AOL Now Supports OpenID 163
Nurgled writes "On Sunday John Panzer announced that AOL now has experimental OpenID server support. This means that every AOL user now has an OpenID identifier. OpenID is a decentralized cross-site authentication system which has been growing in popularity over the last few months. AOL is the first large provider to offer OpenID services, and though they do not currently accept logins to their services with OpenID identifiers from elsewhere, they are apparently working on it. The next big challenge for OpenID proponents is teaching AOL's userbase how to make use of this new technology."
Re:So?? (Score:3, Insightful)
Why would we want OpenID? (Score:5, Insightful)
Re:So?? (Score:3, Insightful)
The problem with single sign-on... (Score:5, Insightful)
One major problem I see with this sort of initiative is spoofing of your provider's sign-in page. Unlike spoofing in its current form, if someone was able to get the password for your OpenID provider, he'll have access to every single one of the accounts you've used that ID with. It's putting all your eggs in one basket -- with the way everything is currently handled, your sign-on information to an individual site may be compromised, but you won't lose everything else.
Is there a solution to this kind of problem, or is OpenID really only targeted to low-risk authentication; i.e., for forums and social networking sites?
It's phishing time! (Score:5, Insightful)
Re:The problem with single sign-on... (Score:2, Insightful)
Re:Why would we want OpenID? (Score:2, Insightful)
To continue your analogy, I wouldn't necessarily want to publish my girlfriend's name on the soap-making forums I frequent, even if I considered it silly to avoid mentioning it on, say, a friend's personal blog. As the internet is organized today, this is less of a problem because identities are not interlinked by default: unless I sign up under my full name on the soap-making forum, no one will ever know that "SoapFan2143" is the same person as "Joe Random". If things like OpenID become standard, our hypothetical shy soap-maker would either have to be "that guy who probably has something to hide because he didn't want to sign up with a real identity", or go to ridiculous lengths like making up fake names and identities just to maintain some privacy on a hobby forum.
It's perfectly understandable that people don't want sites to automatically combine various pieces of information about them. Many people who e.g. post in newsgroups already find it highly creepy what random stalkers can find out about them from simple googlings, they don't need an automatic system to stalk them as well.
Re:Cool... (Score:3, Insightful)
Re:Why would we want OpenID? (Score:5, Insightful)
Re:This is a huge blow to privacy on the net... (Score:4, Insightful)
Re:OpenID vs OpenPrivacy? (Score:5, Insightful)
Basically, OpenID provides for distributed authentication.
IMO, what makes OpenID interesting is that in the 2.0 protocol, XRI (i-names) have been included, which opens the door to enabling selective, authenticated authorization of access to services, be it as simple as the ability to contact me (I would allow any parent of a child in my kid's pre-school class to phone me) or as complicated (eventually) as any contract you can imagine.
OpenPrivacy, on the other hand, assumes such services as a starting point, which is why I suspended development of OpenPrivacy in 2002 and began working on XRI/i-names. OpenPrivacy will use sophisticated techniques such as zero-knowledge proofs to enable distributed reputation providers and truly pseudonymous identities that cannot be traced to their owner (unless such verification is mutually requested), but it requires strong, secure identity as a starting point.
I look forward to creating grassroots i-names-enabled communities soon (starting in March, if all goes well) and eventually getting back to my OpenPrivacy roots - which is where (IMO) things start getting really interesting.
Re:Lovely knees you have ... if anything. (Score:2, Insightful)
If I go to a blog and enter a comment with the name Kelly Clowers and give my website as www.clowersnet.net/~krc/, how do you know that I am really the Kelly Clowers who owns that website? This example is one of the original use cases for OpenID.
Now anyone can google Kelly Clowers and if an OpenID post turns up in the results, you can be fairly sure it was really the owner of www.clowersnet.net/~krc/ (which is presumably me, since that website specifically mentions this account (which is a solution that can work for main accounts, but I don't really want to list every one-off comment I ever made on random blogs)). Of course, a page could be hijacked, but the point is that imitating someone is not as trivial as entering someone else's name and website.
Not being tracked when you don't want to be tracked could be an issue if websites started accepting *only* OpenID, but I haven't seen anyone do that yet, and I doubt many will ever do that. And I don't think OpenID is really intended for online banking and shopping and the like. Also, if you don't want to be tracked, you could set up a second OpenID account that does not link to your primary account or to your real name.
Re:RAS syndrome and U.S. trademark law (Score:3, Insightful)
Also, in the case of TCBY, "TCBY" is actually a company, not yogurt. For that matter, using the abbreviation as if it were the expansion would be very strange; you'd have to say "I bought some of TCBY", because "I bought some the country's best yogurt" is clearly ungrammatical. If you're ignoring the fact that it starts with "the", you have to ignore the fact that it ends with "yogurt", too, and treat the term as unanalyzable.
Re:RAS syndrome and U.S. trademark law (Score:2, Insightful)
Re:Why would we want OpenID? (Score:3, Insightful)
Nothing, that's why OpenID is really no better or worse than the status quo when it comes to privacy.
Re:This is the whole point (Score:3, Insightful)