FUDCon report from the Fedora Project Leader (Red Hat Magazine)

Red Hat Magazine is carrying a report from FUDCon written by project leader Paul Frields. "Last night, Infrastructure team leader Mike McGrath announced a one-two punch of free software goodness for Fedora. First, our Fedora Account System is now an OpenID provider. This means that the identity you create in the Fedora Project can be used across thousands of web sites. The other big announcement was the new Fedora telephony system, 'Fedora Talk,' based on the juggernaut free software VoIP project Asterisk."

OpenID provider vs relying party

Posted Jun 24, 2008 17:18 UTC (Tue) by tialaramex (subscriber, #21167)

“This means that the identity you create in the Fedora Project can be used across thousands of
web sites.”

... but the identity you already have cannot be used at the Fedora Project.

Setting up an OpenID _provider_ like this is very nearly useless. Fedora ought to be looking
at becoming an OpenID relying party, not a provider.

Let me provide an analogy. Being an OpenID provider is like setting up a credit card company.
Maybe you want to do that, if you're a big financial organisation and you have all the
know-how to do a good job of it, and you feel that you can offer something better (low
interest rate, convenient payment, etc.) than competitors. But if you don't have the expertise
then you're producing Monopoly money, everyone will stick with their VISA.

But if you want to reduce how many different credit cards people carry, you don't want to set
up a credit card company, you want to start accepting the most common existing credit cards.
Offering your own brand of card is actually counter-productive, that's just another card
everyone has to carry.

Adding relying party support to Fedora's site and services would be much harder, but it
wouldn't be an empty gesture like this, it would be a real achievement. There would be solid
benefits for Fedora and its users. Worried about "break-ins"? No-one can steal your users'
passwords, because you don't have them, you don't even have a password hash, you just know
their OpenID which is public. Concerned about integration? The use of URIs in OpenID makes it
child's play to join two arbitrary account systems together, and if they need to be separated
again later you can safely do that too. No more "all passwords will need to be changed, sorry"
emails or "please note that now the password from site A is used on site B".

OpenID provider vs relying party

Posted Jun 24, 2008 17:28 UTC (Tue) by rahulsundaram (subscriber, #21946)

Being a relying party is the next step. Patience, it is happening. There are places where it
can be done and that needs to move carefully.

OpenID provider vs relying party

Posted Jun 24, 2008 18:51 UTC (Tue) by mmcgrath (subscriber, #44906)

> Setting up an OpenID _provider_ like this is very nearly useless. Fedora
> ought to be looking at becoming an OpenID relying party, not a provider.

I wouldn't say useless.  People like being able to, for example, make comments on livejournal
without needing an account.  Lots of bloggers (including myself) use livejournal.

As far as being a consumer, we're in an odd position there.  We have an OpenID plugin for our
wiki that we could enable right now, the problem is in our Contributor License Agreement.
Without having signed it, we can't accept someone's content... basically making an account with
us useless without the CLA.  I'm still looking into a couple of options but without something
like an agreement between our CLA and some other organization's CLA, Fedora's future as an
OpenID consumer is, unfortunately, limited.  We knew this was a possibility but made the
changes anyway and are hoping the Legal system can catch up :)

OpenID provider vs relying party

Posted Aug 2, 2008 15:47 UTC (Sat) by tialaramex (subscriber, #21167)

[This reply is a bit late coming, sorry]

OpenID doesn't forbid you from attaching some site-specific conditions to usage. I see that
the CLA process requires contributors to give you a telephone contact number and a home or
work address. You could easily also ask them to provide an OpenID at this point.

If someone signs into the site using an OpenID that doesn't have a CLA on file, you can send
them to information about joining Fedora. For existing members you can add an account page
which lets them add or remove an OpenID on their account, in the same way that they can
currently change their contact details or password.

If the CLA is taken very seriously (do you follow up and check that every telephone number is
valid and contacts the person who filled out the form? that every address given is a
residential or office address and that the person lives or works there?) then you might want
to whitelist OpenID providers based on their authentication policies, but in any case there is
no legal blocker to being a relying party. I hope you can make it happen.
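
The relying-party flow discussed in this thread (no stored passwords, an OpenID linked from the account page, a CLA check at sign-in, an optional provider whitelist), as an added example that is not part of the thread and not Fedora's code. It assumes an OpenID library has already verified the assertion and handed over the claimed identifier and provider endpoint; `AccountStore`, the `/join` path and the `example.*` hosts are hypothetical, and the normalization is simplified.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist: provider hosts whose authentication policy is accepted.
TRUSTED_OP_HOSTS = {"op.example.org"}

def normalize(url):
    """Simplified claimed-identifier normalization: lowercase the host,
    default an empty path to "/", drop the fragment."""
    p = urlsplit(url.strip())
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"not an http(s) identifier: {url!r}")
    return urlunsplit((p.scheme, p.netloc.lower(), p.path or "/", p.query, ""))

class AccountStore:
    """Holds only public identifiers and CLA status; no password or hash."""

    def __init__(self):
        self.cla_signed = {}   # username -> bool (CLA on file?)
        self.by_openid = {}    # normalized claimed identifier -> username

    def add_member(self, username, cla_signed):
        self.cla_signed[username] = cla_signed

    def link(self, username, claimed_id):
        """Account-page action: attach an OpenID to an existing member."""
        owner = self.by_openid.setdefault(normalize(claimed_id), username)
        if owner != username:
            raise ValueError("identifier already linked to another account")

    def unlink(self, username, claimed_id):
        """Account-page action: detach an OpenID the member owns."""
        key = normalize(claimed_id)
        if self.by_openid.get(key) == username:
            del self.by_openid[key]

    def decide(self, claimed_id, op_endpoint):
        """Map an already-verified assertion to a sign-in decision."""
        if urlsplit(op_endpoint).hostname not in TRUSTED_OP_HOSTS:
            return ("reject", "provider not on allowlist")
        user = self.by_openid.get(normalize(claimed_id))
        if user is None or not self.cla_signed.get(user, False):
            # Unknown OpenID, or a member without a CLA: send to joining info.
            return ("join", "/join")
        return ("login", user)
```

The provider check uses the endpoint that made the assertion rather than the host in the claimed identifier, since the two can differ when an identifier is delegated.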

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds