| |||||||||||
|
| |||||||||||
The problem(s) with OpenID
Here's a
lengthy posting on The Identity Corner which collects a long series of
criticisms of OpenID. They include phishing, cross-site scripting,
privacy, and, naturally, patents. "Even if one were to take the
position that the abovementioned patents are pre-dated by tons of prior art
and/or are 'obvious to those of ordinary skill in the art,' that may hardly
be reassuring for sites that establish themselves as OpenID providers or
consumers - they risk being presented at any time in the future with
litigation threat for patent infringement." It's worth noting that
the author represents a company selling an identity management solution of
its own.
(Log in to post comments)
The problem(s) with OpenID Posted May 27, 2008 9:03 UTC (Tue) by rfunk (subscriber, #4054) [Link] I'm a little puzzled about why this biased article appears here without context (except that it's biased). It's not particularly on-topic.Anyway, I found that this video addresses most of criticisms of OpenID, with the possible exception of the patent issue.
The problem(s) with OpenID Posted May 27, 2008 9:24 UTC (Tue) by rfunk (subscriber, #4054) [Link] BTW, I'm particularly puzzled about this showing up here because the article is dated Aug 22, 2007. Not exactly news. Here's one response to it.For a bit more context, here's a recent Coding Horror post about OpenID.
The problem(s) with OpenID Posted May 27, 2008 10:19 UTC (Tue) by aigarius (subscriber, #7329) [Link] Software patents don't exist. (Except in US and Japan.)
The problem(s) with OpenID Posted May 27, 2008 14:24 UTC (Tue) by drag (subscriber, #31333) [Link] I wouldn't say that. U.S. does have patent treaties with other countries. And I expect a small number of other countries have the ability to patent aspects of software. To what extent these sort of things transfer, I don't know. But certainly most other countries are affected by it one way or another.
Software patents Posted May 28, 2008 2:33 UTC (Wed) by michaeljt (subscriber, #39183) [Link] Anyone know what happened with this? http://lwn.net/Articles/277161/ (An opportunity to End Software Patents: ESP briefs Court in Bilski case rehearing)
The problem(s) with OpenID Posted May 27, 2008 14:59 UTC (Tue) by tzafrir (subscriber, #11501) [Link] Practical test: where can you encode MP3s on Linux out of the box?
authenticating with XMPP ID (jabber address) Posted May 27, 2008 15:10 UTC (Tue) by tzafrir (subscriber, #11501) [Link] We always mention that OpenID is somewhat equivalent of email authentication. What if we replace email authentication with XMPP (Jabber) authentication? Server sends me a random cookie, and I need to reply with it. It simple enough to use, proibably not very difficult to implement. So I guess someone has already played with it.
authenticating with XMPP ID (jabber address) Posted May 27, 2008 17:35 UTC (Tue) by martinfick (subscriber, #4455) [Link] Actually, email authentication is usually only used as a "reset" feature when a password is forgotten. So if openid or your jabber solution were used as the "reset" feature, then fine. But openid is not meant for that, it is meant as an SSO solution, and it sounds like you are suggesting jabber as an SSO solution also. As an SSO solution, high availability (HA) becomes paramount since it now is a single point of failure to accessing many websites! Openid does nothing to help with HA, even simple email allows me to have backup MX records! And openid delegation is not an HA mechanism since it just moves the single point of failure to the delegating website. Would your jabber solution have any HA mechanisms? As is, openid is just a trap. I am shocked that HA is being ignored by the openid community. Building HA into the protocol seems essential for any SSO solution which anyone plans on using with a large number of sites. Their HA answer tends to be "get a provider with HA", that makes it hard to use as an independent individual. This problem space would certainly merit independence as the number one requirement. Who wants to delegate access to all their websites to someone else, allowing them easy access? I guess some people do, but I sure don't!
authenticating with XMPP ID (jabber address) Posted May 28, 2008 0:52 UTC (Wed) by ajf (subscriber, #10844) [Link] I am shocked that HA is being ignored by the openid community.They're not. With OpenID 2.0 you can specify your identity provider using XRDS, which uses a mechanism more or less exactly like MX records to specify multiple servers. (On the other hand, XRDS is also tangled up in that XRI and i-name nonsense.)
authenticating with XMPP ID (jabber address) Posted May 28, 2008 12:15 UTC (Wed) by martinfick (subscriber, #4455) [Link] They're not. Actually, they are, I brought HA up on the list last year, and few people thought that it was important. With OpenID 2.0 you can specify your identity provider using XRDS, which uses a mechanism more or less exactly like MX records to specify multiple servers. As mentioned in my previous post, this simply moves the single point of failure to a web server somewhere (if you think it doesn't please explain). This is hardly a reliable replacement for MX records which live in DNS servers which can easily be replicated many places.
authenticating with XMPP ID (jabber address) Posted May 28, 2008 1:16 UTC (Wed) by tzafrir (subscriber, #11501) [Link] XMPP uses an SRV record, and thus has an MX-like priority at the DNS level. http://en.wikipedia.org/wiki/SRV_record $ host -t srv _xmpp-server._TCP.gmail.com _xmpp-server._TCP.gmail.com SRV 20 0 5269 xmpp-server4.l.google.com _xmpp-server._TCP.gmail.com SRV 5 0 5269 xmpp-server.l.google.com _xmpp-server._TCP.gmail.com SRV 20 0 5269 xmpp-server1.l.google.com _xmpp-server._TCP.gmail.com SRV 20 0 5269 xmpp-server2.l.google.com _xmpp-server._TCP.gmail.com SRV 20 0 5269 xmpp-server3.l.google.com What's the next obvious problem I have missed?
authenticating with XMPP ID (jabber address) Posted May 28, 2008 12:09 UTC (Wed) by martinfick (subscriber, #4455) [Link] Please forgive my ignorance on this one, I understand DNS SRV records, but how does jabber interact with this since (unlike email) it requires a session? If at connection time my jabber client connects to xmpp-server4.l.google.com and later this server goes down, will my connection be maintained by xmpp-server.l.google.com? Probably not right? So I guess a manual fail over is required at this point (I simply need to relogin to the next available server), which should actually be fine since an automated solution does not seem required for this. I admit that perhaps I have not been clear enough about what I consider a valid HA solution for an individual, but the above will probably not be sufficient, let me explain why. Remember, as an individual, HA for an SSO solution is probably more important than for any other protocol! If my email goes down for an hour, big deal, if my SSO goes down for an hour this will affect me much more! But yet, my email solution (which is less important to make HA than SSO) has a simple backup method that I can easily delegate to someone else, does jabber? So a valid SSO HA solution for an individual would require that it be easy to failover to an offsite solution that someone else can handle for me. MX records allow me to do this for email, I can simply point my MX records to my friend's (or my ISP's) mail server and they can accept mail for me when my server goes down. Throwing expensive hardware at the solution at my site will still not be as reliable as simply having a friend provide backup MX service for me. Can a friend easily provide a backup XMPP service for you? How would the naming scheme work? If my jabber account is JohnDoe@mydomain.com, how can my friend (or ISP) use his jabber server which hosts Friend@backup.com to backup my JohnDoe@mydomain.com account? If you solve this, than I think that you may have a solution that is a valid replacement for both the current schemes of username/passwords backed up by an email "reset" feature.
authenticating with XMPP ID (jabber address) Posted May 29, 2008 0:29 UTC (Thu) by job (guest, #670) [Link] This is of course client specific behaviour and has nothing to do with Jabber the protocol, but most Jabber clients handle this by automatically reconnecting when the socket breaks. So in practice your connection would break for a few seconds and then be back online with the next server. So Jabber failover works (almost) as good as email (because jabber messages are not transactions in the same way email are, but close enough). But there are many ways a server can fail and a server that is otherwise dead but accepts logins properly would trap most (all?) existing Jabber clients. HA is hard in practice.
authenticating with XMPP ID (jabber address) Posted May 29, 2008 12:22 UTC (Thu) by martinfick (subscriber, #4455) [Link] Yes, so jabber client failover will probably work, and as I mentioned, in most cases this would be fine even if the failover had to be manual (i.e. log out and then back in). I agree that HA is hard and there could be other weird server behavior as you mention, but I believe that for email this kind of weird flaky behavior is still likely to at least cause the alternate MX record to be used. There is no reason that a jabber based authentication protocol could not be smart enough and even required by the specification to do this. That still leaves the delegation issue. How do I delegate this to a friend or an ISP (only in case of failure) so that if my house burns down their server can answer requests to my jabber id? What naming scheme would allow this?
authenticating with XMPP ID (jabber address) Posted May 28, 2008 5:13 UTC (Wed) by jamesh (subscriber, #1159) [Link] Given that people have been deploying HA solutions for the technologies OpenID is based on for a long time, why do you say that OpenID doesn't help with HA?
So it looks like you can introduce HA to pretty much any part of the protocol. Depending on your requirements, you may not require redundancy at all levels (e.g. a single HA OpenID provider might be enough). As for the independence issue, things seem similar to email. Maintaining your independence while setting up an HA mail system will involve setting up redundant servers. You can delegate some of this to other organisations as backup MX, but this involves giving them control over some portion of your incoming email stream. I guess the answer here is to not delegate authority/control to people you don't trust.
authenticating with XMPP ID (jabber address) Posted May 28, 2008 13:35 UTC (Wed) by martinfick (subscriber, #4455) [Link] Given that people have been deploying HA solutions for the technologies OpenID is based on for a long time, why do you say that OpenID doesn't help with HA? Actually, most of the solutions that you mention are either performance/scaling solutions or expensive workaround HA solutions because the protocols that you mention do not have HA built into them to start with! So openid DOES NOT help with HA, it simply assumes that the technologies that you mention will be enough to provide it. I am claiming that they will not! These solutions will not provide a solution for an individual who wants to setup his own openid server and wants to simply delegate failover to a friend or an ISP. To be more specific: * The discovery phase of OpenID is basically just a few plain HTTP requests. It should be no more difficult to add redundancy here than for any other web site (round robin DNS, load balancers, etc). These are mostly performance, not HA solutions. None of these allow for simple delegation (if so, please explain how). * The preferred discovery mechanism for OpenID 2.0 is to serve and XRDS document, which includes a priority list of service endpoints. The RP will pick the highest priority service with a supported protocol. This provides a way to specify that multiple OpenID providers can make assertions about a single URL, and provides an entry point for doing round-robin provider selection. Again, this does not allow for the XRDS document to be simply delegated to someone else (if so, please explain how). If this were backed by a simple naming scheme that allowed me to delegate this to someone else it would be fine. But, as is, without this feature you have just moved the single point of failure to the XRDS document and whatever expensive hardware you can throw at this document to keep it up. When the dust settles, by using XRDS you have just introduced another link that can break instead of adding another chain in parallel, this actually makes things worse from an HA perspective! I believe that your remaining three bullets are actually unnecessary. Users can (at least I can) live with a momentary interruption of service while failover occurs, but obviously this cannot persist. So it looks like you can introduce HA to pretty much any part of the protocol. You make it sound like I only have to introduce it to one part when I really have to introduce it to every part for it to actually be HA. And as shown above, many of those parts will not be easy to introduce it to without help from the protocol. As for the independence issue, things seem similar to email. Maintaining your independence while setting up an HA mail system will involve setting up redundant servers. You can delegate some of this to other organizations as backup MX... But how can I delegate this to others with openid? The protocol does not provide a mechanism to do this? Can a friend easily provide a backup openid service for you? How would the naming scheme work? If my identity URL is http://mydomain.com/myopenidsoftware/John.Doe, how can my friend's openid server which gives him an identity URL of http://backup.com/backupopenidsoftware/Friend use his server to backup my id? That is the problem, there is no easy standard way of doing this? If there were a standard way to create openid identity URLs, this might be possible. I have suggested a very naive solution to the openid mailing list, but few seemed to even think it was required, and none bothered to even rip apart my naive solution. :) They probably agree with you that HA can be thrown below the openid technologies, but this is really not feasible for the individual and I would think that it would not be feasible for most small businesses either. It's just an expensive kludge. My naive solution is here: http://www.theficks.name/Hacks/OpenID, it is lame, but perhaps it could inspire someone to suggest a real solution, or to realize that openid needs one! I just realize now that perhaps a similar simple scheme could be used to make the XRDS document HA? I am not sure what would be better, but if XRDS doesn't really provide HA, why bother with its complexity anyway?
authenticating with XMPP ID (jabber address) Posted May 30, 2008 0:27 UTC (Fri) by jamesh (subscriber, #1159) [Link] > These are mostly performance, not HA solutions. None of these allow > for simple delegation (if so, please explain how). Many high availability solutions also improve performance. An HA solution does not necessarily mean having a backup server sitting round waiting for the primary server to die. In fact, most multi-active solutions are more likely to handle crashes correctly because they need to be aware of other nodes in the common case. > Again, this does not allow for the XRDS document to be simply delegated > to someone else (if so, please explain how). As I said, you can use the same techniques as used to make any web site highly available. > You make it sound like I only have to introduce it to one part when > I really have to introduce it to every part for it to actually be HA It wasn't my intention to make it look like you only needed to add HA to one part. Some of the techniques I mentioned can be omitted though (a single high availability OpenID provider might satisfy your needs, for instance). > But how can I delegate this to others with openid? The protocol does > not provide a mechanism to do this? Can a friend easily provide a > backup openid service for you? How would the naming scheme work? If > my identity URL is http://mydomain.com/myopenidsoftware/John.Doe, how > can my friend's openid server which gives him an identity URL of > http://backup.com/backupopenidsoftware/Friend use his server to > backup my id? That is the problem, there is no easy standard way of > doing this? Take a look at the discovery portions of the specification again. In particular, the difference between the "claimed identifier" and the "OP-local identifier". The identifier allocated to you by an OpenID provider is not necessarily the same as the claimed identifier given to the relying parties. Provided you have your discovery information in order, this should not be a problem. Now, this isn't to say that there are bugs in the existing OpenID implementations. Some deployments are buggy (e.g. SourceForge's implementation is incomplete, with no support for XRDS). Few libraries try secondary endpoints in the XRDS if the first fails (this is roughly equivalent to an MTA only trying the first MX record). Things will have to improve, but they are not inherent flaws in the specification. We are talking about a fairly new technology here.
authenticating with XMPP ID (jabber address) Posted May 30, 2008 10:25 UTC (Fri) by martinfick (subscriber, #4455) [Link] I think that you missed this part of my reply above: These solutions will not provide a solution for an individual who wants to setup his own openid server and wants to simply delegate failover to a friend or an ISP. Your answers do not address this primary issue. MX records for email do. Without this, openid is not poised for global adoption and will remain something that enslaves anyone who wants to use it to the whims of large corporate openid providers. It is not a reasonable solution for someone who wants to be independent, which is really a shame. For those of us who look for the ability to be independent from a software infrastructure perspective (which I suspect many free software users do), openid brings us this hope, but unfortunately it seems to fall short of delivering this. :( From your answers and others like you it is obvious that openid has done a good job marketing to and making life easy and profitable for the expensive high end providers, perhaps this was the single most important/valid criticism in this article. However, little thought seems to have been given to the concerns of smaller entities such as individual users who want to be their own providers. Maybe I am just old school, I still own a land line (scoff)! Back when email was designed connectivity and availability were not taken for granted as they are today. I guess it is just hard to escape from this narrow minded point of view when the web today seems like it just works. Sadly, this point of view shows clearly in the design of many newer technologies.
authenticating with XMPP ID (jabber address) Posted May 28, 2008 6:58 UTC (Wed) by rfunk (subscriber, #4054) [Link] If email authentication is used to reset my password, then access to my email is equivalent to access to my password. It doesn't matter whether it's intendended to be a rare occurrence or an everyday occurrence; the equivalence is the same either way. (This is why I hate systems that require me to give them an answer to some simple question "in case I forget my password," since that answer ends up being a weak password-equivalent.) Your spurious HA complaint has already been well-addressed by others.
Nope. Paswords reset != access to password Posted May 28, 2008 10:53 UTC (Wed) by khim (subscriber, #9252) [Link] If email authentication is used to reset my password, then access to my email is equivalent to access to my password. If you can only reset the password then you can not use email as password replacement. You can not return password back to original state thus any such access will be visible for original owner. It's enough for many things. This is why I hate systems that require me to give them an answer to some simple question "in case I forget my password," since that answer ends up being a weak password-equivalent. You can always fix the system by entering word from /dev/random there. On the other hand lack of such a system will be a disaster for "normal" people who are not accustomed to world of IT where it is possible to create virtually unbreakable lock. They expect that police can always open the door if needed...
authenticating with XMPP ID (jabber address) Posted May 28, 2008 10:57 UTC (Wed) by martinfick (subscriber, #4455) [Link] I was not referring to the security mechanism of using email for authentication, your comparison there is correct email is similar. But I was talking about the HA part for which email authentication is not equivalent! If you temporarily lose access to your email you are still able to login to your accounts without it, you simply have lost the ability to "reset" your accounts. With openid if you temporarily lose access to your openid server, you are SOL. This really is different.
authenticating with XMPP ID (jabber address) Posted May 28, 2008 12:32 UTC (Wed) by tzafrir (subscriber, #11501) [Link] Many people today have a single point of failure: the local passwords list file.
authenticating with XMPP ID (jabber address) Posted May 28, 2008 13:03 UTC (Wed) by martinfick (subscriber, #4455) [Link] These people still have at their disposal simple cheap HA solutions to this if they choose. 1) memory 2) cp passwdfile passwdfile.bak 3) + email passwdfile.bak file to offsite email account 4) + encrypt passwdfile.bak before emailing offsite 5) cp passwdfile to USBstick/passwdfile.bak ... the list goes on. While not everyone chooses to do these, at least they are reasonably available to them.
The problem(s) with OpenID Posted May 28, 2008 1:22 UTC (Wed) by jamesh (subscriber, #1159) [Link] A lot of the criticism in that article seems to be along the lines that "if implemented badly, OpenID is insecure", rather than "OpenID is inherently insecure". While DNS poisoning is a problem for an OpenID provider running over HTTP, the same is not true for https identities/providers. There is a caveat here though: you need to make sure you enter the "https://" bit in the OpenID field or you will still be open to poisoning attacks (identity URLs without a scheme default to HTTP, which I guess is a concession to people running their own identity provider). Similarly, the phishing potential for a provider is highly dependent on the authentication method they employ. While a plain username/password might be susceptible to provider proxying attacks, it isn't the only option. Some options include:
The trust vs. identity issue seems a bit out of place. OpenID tells the RP that a user controls a particular URL (to the extent they trust DNS, SSL, etc) – nothing more. But once you have that assertion, you can start applying trusted assertions against the URL to the user. So in this sense you can build trust on top of identity. The identity assertion doesn't come out of thin air though.
A bad case of NIH Posted May 29, 2008 0:54 UTC (Thu) by job (guest, #670) [Link] My understanding of OpenID is that it wants to do everything client side SSL keys does but a) sort of requires javascript and b) is easier to spoof. Pretty much every browser can use SSL keys today, and there is an working infrastructure of smart card standards which all works together if you want to move beyond simple password authentication. (OpenID implements this by using SSL, a complex way of achieving nothing.) I don't know what the rationale for OpenID was but it strikes me as a bad case of NIH in the web designer world. Was there not enough XML? Was the login prompt not pretty enough? That latter is probably somewhat true. Generating keys in your web browser could be more user friendly, but that would immediately improve a lot if there was an actual use case. SSL works today and has worked "today" even before OpenID was thought of. OpenID is still pretty much a work in progress and there is a multitude of standards revisions for you to choose from. In the good old days some websites actually accepted client certs as SSO (and some people even sold them if you wanted) and I think Apache can still use it, but people were just not interested. Perhaps the time has come for SSO on the web, but I just don't see what OpenID has to offer.
A bad case of NIH Posted May 29, 2008 10:46 UTC (Thu) by tialaramex (subscriber, #21167) [Link] Client side SSL keys is a specific authentication method. OpenID is not an authentication method but OpenID providers need one. So the two are orthogonal. All that OpenID specifies is a way for you to take a URI and find out whether the person who gave it to you has authority over that URI. It doesn't specify how that authority is determined. For some OpenID providers the answer is that everyone has authority (this is somewhat useless but proves a point). Some OpenIDs are shared by a few people, each of which has a different "password" to prove their authority but is indistinguishable to the OpenID relying party. LiveJournal's provider says that each LiveJournal user has authority over a URI associated with their blog. If you own a DNS domain you can use software to create an OpenID provider running on your own machine which does purely local authentication, or you could use your domain to just publish a web page with a link tag that delegates your OpenID to another provider (thus you can switch providers without losing your identity). Some newer providers give each person an SSL cert, and they can use that to assert authority over a range of arbitrary OpenIDs so that they can use more than one identity. They just type the provider's URI in when asked for an OpenID, so no need to remember whether they signed up for this service in their persona as "Arnold Harrington" the 40 year old respected accountant or "Gary Giblets" amateur comedian popular in working men's clubs, their OpenID provider remembers that for them, and if they sign up to a new service it offers to provide these existing identities or a new one of their creation.
|
|||||||||||