<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.0.5" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: OpenID</title>
	<link>http://yamahito.net/blog/2007/06/01/openid/</link>
	<description>Tomos Hillman's mind-dump.</description>
	<pubDate>Fri, 10 Sep 2010 09:29:42 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.0.5</generator>

	<item>
		<title>by: SilentBob</title>
		<link>http://yamahito.net/blog/2007/06/01/openid/#comment-427</link>
		<pubDate>Fri, 01 Jun 2007 13:37:54 +0000</pubDate>
		<guid>http://yamahito.net/blog/2007/06/01/openid/#comment-427</guid>
					<description>Microsoft kind of tried it with Passport, and encouraged large sites to partner with them, and that turned out to be a fairly big failure (and is now pretty much solely used by Microsoft), so an open alternative is probably even less likely to succeed (unless people like Google spend loads of money to convince people to sign up, but Google seem quite happy to convince everyone to create a Google account and use all of their free services in return for a slight invasion of privacy). People might be more likely to adopt it if people can run their own servers, but I am curious as to what information is shared between servers to make OpenID work. And what happens if there's a rogue server? What if an OpenID sign on is really a phishing site? Once they have your one and only password, they can go anywhere they like and log in as you.

Most people involved in IT security will tell you that password reuse is a bad thing, but a lot of people like the idea of single sign-on, and the two are somewhat mutually exclusive. Remembering and typing passwords is a bit of a pain, but alternatives (certificates, tokens) aren't convenient, and half of the web still seems happy to communicate over HTTP (take this comment, for instance).

Minotaur says there shouldn't need to be any connection between most sites, and I agree. But with the increase in Web 2.0 there seems to be a push for interaction between sites, and convenience is often being picked over security.

As for IT people revealing their password for chocolate, I'd like to think that they revealed &lt;i&gt;a&lt;/i&gt; password and not &lt;i&gt;their&lt;/i&gt; password. The others probably did reveal their actual password, and it's probably the same password they use for MSN. Fools.</description>
		<content:encoded><![CDATA[<p>Microsoft kind of tried it with Passport, and encouraged large sites to partner with them, and that turned out to be a fairly big failure (and is now pretty much solely used by Microsoft), so an open alternative is probably even less likely to succeed (unless people like Google spend loads of money to convince people to sign up, but Google seem quite happy to convince everyone to create a Google account and use all of their free services in return for a slight invasion of privacy). People might be more likely to adopt it if people can run their own servers, but I am curious as to what information is shared between servers to make OpenID work. And what happens if there&#8217;s a rogue server? What if an OpenID sign on is really a phishing site? Once they have your one and only password, they can go anywhere they like and log in as you.</p>
<p>Most people involved in IT security will tell you that password reuse is a bad thing, but a lot of people like the idea of single sign-on, and the two are somewhat mutually exclusive. Remembering and typing passwords is a bit of a pain, but alternatives (certificates, tokens) aren&#8217;t convenient, and half of the web still seems happy to communicate over HTTP (take this comment, for instance).</p>
<p>Minotaur says there shouldn&#8217;t need to be any connection between most sites, and I agree. But with the increase in Web 2.0 there seems to be a push for interaction between sites, and convenience is often being picked over security.</p>
<p>As for IT people revealing their password for chocolate, I&#8217;d like to think that they revealed <i>a</i> password and not <i>their</i> password. The others probably did reveal their actual password, and it&#8217;s probably the same password they use for MSN. Fools.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: yamahito</title>
		<link>http://yamahito.net/blog/2007/06/01/openid/#comment-426</link>
		<pubDate>Fri, 01 Jun 2007 13:23:06 +0000</pubDate>
		<guid>http://yamahito.net/blog/2007/06/01/openid/#comment-426</guid>
					<description>One advantage is that you don't have to worry about people not knowing whether yamahito from yamahito.net is the same yamahito as yamahito.com - or worry about people registering your identity on another website before you have the chance to.</description>
		<content:encoded><![CDATA[<p>One advantage is that you don&#8217;t have to worry about people not knowing whether yamahito from yamahito.net is the same yamahito as yamahito.com - or worry about people registering your identity on another website before you have the chance to.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Minotaur</title>
		<link>http://yamahito.net/blog/2007/06/01/openid/#comment-425</link>
		<pubDate>Fri, 01 Jun 2007 13:20:50 +0000</pubDate>
		<guid>http://yamahito.net/blog/2007/06/01/openid/#comment-425</guid>
					<description>Security is definitely the big one. OpenID differs from other attempts to provide single sign-on infrastructure in that you can run your own OpenID authentication system on your own servers, unlike Passport and other similar schemes that required you to hand your life to Microsoft on a plate.

However, I have yet to be convinced about the value of single sign-on for the net at large. Sure, it's great to have SSO in a corporate environment where my login applies to the computer, the phone, my email, an online CRM package, etc. etc., but in most net usage there really shouldn't need to *be* any connection between my activities on one site and my activities on another.

I mean, would I want the readership of the Asterisk mailing list being able to link me to my hentai reviews? ;-)</description>
		<content:encoded><![CDATA[<p>Security is definitely the big one. OpenID differs from other attempts to provide single sign-on infrastructure in that you can run your own OpenID authentication system on your own servers, unlike Passport and other similar schemes that required you to hand your life to Microsoft on a plate.</p>
<p>However, I have yet to be convinced about the value of single sign-on for the net at large. Sure, it&#8217;s great to have SSO in a corporate environment where my login applies to the computer, the phone, my email, an online CRM package, etc. etc., but in most net usage there really shouldn&#8217;t need to *be* any connection between my activities on one site and my activities on another.</p>
<p>I mean, would I want the readership of the Asterisk mailing list being able to link me to my hentai reviews? <img src='http://yamahito.net/blog/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' />
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Fab</title>
		<link>http://yamahito.net/blog/2007/06/01/openid/#comment-424</link>
		<pubDate>Fri, 01 Jun 2007 13:18:59 +0000</pubDate>
		<guid>http://yamahito.net/blog/2007/06/01/openid/#comment-424</guid>
					<description>"I can’t help it, I’m a romantic fool cursed with cynicism"

LOL I like that. Although it would appear to be a very Irish/Welsh sort of thing.

The other flaw that comes to mind is the general issue of identity theft. Never mind giving someone your password; if they have the details of your one profile, you might as well give them your passport too! Wouldn't this system be a similar victim to Microsoft, in that if you are too successful all the hackers will go after it? Being anonymous is sometimes better security than actually being secure.</description>
		<content:encoded><![CDATA[<p>&#8220;I can’t help it, I’m a romantic fool cursed with cynicism&#8221;</p>
<p>LOL I like that. Although it would appear to be a very Irish/Welsh sort of thing.</p>
<p>The other flaw that comes to mind is the general issue of identity theft. Never mind giving someone your password; if they have the details of your one profile, you might as well give them your passport too! Wouldn&#8217;t this system be a similar victim to Microsoft, in that if you are too successful all the hackers will go after it? Being anonymous is sometimes better security than actually being secure.
</p>
]]></content:encoded>
				</item>
</channel>
</rss>
