AOL Now Supports OpenID

Nurgled writes "On Sunday John Panzer announced that AOL now has experimental OpenID server support. This means that every AOL user now has an OpenID identifier. OpenID is a decentralized cross-site authentication system which has been growing in popularity over the last few months. AOL is the first large provider to offer OpenID services, and though they do not currently accept logins to their services with OpenID identifiers from elsewhere, they are apparently working on it. The next big challenge for OpenID proponents is teaching AOL's userbase how to make use of this new technology."

Re:Why would we want OpenID?

[Anonymous Coward]

Due to the way OpenID works, only your OpenID provider may track where you sign on. And also due to the way OpenID works, you can also be your very own OpenID provider! (if you can register a dns domain, of course).

This means in fact only your computer will know where do you login on to, which is as secure as you want it to be.

Re:Why would we want OpenID?

[Wesley Felter]

If you sign on to multiple sites with OpenID, they can compare their databases to correlate logins. For example, if you tell one site that your girlfriend's name is Marla and you tell another site that your hobby is making soap, then the sites can combine this information.

Re:Or: how is this different from Passport

[jZnat]

Well, anyone can run their own OpenID server to authenticate against, but to use Passport, you rely upon Microsoft's passport.net servers no matter which email address you associate with it.

Re:Or: how is this different from Passport

[complete loony]

But it doesn't have to run on some big evil corps servers. It's open in the sense that you can run your own server and track all of your own web surfing habits.

Re:Why would we want OpenID?

[EchoD]

From what little research I have done, it's possible to host your own OpenID server.

[...] your username is your URI, and your password (or other credentials) stays safely stored on your OpenID Provider (which you can run yourself, or use a third-party identity provider). [...] From http://openid.net/ [openid.net]

Which means the centralized database of your browsing habits would be on your own server. With browser history, this already exists. Sure, OpenID may not be suitable for online banking, but it would sure make things easier when it comes to making one or two posts on a forum you're rarely going to visit.

Re:Christ. We're all doomed

[pelrun]

AOL's openID's are all in AOL's namespace; DirtyTurtle278346812376.aol.com isn't going to prevent you having DirtyTurtle278346812376.myopenidserver.org.

RAS syndrome and U.S. trademark law

[tepples]

The joke is often repeated. But U.S. trademark law may help explain RAS syndrome. Trademarks are adjectives and should be used with a generic term, even if they contain an abbreviation of the generic term. Hence "TCBY yogurt" even though "TCBY" is "the country's best yogurt", "DC comics" even though "DC" was "detective comics", "SAT reasoning test" even though "SAT" was "scholastic aptitude test", and "SPAM luncheon meat" even though "SPAM" stood for "specially processed assorted meat" at one time. Writers pressured by trademark owners to include the generic terms in their copy tend to overextend the habit of abbreviation + generic even to cases where the abbreviation is not a trademark.

Another cause is to disambiguate homophonic or homographic acronyms. "Put your PIN in the computer" could be misheard as "put your pin (or pen) in the computer", which could damage the machine. "Put your PIN number in the computer" has one interpretation.

Re:redundant acronym syndrome RAS

[Vexo]

Open Identification Identifier, the OpenID ID. It doesn't quite repeat itself.

Re:RAS syndrome and U.S. trademark law

[molotov303]

I'm pretty sure SPAM is SPiced hAM, not specially processed assorted meat.

http://en.wikipedia.org/wiki/Spam_(food) [wikipedia.org]

Re:It's phishing time!

[Broadcatch]

multiple answers, but here are two:

1. use OpenID to verify those you know (or their membership in a community you trust) - don't use it for "verification" of a service you know nothing about
2. Microsoft's CardSpace (InfoCard) protocol can provide a simple mechanism to support this verification

Once the trust is created, then you can use the XRI capabilities of OpenID 2.0 to provide sophisticated profile data sharing and/or service access authorization. But you are correct: if you're the kind of person who sends money to spammers, OpenID alone will not help you.

Re:Or: how is this different from Passport

[maxume]

No one is pushing it as a trust mechanism. It is being pushed as a unique identifier. The idea is that if you start up a zippy website where there are some additional features if I create an account, you can let me use an OpenID to identify myself, rather than having me create a user/pass just for your site. I provide a url, and your server does some stuff to find out if I own that url, and if I do, it can use that to identify me.

You don't end up with any more reason to trust me than if I had used a random hotmail email address, but I avoid creating another damn sign in just to get 'account' features on your service.

This is the whole point

[mrcaseyj]

So? If someone tells you their openid (or you setup a spoof website to get it) then you have access to their entire life too, if this becomes popular.

It seems OpenID prevents this problem. With OpenID the only thing you give to the websites you login to is your URL (such as https://aol.com/cooldude [aol.com] ). You can even give your URL to your enemies. You never give your OpenID password to any site except AOL, or if you run your own OpenID server, you never give your password to anyone at all. If I understand it right the whole encrypted procedure goes something like this:

You're trying to login to example.com

Example.com says: Who are you?
You say: I'm "https://aol.com/cooldude"
Example.com asks AOL: Is this guy really cooldude?
AOL sends a message to you asking: Example.com says you're trying to log on, is it really you?
You say to AOL: Yea it's me, here's my password to prove it.(AOL doesn't tell example.com your password. Also you save the hassle of entering your password for any site if you already logged in to AOL, like at the beginning of each day.)
AOL says to Example.com: Yes we verified it's cooldude.
Example.com says to you: Hi cooldude from aol.com, we've verified it's you again. Welcome.

Note that if you log into AOL at the beginning of the day, then for you this whole procedure boils down to you just entering your URL to login and then pressing a button from AOL to authorize the login.

Some advantages and disadvantages are:

You can use one username and password for every site and you only have to enter your password once a day.

If you used the same username and password at a lot of sites before, then with OpenID you don't have to worry about your password being compromised on one site by lax security or a crooked site owner(like a phisher) and then having your accounts compromised at all the other sites.

I'm not sure about the privacy issues. If your OpenID provider allows it(or if you set up your own server) you could set up an unlimited number of ID's (eg cooldude2, cooldude3, etc.) I don't see how you would be giving up any more privacy than any other system. And if your provider allows it you could save a lot of trouble and use the same password for all your IDs. Your OpenID provider could track which sites you log into, but you could just be your own provider or choose one you trust not to track you. Of course the sites you log into could require only certain OpenID providers like AOL, Microsoft, Verisign, etc. You might not be able to use your own server. Sites might only accept OpenIDs from providers that use strong identification, like Paypal's requirement that you control a checking account to be confirmed, because banks in the US are required by law to get ID before opening a checking account(says Paypal).

If sites only recognize OpenIDs from certain providers, at least the list of providers would likely be more inclusive than something like Microsoft Passport which has only one provider.

OpenID providers might differentiate themselves on their security. Verisign for example may try to claim that their OpenID service (if they had it) is secure enough to use for bank logins.

Re:Why would we want OpenID?

[Solra Bizna]

Because two different people couldn't possibly use the same username at different locations, of course.

-:sigma.SB