LWN.net Logo

Advertisement

ThinLinc Terminal Server

Advanced thin client solution for Linux, based on Open Source. Mix Windows and Linux, with hardware accelerated OpenGL!

Advertise here

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for July 2, 2009

RealtimeKit and the audio problem

VFAT patent avoidance and patent workarounds

LWN.net Weekly Edition for June 25, 2009

Apache attacked by a "slow loris"

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

OpenID 2.0 closing in on acceptance

OpenID 2.0 closing in on acceptance

Posted Nov 1, 2007 11:17 UTC (Thu) by jmtapio (guest, #23124)
Parent article: OpenID 2.0 closing in on acceptance

I am a bit disappointed in OpenID. So far it has not matched the expectations that I have for an identity system. It does not have pretty much any trust built in by default because of the loosely coupled model. Anyone can set up an identity provider or a service provider and they have no one to answer to (so there is no built in way to handle hostile services, sounds like smtp in it's day). And one of the potentially nasty things is that OpenID gives the web sites an easy primary key that they can use to cooperate with other sites and pull a lot of combined knowledge about the user. I personally am not keen of the idea.

But I must admit that I am biased from having worked for quite some time implementing Liberty Alliance protocols on various applications. And since Liberty does provide a lot of these qualities that OpenID is missing, I am having a hard time accepting that OpenID's loosely coupled model is really worth it in the long term.

(Log in to post comments)

OpenID 2.0 closing in on acceptance

Posted Nov 1, 2007 23:16 UTC (Thu) by jamesh (subscriber, #1159) [Link]

Your disappointment seems to stem from a misunderstanding of OpenID's purpose.

OpenID fills a similar role to the email-based authentication found on many sites (such as LWN):

  1. Users give an email address when signing up, and have to prove that they own the email address by e.g. clicking a link in an email sent by the site.
  2. Certain operations such as resetting a forgotten password require the user to again prove that they own the email address.

None of this tells the site that they should trust the user -- just that they control the email address. Any further trust will have to come from some other source.

OpenID fills a similar role, except that the user is proving that they own a URL rather than an email address. Given the potential downsides of providing your email address to a 3rd party (spam), users might be more willing to sign up with an OpenID.

As for the issue of sites correlating user information using their OpenID as a primary key, this is no different to sites correlating user information by email address.

It is true that a privacy concious user could provide different email addresses to each sites as a countermeasure, but then they could also use a different OpenID for each site too. And with the directed identity feature of OpenID 2.0, it'd even be possible to automate this.

OpenID 2.0 closing in on acceptance

Posted Nov 2, 2007 10:18 UTC (Fri) by jmtapio (guest, #23124) [Link]

OpenID fills a similar role to the email-based authentication found on many sites (such as LWN)

I am aware of the niche that OpenID is trying to fill, and it is certainly not a terribly bad solution for that specific problem, certainly it is a better solution than using just email. Though it remains to be seen if some infocard-derivate could become a reasonable competitor for that specific problem.

I was not clear on this but I think the main reason why I am disappointed in OpenID is that I find that it is aiming too low. There are a lot of interesting problems that can be handled with SAML 2.0 and similar stuff, but for which OpenID is inadequate.

So I do prefer OpenID rather than the current situation where every site has completely independent accounts and email verification and captcha's and all. But I would much rather see more widespread use of Liberty and SAML 2.0 protocols and I have a slight fear that people will just settle for just plain OpenID instead because it solves a small part of the bigger problem.

On the other hand it should be noted that OpenID and those other protocols are not exclusive and propably it is not very difficult to add support for one of them to a site once the other has been implemented.

OpenID 2.0 closing in on acceptance

Posted Nov 3, 2007 14:39 UTC (Sat) by TRS-80 (subscriber, #1804) [Link]

Liberty Alliance still suffers from the fact that the RP and IdP can collude. A truly private identity system requires the use of blind signatures or zero-knowledge proofs to prevent collusion, but I don't forsee such techniques getting into this round of identiry systems.

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds