That's torn it!
Microsoft about to do another Embrace, Extend, Extinguish on OpenID in order to puff up their Passport thingy?
Oh well, better get writing the obituary now.
Call it co-incidence or call it necessity, but Microsoft has jumped on-board a Yahoo!-backed initiative to give internet users a single digital identity. Microsoft is joining systems and internet rivals IBM and Google by becoming a full corporate board member of the OpenID Foundation. Also signing up are VeriSign and Yahoo!, …
Do any of these companies ever talk to their customers? Who thinks it is a good idea to have one ID on the internet, so they can trace you everywhere and profile you completely?
I'm convinced the companies in OpenID think it is! The more they can profile you, the better they can target their ads at you.
OpenID is a bad, bad, bad idea, and I can tell all the sites that are thinking of adopting this: you can lose a potentially large amount of customers over this. We do NOT want it, basta.
Why have just the one then?
As far as I can see, you can associate an OpenID with any URL you control where there's appropriate software on the domain. OpenID allows a persistent trustable identity which doesn't give anything away you don't want.
This issue is going to arise with sites that set policies like "you can only log on with an openID that releases an email address" (or real name, current payment card number, UK NIN, baptismal certificate number....).
But one openID for porn and another for commenting on tech web sites seems perfectly feasible.
"OpenID allows a persistent trustable identity which doesn't give anything away you don't want."
Trustable from which viewpoint?
From the user's POV, it may be trustable in that it does not give out anything you don't want it to, but from a site's POV, it should be treated as inherently untrusted for login purposes.
Using a regular login scheme, the site has full control over the code used, and can audit for security any time they please. Using OpenID, they must place blind faith in the identifying end not to be subject to various forms of attack that would allow the user's account to be hijacked.
It's all very well having shared secrets and Diffie-Hellman secured transactions between sites, but a single flaw in the security of the identifier site breaks the security on all sites using OpenID for logins.
Not too bad if you want to just allow someone to post a comment on a blog, an absolute nightmare if MS, Yahoo and Google are all plugging it into their webmail systems and allowing full access from an OpenID.
I think it's the user's trust, mostly:
- That OpenID is not vulnerable
- That their chosen OpenID site is securely managed
- That they themselves will catch any attempts by malicious or hacked relying party to send them to a phishing equivalent of their openID provider
I don't think it's unreasonable to assume that Verisign or RSA will know how to implement a secure site better than most content providers (and not do anything boneheaded like not implementing TLS), and in fact it might be so much better that, together with the benefit of not maintaining a sheaf of IDs, it outweighs the "eggs in one basket" risk. Especially as you do get to choose how many baskets you actually want to juggle.
From the site's PoV, you're right. I think that sites might well decide that they'll only accept openIDs provided by somewhere they trust, but it's not something you see discussed very much. The question of liability for a bad ID means that the banks won't be picking this up any time soon.
(love the screen name, incidentally ....)
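The site-side checks discussed above (accepting only providers the site trusts, insisting on TLS, and not taking an assertion at face value) as an added example in Python; this is not code from the thread or from any OpenID library, and it assumes the relying party has already run discovery on the claimed identifier and knows the provider endpoint it found. The host list, return URL and sample assertion are constructed for illustration.

```python
from urllib.parse import urlsplit

# Providers this relying party is willing to accept logins from (assumed list).
TRUSTED_OP_HOSTS = {"openid.example-provider.test"}
EXPECTED_RETURN_TO = "https://rp.example.test/openid/return"
_seen_nonces = set()  # replay cache; a real RP would also expire old entries


def provider_allowed(op_endpoint: str) -> tuple:
    """Allowlist check: only TLS endpoints on trusted hosts are accepted."""
    parts = urlsplit(op_endpoint)
    if parts.scheme != "https":
        return False, "provider endpoint is not served over TLS"
    if parts.hostname not in TRUSTED_OP_HOSTS:
        return False, "provider %r is not on the trusted list" % parts.hostname
    return True, "ok"


def verify_assertion(params: dict, discovered_op_endpoint: str) -> tuple:
    """Checks an RP must make on a positive OpenID 2.0 assertion before
    trusting it: the endpoint named in the assertion must be the one found
    by discovery (otherwise any provider could assert any identity), the
    provider must be allowed, return_to must be ours, and the response
    nonce must not be replayed. Signature verification against the
    association key is assumed to happen elsewhere."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if params.get("openid.op_endpoint") != discovered_op_endpoint:
        return False, "op_endpoint does not match discovered provider"
    ok, why = provider_allowed(discovered_op_endpoint)
    if not ok:
        return False, why
    if params.get("openid.return_to") != EXPECTED_RETURN_TO:
        return False, "return_to mismatch"
    nonce = params.get("openid.response_nonce")
    if not nonce or nonce in _seen_nonces:
        return False, "missing or replayed response_nonce"
    _seen_nonces.add(nonce)
    return True, "ok"


# Constructed sample assertion (not captured from any real provider).
SAMPLE = {
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://openid.example-provider.test/server",
    "openid.claimed_id": "https://alice.example-provider.test/",
    "openid.return_to": EXPECTED_RETURN_TO,
    "openid.response_nonce": "2008-02-08T12:00:00Zabc123",
}
```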
Yet Another Stupid Idea, aggressively pursued by great big corps that can't ever know enough about us.
One login for all my sites? Why exactly would I ever want something as retarded as that? Even in the remote case I was so lazy/damaged that I really thought one pass to rule them all was a cool idea, why exactly would I ever trust my details and that single point of failure password with a comically mismatched bunch of bloated corporate muppets?
Same rant for all of you IT people working on biometric IDs, you know who you are and you know what complete ass suck it's going to be when victimised punters start turning up at their banks asking for new fingerprints, irises or DNA because some cad seems to have cloned theirs and made happy with their hard earned.
Do a bit of reading about OpenID, people.
This is not Passport or Yahoo or a similar centralised service. If you want to be your own OpenID provider (and you have some webspace with CGI support), you can be. The whole point of OpenID is that it's distributed. Anybody can be a provider. It provides authentication and only authentication - if X was X yesterday, X is almost certainly X today; where X could be little Jimmy, a convicted criminal, or a dog sitting behind a keyboard.
Personally, I have one common insecure password for almost every website, and a handful of others for websites and services that I consider strategic. It's far more likely that one of these small poorly written websites leaks my password than a security conscious OpenID provider will.
As mentioned before, it also needn't be one OpenID - if you want multiple OpenIDs, you can also have that. There's also support for logging into one site with multiple OpenIDs at the same time.
And a great feature will be web browsers with special support for OpenID, so I needn't even visit the website of my OpenID provider to authenticate or allow a website access to some of my OpenID info.
Both OpenID and CardSpace allow for multiple identities.
Passport != CardSpace
Information Cards are supported on Linux, Mac (DigitalMe), Windows (CardSpace).
Information Cards are widely regarded as more secure than OpenID. (OpenID is demonstrably prone to phishing attacks.)
Microsoft has gone to a lot of effort to ensure that its identity provider is part of a broader meta-system, with integration to multiple systems including OpenID.
Get your heads out of your arses. Maybe that way your job won't get outsourced to India.