could ask for a username and password, or 2-factor authentication. You could require you to digitally sign a random piece of plaintext, supply biometric data and scan in 3 proofs of address, the security

    • by Nurgled (63197)
      Centralizing your "login page" worsens the problem but it also offers several solutions. For example, a browser plugin (and hopefully later, a browser feature) can be configured to make it extremely obvious to the user that they are on the correct site when it's time to present credentials, because there is only one correct answer. Also, it's much easier to make use of new-fangled authentication schemes in place of usernames/passwords when they become available since only the OpenID providers have to implem
  • by smack.addict (116174) on Sunday February 18, 2007 @07:25PM (#18062762)
    OpenID is the phisher's dream. I honestly don't get what would motivate someone to implement this specification.
    • by Broadcatch (100226) on Sunday February 18, 2007 @09:38PM (#18063488) Homepage
      Multiple answers, but here are two:
      1. use OpenID to verify those you know (or their membership in a community you trust) - don't use it for "verification" of a service you know nothing about
      2. Microsoft's CardSpace (InfoCard) protocol can provide a simple mechanism to support this verification
      Once the trust is created, then you can use the XRI capabilities of OpenID 2.0 to provide sophisticated profile data sharing and/or service access authorization. But you are correct: if you're the kind of person who sends money to spammers, OpenID alone will not help you.
    • I'm not sure exactly what you're referring to, but I would argue it is the other way around. If you use OpenID to sign in to a spoofed site, you're safe, because they can't use that info to sign in to the real site themselves. If they're spoofing your OpenID server, then, to be honest, people would be fooled just as much or little as they would be without OpenID. On top of that, OpenID allows you to do neat things like SSL client certificate or Kerberos authentication or anything else that cannot be used by
  • The fact that you can't even get a nick like DirtyTurtle278346812376 because it is already taken, why the hell would it be a good thing for something like OpenID to be polluted by AOL's obnoxious user list?
    • by jZnat (793348) *
      Because you can use your own domain name behind the OpenID server you run. Even if you think that all the good domains are taken, remember that there are a ton of ccTLDs you can use (especially in countries that don't use the Latin alphabet).
    • by pelrun (25021) on Sunday February 18, 2007 @07:47PM (#18062898)
      AOL's openID's are all in AOL's namespace; DirtyTurtle278346812376.aol.com isn't going to prevent you having DirtyTurtle278346812376.myopenidserver.org.
  • by jalefkowit (101585) <jason@jasonlef k o w i t z . n et> on Sunday February 18, 2007 @08:28PM (#18063114) Homepage
    The story is even bigger than the summary makes it out to be. It's not just AOL users who have an OpenID -- anyone who uses AOL Instant Messenger is included, too, as is anyone who uses AOL's "Journals" blogging platform. Both these services are free, and AIM especially is used by a far wider and more technical group of users than the term "AOL users" would suggest. (You /.ers who use AIM via Gaim, for example? You've got OpenIDs now.)
    • When are they going to reimplement AIM via Jabber, so that AIM users can easily talk to Google Talk users and everyone else?

      That would leave only Yahoo and MSN...

      But really, it seems obvious to me that they are not implementing OpenID because they like open standards. Otherwise, why aren't they actually using open standards elsewhere?
      • by Dan Ost (415913)

        Implement an open standard when there is no compelling reason not to.

        The fact that Jabber doesn't offer any advantage over their already implemented and established AIM protocol might be a compelling reason for them not to sink resources into it.
        • Except the advantage of being interoperable with every other IM service out there that decides to use it.

          Is there actually a compelling technical reason to use their AIM protocol instead of Jabber? Because I can think of a couple of compelling reasons to use Jabber instead of AIM.
          • by Lehk228 (705449)
            It's about control. If they enable a fully open jabber server as the backend for AIM someone will register a name like AOLCustomerService@techsupportteam.net and scam the AOLamers out of their passwords, then use the passwords to send spam to people on that buddy list.
            • So I can't currently register AOLCustumerService?

              Get it? Look at that nick closely...

              I imagine "AOLamers", who can't even spell "you" properly, wouldn't notice that, either. And besides, what's stopping people from doing that already with email?

              You are right about one thing, though: It's about control. If it was a fully open Jabber server, people might actually start switching off of AOL's servers, even if the majority of their buddy list is still on AOL -- which means eventually, fewer people that AOL can
              • by Lehk228 (705449)
                Last I knew, you can't have AOL in your screen name
                • You definitely can't have AOL in your name, I'm not sure you can even have Service in your name. (I know things like Support and Billing are out as well)
                  • Which is only a band-aid, really. Misspell support, you don't even need AOL.

                    The way to deal with people who fall for phishing schemes is not to coddle them, but to let them get stung and hope that teaches them their lesson. Or we could simply start taking the warning labels off of things, and let natural selection take its course -- "Do not stop blade with hands or genitals."
  • Uh oh (Score:5, Funny)

    by Conspiracy_Of_Doves (236787) on Sunday February 18, 2007 @08:37PM (#18063162)
    The next big challenge for OpenID proponents is teaching AOL's userbase how to make use of this new technology.

    I think I see the flaw in your plan.
  • by hey (83763)
    Most talk about OpenID is on the big Internet but I think it could be used within a big company's Intranet quite nicely. There are always diverse systems that require logins. LDAP is the current "solution" but it's quite a pain.
  • Everybody else does and it is managed by the friendly revenue service for the benefit of all Americans. There is no need to invent a new set of numbers... ;)
  • This all seems well and good, but wouldn't it be trivial for someone to pull a DNS cache poisoning stunt and redirect openid.mydomain.com to their servers instead? From what I recall of SSL/TLS the thing that prevents this from happening is if one has a certificate and the client implementation actually bothers to check it ... but nobody has a certificate, they're expensive and a pain in the arse.

    So, seriously, what stops this from being the most exploitable authentication system ever?

    Dave
    • If you are vulnerable to DNS poisoning then OpenID is the least of your worries. Just unplug your computer.

      BTW, I think prominent OpenID providers like VeriSign, AOL, and SixApart can afford SSL certificates. Heck, VeriSign can give themselves a cert for free. :-)
  • Here are several reasons that I wouldn't implement OpenID

    1. I'm relying on a third party to authorize a person. A potentially untrusted third party. Some sites have credibility already (livejournal.com, aol.com even if AOL does suck), but as I understand it, ANYONE can create an OpenID server.

    So, what's to stop someone from creating one that authorizes any username/password given to it?

    2. It really messes up my database normalization. Handling local users and remote users would take more database tables,
    • by 3247 (161794)

      1. I'm relying on a third party to authorize a person. A potentially untrusted third party. Some sites have credibility already (livejournal.com, aol.com even if AOL does suck), but as I understand it, ANYONE can create an OpenID server.
      You're not supposed to authorise people with OpenID. OpenID only authenticates.
      • You're not supposed to authorise people with OpenID. OpenID only authenticates.

        Authentication infers authorization. You authenticate to gain authorization to do something.
    • 1) Nothing. What's to stop someone from creating a new username and password each time they visit your site?

      2) Don't work in terms of "local" users in your database. Work in terms of OpenID identities—or "remote" users as you put it. Require your local users to enter their full identity URI of http://username.VGPowerlord.rofliron/[1]—or, as a shortcut, if only a username is entered, add the implicit domain name and hand the full, canonical identity URI to your login/logging/user-management

  • I'm certain OpenID would be more widely adopted, if actually setting it up weren't such a PITA. I've tried it twice, and at least for the PHP libraries, there are numerous inconsistencies, lack of documentation and version conflicts, that unless you're devoted to the idea, the approach of "heck, why not, it's nice to have" doesn't give you enough incentive to get it done. I've tried a third time just today, using the Wikimedia OpenID extension, and no luck. Segmentation fault, no docs explaining more than t
    • I'm certain OpenID would be more widely adopted, if actually setting it up weren't such a PITA. I've tried it twice, and at least for the PHP libraries, there are numerous inconsistencies, lack of documentation and version conflicts, that unless you're devoted to the idea, the approach of "heck, why not, it's nice to have" doesn't give you enough incentive to get it done.

      I think I see your problem. PHP libraries have numerous inconsistencies, lack documentation, and have version conflicts.

      • by Tom (822)
        The OpenID PHP libraries, yes. The fact that other PHP extensions are just as bad doesn't make it any better, does it?
