Too Many Passwords? Try OpenID.

Jason Pramas

As time moves on, and we all sign up for more and more web services, inevitably we're going to forget the various usernames and passwords we're forced to use to keep our personal information at least moderately protected from the possibility of identity theft or worse.

Not all sites make it easy to retrieve lost account information either - as I just found out myself with one credit card site that asked me for a "security word" without giving a hint. So what's an internet user to do?

Fortunately, where there's a need, there's generally a move to fill it. And so too with this need for a single sign-on for multiple sites.

Back in 2005, the creator of the blog farm LiveJournal developed the first version of OpenID - as a distributed mechanism for providing users with a single digital identity backed by robust security. The system was based on Light-Weight Identity (LID) that LiveJournal created jointly with NetMesh Inc. and Cordance Corp.

Anyone with an OpenID account can sign on to any of thousands of websites that use the system - including a growing number of major service providers like AOL, LiveJournal, WordPress, Microsoft, Yahoo and MySpace.

There are older single sign-on systems like Windows Live ID (formerly Microsoft Passport), but using such enterprise systems requires handing your privacy and security over to a system solely controlled by a single corporation, while OpenID is decentralized between many certified ID providers - some corporations, some non-profits. OpenID itself is overseen by the non-profit OpenID Foundation.

Understanding how the OpenID system works is straightforward as long as you don't try to look under the hood too much.

First you sign up with an identity provider, which could be an established security company like VeriSign (as used by your pals here at Prometheus Labor Communications) or your own server, if you choose to run one. After providing your basic information, you are given a special URL (for example, YourName.VeriSign.Com). You can then sign into any OpenID site by providing that URL, then signing in via your identity provider - not the site you're signing into. Your identity provider then verifies you to the site you're signing into. And that's it. You're in.
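To show what actually happens under the hood in the exchange just described, here is an added example (not code from the original post, nor from any OpenID library) that models the OpenID 2.0 flow in Python: the identity provider checks the password and signs an assertion, and the site being signed into verifies that signature instead of ever seeing a password. The provider, site and user names are made up, the signing is HMAC-SHA256 over a pre-shared association key as in the spec's association mode, and the 300-second nonce window is an assumption.

```python
"""Simplified model of the OpenID 2.0 sign-in flow: an identity provider (OP) that holds
the password and a relying party (RP, the site signed into) that only sees a signed assertion."""
import base64
import calendar
import hashlib
import hmac
import secrets
import time


def mac(key, fields):
    """OpenID signs the 'key:value\\n' form of the fields named in openid.signed."""
    body = "".join(f"{k}:{fields['openid.' + k]}\n"
                   for k in fields["openid.signed"].split(","))
    return hmac.new(key, body.encode(), hashlib.sha256).digest()


class Provider:
    """Toy identity provider: it checks the password itself and never hands it on."""
    def __init__(self, endpoint):
        self.endpoint = endpoint
        self.users = {}         # claimed_id -> password (toy store, not for production)
        self.associations = {}  # assoc_handle -> shared MAC key

    def associate(self):
        """RP and OP agree a shared MAC key up front (real OPs do this over Diffie-Hellman)."""
        handle = secrets.token_hex(8)
        self.associations[handle] = secrets.token_bytes(32)
        return handle, self.associations[handle]

    def checkid(self, claimed_id, password, return_to, assoc_handle):
        """The user logs in *here*; on success the OP issues a signed id_res assertion."""
        if self.users.get(claimed_id) != password:
            return None  # a real OP re-prompts; the RP never learns the password
        fields = {
            "openid.mode": "id_res",
            "openid.op_endpoint": self.endpoint,
            "openid.claimed_id": claimed_id,
            "openid.return_to": return_to,
            "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
                                     + secrets.token_urlsafe(8),
            "openid.assoc_handle": assoc_handle,
            "openid.signed": "op_endpoint,claimed_id,return_to,response_nonce,assoc_handle",
        }
        sig = mac(self.associations[assoc_handle], fields)
        fields["openid.sig"] = base64.b64encode(sig).decode()
        return fields


class RelyingParty:
    """The site being signed into: it trusts the OP's signature and holds no password."""
    REQUIRED_SIGNED = {"op_endpoint", "claimed_id", "return_to", "response_nonce", "assoc_handle"}

    def __init__(self, return_to, discovery):
        self.return_to = return_to
        self.discovery = discovery  # claimed_id -> op_endpoint; stands in for Yadis/XRDS discovery
        self.assocs = {}            # (op_endpoint, assoc_handle) -> MAC key
        self.seen_nonces = set()

    def complete(self, claimed_id, f):
        """Validates a positive assertion; raises ValueError on anything that is off."""
        if f.get("openid.mode") != "id_res" or f["openid.return_to"] != self.return_to:
            raise ValueError("not a positive assertion for this site")
        endpoint = self.discovery.get(claimed_id)
        if f["openid.op_endpoint"] != endpoint or f["openid.claimed_id"] != claimed_id:
            raise ValueError("OP or identifier does not match discovery")
        if not self.REQUIRED_SIGNED <= set(f["openid.signed"].split(",")):
            raise ValueError("required fields not covered by the signature")
        key = self.assocs.get((endpoint, f["openid.assoc_handle"]))
        if key is None:
            raise ValueError("unknown association handle")
        expected = base64.b64encode(mac(key, f)).decode()
        if not hmac.compare_digest(expected, f["openid.sig"]):
            raise ValueError("bad signature")
        nonce = f["openid.response_nonce"]
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
        if abs(time.time() - issued) > 300 or nonce in self.seen_nonces:  # 300 s: an assumption
            raise ValueError("stale or replayed assertion")
        self.seen_nonces.add(nonce)
        return claimed_id


def setup():
    """Constructed provider, site and user (none of these hosts exist), plus an association."""
    cid = "https://yourname.example-provider.test/"
    op = Provider("https://id.example-provider.test/server")
    op.users[cid] = "hunter2"
    rp = RelyingParty("https://labor-site.test/openid/return", {cid: op.endpoint})
    handle, key = op.associate()
    rp.assocs[(op.endpoint, handle)] = key
    return op, rp, cid, handle


def sign_in(password="hunter2"):
    """One complete sign-in: returns the verified identifier, or why the OP refused."""
    op, rp, cid, handle = setup()
    fields = op.checkid(cid, password, rp.return_to, handle)
    if fields is None:
        return "provider refused"
    return rp.complete(cid, fields)
```

The checks in `complete()` are the ones that matter for a site accepting OpenID logins: the assertion must name this site's own return URL, come from the provider that discovery found for the identifier, be signed over every field the decision depends on, and carry a fresh, never-before-seen nonce. The trust in the system rests on the provider checking the password before it signs and on the site making all of these checks; skipping any one of them is where it breaks.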

It has been said that OpenID together with microformats (discussed earlier this week in the distributed social networking post) will kill Facebook and other corporate social networking sites. That remains to be seen. But it looks like a great idea for labor to field its own OpenID identity provider sites - and provide OpenIDs for labor users, who may not otherwise trust the system at first.

As more labor folks start to use OpenID, there will be a great incentive for various unions and affiliated organizations to allow people to sign in using the system. Which would be a win-win for labor sites and labor users alike.

For more information, check out the following sites:

http://openid.net/
http://en.wikipedia.org/wiki/OpenID
http://www.slideshare.net/maxmanders/an-introduction-to-openid
http://yadis.org/wiki/Main_Page
http://simonwillison.net/2007/Feb/25/six/

ARBE

OpenID and similar - re Verisign

Unfortunately - the Verisign and other PKI certificates can also be abused by any site that uses them to verify who you are and what computer you are using.

Despite what the gurus say, it is trivial to trick someone into accepting a PKI certificate installed on their machine, even if it is an unauthorized certificate!

Purpose is to block all email or other communications from that computer. Great, but subtle, form of censorship.

I've had it happen to me - the company involved is THE BOEING COMPANY - who still claim they do not put such PKI certificates on personal - home - computers. Since I have long been a retired employee - and have no access to a company computer - then how did I find two of them on my computer? Their presence blocked my legitimate access to certain financial data - and the local gendarmes agree it is criminal. However, since Boeing disclaims they do it - the gendarmes have other more important things to do. As a result, and after doing a lot of research, and getting stonewalled by Verisign - I became aware of just how easy it is to subvert the system.

Point of the above is: be VERY careful how one uses such a system - and the great potential for abuse.

Many unions will go to great lengths to hide financial data, stifle requests for documents available to any member, etc. It's a case of a few bad apples spoiling the whole mess.

I can easily provide a link to a pdf copy of the non-existent Boeing PKI certificate found on my home computer - when I removed it, I was then able to access my financial data, and create new email addresses and use a different computer to contact union members at their Boeing addresses.

Jason Pramas

one of a number of problems

sure, there are a number of security issues and ways to game the OpenID system ... one of the largest being the issue of who gets to register OpenID servers ... there have already been instances of shady trojan servers stealing unwitting users' registration info ...

however, these issues are being addressed as they arise by the OpenID community - which is the advantage of an open source project like OpenID ... many interests coming together to work towards a common goal ...

nevertheless, I'll try to be careful of waxing too effusively (without pointing out downsides) about new web services in the future ...

I'd encourage you to write a full post to this blog about the security issue you raise; so we can put it on the front page ...

cheers ...

ARBE

RE SECURITY ISSUE

I'll be glad to expand, but it will be a week or two before I can figure out how to make a terse post.

Currently I am awaiting formal responses on related subjects from Boeing, and certain elements probably should not be divulged at this time due to pending involvement by a few government agencies which are part of the DOL.

Adding to the issue is that what Boeing did also happens to be, under Washington state law, either a misdemeanor or a felony. The county attorney's office refuses to get involved, and foisted it on the local city police dept.

If that isn't enough, there is also involvement in the current (Sept 5 - Boeing-IAM strike) issue.

Don