My understanding of OpenID is that it wants to do everything client-side SSL keys do but a)
sort of requires javascript and b) is easier to spoof.
Pretty much every browser can use SSL keys today, and there is a working infrastructure of
smart card standards which all work together if you want to move beyond simple password
authentication. (OpenID implements this by using SSL, a complex way of achieving nothing.)
I don't know what the rationale for OpenID was but it strikes me as a bad case of NIH in the
web designer world. Was there not enough XML? Was the login prompt not pretty enough?
The latter is probably somewhat true. Generating keys in your web browser could be more user
friendly, but that would immediately improve a lot if there was an actual use case. SSL works
today and has worked "today" even before OpenID was thought of. OpenID is still pretty much a
work in progress and there is a multitude of standards revisions for you to choose from.
In the good old days some websites actually accepted client certs as SSO (and some people even
sold them if you wanted) and I think Apache can still use it, but people were just not
interested. Perhaps the time has come for SSO on the web, but I just don't see what OpenID has
to offer.
Posted May 29, 2008 16:46 UTC (Thu) by tialaramex (subscriber, #21167)
Client-side SSL keys are a specific authentication method.
OpenID is not an authentication method but OpenID providers need one.
So the two are orthogonal.
All that OpenID specifies is a way for you to take a URI and find out whether the person who
gave it to you has authority over that URI.
It doesn't specify how that authority is determined. For some OpenID providers the answer is
that everyone has authority (this is somewhat useless but proves a point). Some OpenIDs are
shared by a few people, each of which has a different "password" to prove their authority but
is indistinguishable to the OpenID relying party. LiveJournal's provider says that each
LiveJournal user has authority over a URI associated with their blog. If you own a DNS domain
you can use software to create an OpenID provider running on your own machine which does
purely local authentication, or you could use your domain to just publish a web page with a
link tag that delegates your OpenID to another provider (thus you can switch providers without
losing your identity). Some newer providers give each person an SSL cert, and they can use
that to assert authority over a range of arbitrary OpenIDs so that they can use more than one
identity. They just type the provider's URI in when asked for an OpenID, so no need to
remember whether they signed up for this service in their persona as "Arnold Harrington" the
40-year-old respected accountant or "Gary Giblets" amateur comedian popular in working men's
clubs; their OpenID provider remembers that for them, and if they sign up to a new service it
offers to provide these existing identities or a new one of their creation.
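The delegation described in the comment above (a page on your own domain carrying link tags that point at another provider) is what a relying party has to discover before it can verify anything. The following is an added example, not code from the thread or from any OpenID library: it parses those tags out of a claimed URL's HTML, handling both the OpenID 1.1 rel names (`openid.server`/`openid.delegate`) and the 2.0 ones (`openid2.provider`/`openid2.local_id`), and falls back to the claimed URL as the local identifier when no delegate tag is present. The sample HTML and host names are constructed.

```python
# Added example (not from the LWN thread): parse the OpenID delegation
# <link> tags that a personal web page can publish to point at a provider.
# The rel values openid.server / openid.delegate (OpenID 1.1) and
# openid2.provider / openid2.local_id (OpenID 2.0) are the real ones from
# the specs; the sample HTML below is constructed for this example.
from html.parser import HTMLParser


class _LinkCollector(HTMLParser):
    """Collect rel -> href from <link> tags (first occurrence of each rel wins)."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            # rel may hold several space-separated tokens
            for token in rel.lower().split():
                self.links.setdefault(token, href)


def discover(claimed_id, html):
    """Return (provider_endpoint, local_id, version) from the claimed URL's HTML.

    local_id is the identifier the provider knows the user by; when no delegate
    tag is present it is the claimed URL itself. A relying party must remember
    the claimed_id -> local_id pairing so the provider's later assertion about
    local_id is only accepted for the claimed_id this page actually delegated.
    """
    p = _LinkCollector()
    p.feed(html)
    links = p.links
    if "openid2.provider" in links:
        return links["openid2.provider"], links.get("openid2.local_id", claimed_id), 2
    if "openid.server" in links:
        return links["openid.server"], links.get("openid.delegate", claimed_id), 1
    raise ValueError("no OpenID delegation link tags found")


# Constructed sample: a personal domain delegating to a third-party provider.
SAMPLE_HTML = """<html><head>
<link rel="openid.server" href="https://provider.example/openid">
<link rel="openid.delegate" href="https://provider.example/u/alice">
</head><body>hi</body></html>"""

if __name__ == "__main__":
    print(discover("https://alice.example/", SAMPLE_HTML))
```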