OpenID Foundation Embraced by Big Players

Posted by Zonk on Thu Feb 07, 2008 12:23 PM
from the friends-in-high-places dept.
An anonymous reader writes "The OpenID Foundation has announced that Google, IBM, Microsoft, VeriSign and Yahoo! have all joined its board. It's exciting to see OpenID being embraced by such large players, but it's also a concern that such big corporates are now directly influencing the fledgeling foundation. 'Today there are over a quarter of a billion OpenIDs and well over 10,000 websites to accept them. OpenID has grown to be implemented by major open source projects such as Drupal, cornerstone Web 2.0 services such as those by 37signals and Six Apart, as well as a mix of large companies including Apple, Google, and Yahoo!. Today is about truly recognizing the accomplishments of the entire OpenID community which has certainly grown beyond the small grassroots community where it started in late 2005.'"

Related Stories

[+] Hardware: Hardware Based OpenID Service Available 119 comments
An anonymous reader writes "TrustBearer Labs has announced a new service that lets you use various hardware based security tokens like smartcards and biometric devices with OpenID. A hardware based connection to OpenID allows higher levels of security and makes it easier for the end-user to control their credentials. OpenID is a decentralized cross-site authentication system that has been gaining momentum for quite a while now with major supporters like AOL, Google and Microsoft already announced."
  • A quarter _BILLION_? (Score:3, Interesting)

    by Brian Gordon (987471) on Thursday February 07 2008, @12:29PM (#22334894) Homepage
    Not only do I not have an OpenID, I've never even seen an OpenId login! Until it really starts getting around, I seriously doubt the quarter billion number.
    • Yeah, this is the first I've heard of it too. I just don't understand how one ID everywhere is a good thing on the internet.
        • by smitty_one_each (243267) * on Thursday February 07 2008, @12:57PM (#22335412) Homepage Journal
          <sarcasm> Oh, well, if it's designed to solve a specific problem with well-thought out requirements, then it must be totally limited, b0rken, teh sux0rz, and it will never work.
          It has to have universal acceptance, be all things to all people, completely simple and yet so secure that Schneier worships it, or it will get no traction in the market. </sarcasm>
          • by severoon (536737) on Thursday February 07 2008, @05:16PM (#22340254) Journal

            I have to say I'm shocked there are so many people piling on this anti-identity bandwagon. Don't you people understand that the purpose of OpenID is to allow you, the user, to control your own identity and the information companies are allowed to collect about you? (As opposed to right now, where sites ask you to sign up and provide X info to create an account and you either provide it or don't get on?)

            Identity management allows you to control your Internet presence in one single place, and acts as a single gateway for you to allow or disallow sites to know about you and collect information about you. This is a good thing people. It's secure. It promotes security...real security. It also promotes anonymity when you want it. Unlike Facebook where you add 50 apps and leave all the boxes checked and then have to page through one app by one once you understand the impact of those boxes...

            Don't knock something till you understand it. Someday the intarwebz will be open id powered.

    • by Bogtha (906264) on Thursday February 07 2008, @12:42PM (#22335148)

      Are you sure you don't have an OpenID? If you have a LiveJournal, you have an OpenID [livejournal.com]. If you have a Yahoo! account, you have an OpenID [yahoo.net]. If you have an AOL account, you have an OpenID [aol.com].

      • Re: (Score:3, Informative)

        It is. Every account on Livejournal is also an OpenID account. It makes sense since the founder of LJ is also the founder of OpenID.
        • Re: (Score:3, Informative)

          No, you are mixing up OpenID providers with OpenID relying parties. Yahoo and AOL are both OpenID providers, which means that if you have an account with them, then you have an OpenID. The sites you log into are OpenID relying parties, which means that if you have an OpenID you can log into them.

          Yahoo and AOL don't have any services that are OpenID relying parties as far as I know (AOL say they are "actively working on it"). But you can use Yahoo and AOL OpenIDs to log into an OpenID relying party, f

                • Re:Well... (Score:5, Informative)

                  by Jobe_br (27348) <bdruth@[ ]il.com ['gma' in gap]> on Thursday February 07 2008, @03:23PM (#22338056)
                  No, listen. You're wrong. This has nothing to do with sharing users, it has everything to do with YOU not having to create YET ANOTHER LOGIN. OpenID is about YOU not about the companies implementing it sharing users.

                  This isn't a trivial thing to understand and I encourage you to read up on OpenID.

                  Here's, in a nutshell, what it means. You have a Yahoo! or AOL account (so, you have a login & password, that you can remember). When you want to start using a product at 37signals, like basecamp or highrise, or whatever - you can CHOOSE to use your OpenID. You still have to sign up with 37signals, you still have to PAY 37signals, but you don't get another login & password.

                  When you provide your OpenID to 37signals, the APIs they use will ask your OpenID provider (e.g. Yahoo! or AOL) if you're authorized, your OpenID provider will ask YOU if you want to authorize 37signals, and you'll say YES.

                  That's it. Trust is set up, you've been in control the whole time, and now you can access your 37signals account without ever having created a new username & password.

                  It really, really is powerful. And it really, really is not trivial or necessarily easy to understand. But it works, and folks are getting on board with it.

                  Cheers,
                  [/rant]
                  • Re: (Score:3, Insightful)

                    keep their own journal

                    I don't think that's too much of a problem - if you're using a site enough to be doing something like keeping your own journal, it's not too much hassle to get an account. It is hassle to get an account just to make a single comment, which is the major hurdle OpenID overcomes.

                    join a community

                    I agree, this limitation seems a bit strange, especially as they allow OpenID users to keep friends lists.

                    comment on posts that have restricted comments to LiveJournal users

                    Although that's a choice that's up to the journal owner. They had to have that really, as originally there was the option to disallow anonymous comments, but for backwards compatibility, I think OpenID would have to fall into the same category. But it would be nice to have an option that says "Allow LiveJournal or OpenID comments, but not anonymous".

                    But setting up an OpenID server that automatically authenticates anybody who types in that url (does not attempt to verify identity) is trivial. Any such URL is then an anonymous OpenID. That more or less would defeat the point, would it not?

  • Is it really all that secure to have one username and password for every website you go to? I would imagine there'd be privacy concerns as well.
    • Re:Secure? (Score:4, Insightful)

      by Brian Gordon (987471) on Thursday February 07 2008, @12:31PM (#22334942) Homepage
      Very secure. Think about it- that means that every scummy admin on the internet doesn't have access to your password. You don't need a "junk websites that probably sell my username/password" tier, since authentication is handled by openid and not the scummy web server itself.
        • Re:Secure? (Score:5, Informative)

          by Chyeld (713439) <`chyeld' `at' `newsguy.com'> on Thursday February 07 2008, @12:56PM (#22335390)
          The way OpenID works (the "for dummies" version) is you go to a service which supports it and tell them "I'm Joe Joe from joejoe.com". The service then goes to joejoe.com and checks for the information there that would tell the service who to contact to verify you. It could be at joejoe.com itself, it could be openid.randomguy.com. It doesn't matter.

          After the service knows who is allowed to verify that you are Joe Joe from joejoe.com, it asks them to do it. How they do it is entirely up to them. They could use a password/username. They could use a 32 point authentication scheme that at some point requires your mom to log in and ask you questions. It doesn't matter.

          Once they've verified you are Joe Joe, from joejoe.com, they tell the service that. Now, if the service considers itself 'high security' they can always do some extra checking before it logs you in fully (and some do). But if it's 'just Slashdot' then that's all that needs to happen.

          So, someone hacks your account with the group verifying you? Change authentication methods.

          If you are implementing your side of OpenID correctly (and no it's not a given that you are) you have control over who verifies you as you and simply need to set up a different group to do the verification. YOU are in control of that. Unlike things like MS Passport, where you have to trust Microsoft not to foul up.

          Of the single login setups I've seen OpenID is the best implementation I've run into. Yes, single sign on is inherently less secure than multiple sign ons, ASSUMING the authentication layer is equivalent across the board.

          BUT, and this is the catch, YOU pick the level of authentication with OpenID. You get to decide how secure is secure, if you think it's ok to just go with a username/password. Then that's your choice and you can do that. But if you would prefer to go 'Fort Knox', it's entirely possible for you to do so, because you get to choose who does the authentication and therefore what authentication is being done.
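The discovery step described in the comment above, sketched as an added example (not code from the thread or from any OpenID library): a relying party reads the `<link>` tags that OpenID's HTML-based discovery defines from the page at the claimed URL. The sample page, the `discover` function and the HTTPS-only and allowlist policy are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed page served at the claimed identifier http://joejoe.com/ (markup made up).
SAMPLE_PAGE = """<html><head><title>Joe Joe</title>
<link rel="openid2.provider openid.server" href="https://openid.randomguy.com/auth">
<link rel="openid2.local_id openid.delegate" href="https://openid.randomguy.com/joejoe">
</head><body><p>hello</p></body></html>"""

class HeadLinks(HTMLParser):
    """Collect rel -> href for <link> tags, but only while inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False  # a page that never closes <head> still ends it here
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                self.rels.setdefault(rel, a.get("href"))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(html, trusted_hosts=None):
    """Return (provider_endpoint, local_id); raise ValueError if policy rejects it."""
    parser = HeadLinks()
    parser.feed(html)
    rels = parser.rels
    endpoint = rels.get("openid2.provider") or rels.get("openid.server")
    local_id = rels.get("openid2.local_id") or rels.get("openid.delegate")
    if not endpoint:
        raise ValueError("no OpenID provider advertised in <head>")
    parts = urlsplit(endpoint)
    # Relying-party policy (an assumption of this example, not a protocol rule):
    # HTTPS endpoints only, and optionally an allowlist of provider hosts.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("provider endpoint must be an https URL")
    if trusted_hosts is not None and parts.hostname not in trusted_hosts:
        raise ValueError("provider host is not on this site's allowlist")
    return endpoint, local_id
```

Switching the group that verifies you means editing those two `href` values on your own page; links that appear only in the page body are ignored, so markup posted into the body cannot redirect authentication.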
          • Re: (Score:3, Insightful)

            You can create an OpenID and password for each site you visit.
            Sure. Of course. Um... remind me why I need an OpenID again?
        • Re:Secure? (Score:4, Insightful)

          by Bogtha (906264) on Thursday February 07 2008, @12:57PM (#22335414)

          Fine, but what happens once somebody does get your username and password, let's say a keylogger, or one of these fake banking sites designed to steal your password. Now they can get into everything.

          For practically everybody, this is already the case. At present, the username and password they need to crack are for your email account. Then they can access all your other accounts by extension via their forgotten password features.

          So the downside of OpenID is a downside that is already present. Something to think about, for sure, but hardly a deal-breaker that should prevent adoption.

    • Re:Secure? (Score:4, Interesting)

      by Bogtha (906264) on Thursday February 07 2008, @12:53PM (#22335338)

      Is it really all that secure to have one username and password for every website you go to?

      This isn't about having one password. This is about having one account. There's ample opportunity for improved security without the need for passwords. Have your OpenID provider authenticate you via an SSL cert on your USB flash drive if you want, or even via fingerprint recognition, you or your provider can implement whatever level of security you need and there's no need for the relying parties to mess about with their authentication system to accommodate you, it all just works automatically with any OpenID-capable website or web application because it's the OpenID provider doing the authentication, not the websites or web applications themselves.

      Websites and web applications are relatively limited in what they can offer in terms of authentication options. OpenID allows people to experiment with alternative authentication schemes without having to drag websites and web applications along with them.

      • https://certifi.ca/ [certifi.ca] actually offers a free provider that works with any SSL certificate. As you point out, this makes phishing almost impossible. You need a certificate from somewhere else, but there is a list of certificate providers on that site, some of which are free. There is one other provider I know of that offers this, but I couldn't get their service to work.
  • But the big questions on everyone's lips are: "Will Slashdot support OpenID?", and "Is Anonymous Coward already taken?".
      • by Bogtha (906264) on Thursday February 07 2008, @01:58PM (#22336498)

        I'm kinda worried that yahoo have - without my permission - put my username and password for them in the openid database.

        There's no "OpenID database", it's decentralised. If you use your Yahoo OpenID on a website, that website sends you to Yahoo, where you are authenticated against the same Yahoo database that you've always had your account details in. When Yahoo decides you are who you say you are, they send you back to the original website. Your username and password haven't gone anywhere.
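The return leg described in the comment above, as an added example (not code from the thread): what the original website checks when the provider sends the browser back, following the signed-response rules of OpenID Authentication 2.0. It assumes an HMAC-SHA256 association whose MAC key the site already shares with the provider; the hostnames, the key and the exact-match `return_to` comparison are constructed for the example.

```python
import base64
import hashlib
import hmac

# Fields OpenID Authentication 2.0 requires the provider's signature to cover.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}

def kv_signature(fields, signed, mac_key):
    # Key-Value Form: one "key:value\n" line per signed field, keys without "openid."
    text = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)
    mac = hmac.new(mac_key, text.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def verify_assertion(fields, mac_key, expected_return_to, seen_nonces):
    """Return the claimed identifier if the response checks out, else raise ValueError."""
    if fields.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    signed = fields.get("openid.signed", "").split(",")
    needed = REQUIRED_SIGNED | {k for k in ("claimed_id", "identity")
                                if "openid." + k in fields}
    if not needed <= set(signed):
        raise ValueError("a required field is not covered by the signature")
    if any("openid." + k not in fields for k in signed):
        raise ValueError("a signed field is missing from the response")
    expected = kv_signature(fields, signed, mac_key)
    if not hmac.compare_digest(expected.encode(), fields.get("openid.sig", "").encode()):
        raise ValueError("signature does not match")
    if fields["openid.return_to"] != expected_return_to:
        raise ValueError("assertion was issued for a different return_to")
    nonce = fields["openid.response_nonce"]
    if nonce in seen_nonces:
        raise ValueError("replayed assertion")
    seen_nonces.add(nonce)
    return fields.get("openid.claimed_id")

def make_sample(mac_key):
    """Constructed provider response; every value here is made up for the example."""
    f = {
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/auth",
        "openid.claimed_id": "https://op.example/user/alice",
        "openid.identity": "https://op.example/user/alice",
        "openid.return_to": "https://rp.example/openid/return",
        "openid.response_nonce": "2008-02-07T18:58:00Zabc123",
        "openid.assoc_handle": "handle-1",
    }
    f["openid.signed"] = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
    f["openid.sig"] = kv_signature(f, f["openid.signed"].split(","), mac_key)
    return f
```

The password never appears in this exchange: the website only sees a signed statement about the identifier, and it rejects one that was altered, replayed, or issued for another site.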

  • Licensing (Score:4, Interesting)

    by parcel (145162) on Thursday February 07 2008, @12:34PM (#22334992)

    As Brad Fitzpatrick (the father of OpenID) said, "Nobody should own this. Nobody's planning on making any money from this. The goal is to release every part of this under the most liberal licenses possible, so there's no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we're all a part of the community."
    (from http://openid.net/what [openid.net] , emphasis mine)

    I'm no expert on such things, but wouldn't you want an extremely restrictive license, to prevent providers from "improving" the concept and breaking interoperability? Or having the more "trusted" providers begin charging for the service? Although I suppose this depends on Fitzpatrick's definition of liberal.
  • More Info Here (Score:4, Interesting)

    by mpapet (761907) on Thursday February 07 2008, @12:48PM (#22335238) Homepage
    http://www.plaxo.com/api/openid_recipe [plaxo.com]

    As someone that used to work for a company that developed strong authentication systems, I can tell you that big-business has been having some kind of orgasm about this for quite a while now.

    The typical big-dreamer sees "identity" as a problem of too many logins/passwords. Yahoo and IBM have different customers, but similar goals simplifying authentication/identity for their customers. As usual, Microsoft is conspicuously absent because they think they've got the proprietary solution already.
  • by harlows_monkeys (106428) on Thursday February 07 2008, @05:28PM (#22340476) Homepage
    I've got at least two or three OpenIDs now. One I paid for (actually an i-name, but those work as OpenIDs in OpenID 2), and one for free from AOL because I have an AIM account. Yahoo will give me one because I have a Yahoo account.

    OK, that's nice. But how do I get Yahoo to accept my i-name or my AIM OpenID? On Yahoo's OpenID setup page, I only see options for creating my Yahoo OpenID.

    I'm not going to count the big players as embracing OpenID until I can tie any one of my existing OpenIDs to my account.

      • Re: (Score:3, Insightful)

        Talking about FUD, it seems you are the guilty one here. Here are some facts for you: 1) Passport has nothing to do with CardSpace. 2) CardSpace does not rely on Active Directory. Totally false FUD. CardSpace (as implemented in IE) insists on using a separate "desktop" to avoid potential spoofing when you decide which card to "hand over". The "cards" are NOT kept in AD. Plugins exist for FF as well. 3) CardSpace is a totally open protocol which - unlike OpenID - ensures your anonymity across websites. 4) C
    • Re: (Score:3, Interesting)

      I thought that too at first, and then I "got" it: Right now, every website I go to, I create a new account. New account, new password, new entry in my passmanager. I usually use the same login name/user name, for simplicity's sake. You probably do this also.

      Now, I can use OpenID to stop dealing with my passmanager! I can get the same login name everywhere. If I want the simple route, I simply use diggity.myopenid.com. If I want the advanced "I control it all" route, then I can host it myself using