[H-GEN] openid opinions?

Russell Stuart russell-humbug at stuart.id.au
Sat Dec 18 20:10:35 EST 2010


On Sat, 2010-12-18 at 19:01 +1000, remoray wrote:
> any opinions on this openid thing?

I am no expert, but OpenID v2 combined with clients and providers that
support what is called "directed identity" seems to be about as good a
solution to "password hell" as I can imagine.  A downside is not many
providers support directed identity.  The upside is arguably the biggest
and most reliable provider always has - Google.

Since the name "directed identity" doesn't provide a clue as to what it
does I'll explain with a short biography of OpenID.

Long long ago, blogging was invented.  Not long after, someone came up
with the idea of allowing people to post comments to blog posts.  The
timing is disputed, but roughly between 34ms and 67ms after the first
blogging package allowing comments was launched spammers started posting
spam comments to blogs.

The first solution to spam was to delete it of course, but since the
spammers could simultaneously comment on many blog posts going back
months it was like trying to divert the Niagara Falls using a plastic
spade.  The next attempt was to force people to log in before posting
comments.  The bloggers rapidly settled on using an email address for
the login name because that meant they could communicate privately with
the poster, and of course a password had to be provided as well.

That created another problem.  Turns out bloggers are highly opinionated
people, and they like to cast their opinions far and wide.  (Who'd have
thunk it?)  Thus, they post a lot of comments on a lot of different
blogs.  This meant they had to manage lots and lots of different logins
and passwords.  If you followed the commonly espoused security tenets
of using a different password for each site, and changing them regularly,
the result became an unmanageable frenzy of changing and forgotten
passwords.

The solution they invented (over a series of blog posts of course) was
OpenID v1.  The essential idea behind OpenID v1 was that a blogging site
you wanted to comment on just asked your blogging site to authenticate
you.  All you did was enter a URL that effectively identified you.  That
URL was normally just a special page at your blog's URL.  Then the OpenID
protocol specified a standard, secure way for the site you were
commenting on to ask your blog to authenticate you, and when done pass
control back so you could post your comment.  If you hadn't logged into
your blogging site then it would have to ask you to identify yourself in
some way (eg username and password), but if you were already logged in
then there was no need to enter anything.  That was the normal case,
and so OpenID reduced authenticating yourself to a button click and
waiting for a few browser redirects.

OpenID v1 looks enticingly close to a general solution to the "password
hell" problem most of us experience on the internet.  It was much better
than the proprietary solutions that various companies had tried to
implement, such as Microsoft's Passport.  But there were several
problems with it.  One was lack of anonymity.  Because you entered a URL
that identified you and was the same for each site, your movements
across the internet could be tracked.  This might not be a problem for
blogs, but it could be a problem if you wanted to anonymously post
controversial opinions or purchase sex toys for grandma.

There is no real need for the URL to identify you.  A generic URL could
take you to a login page on your OpenID provider, and there you could
provide a user name and password.  And indeed that is what OpenID v2
does.  For example, Google's OpenID URL is
https://www.google.com/accounts/o8/id and that is the same for everyone.
This generic URL feature is what the OpenID v2 spec calls "directed
identity".

Sadly from the implementer's point of view, the OpenID spec is chock-full
of terms like that, mostly defining abstractions that are simply
unnecessary.  In that way it betrays its origins as a product of a
committee of bloggers, each producing something that was unique and
fighting to include their contributions in the final spec.  Thus it
contains a lot of oddly named unique somethings.  Nonetheless, despite
the tortuous language, the spec is solid.  But it desperately needs to
be re-formulated as an RFC.

> Anyone use it?
> 
> Does it make things easier?

Most people use it now, often unwittingly.  If you have ever used one of
those "login via" thingies you often see at the bottom of a web page,
you are a satisfied OpenID user.

On Sat, 2010-12-18 at 19:55 +1000, Greg Black wrote:
> As is true of so much information on the Net, that article was written
> by a fool.

Harsh.  A more charitable explanation is that this is a person commenting
on a subject he knows nothing about.  Admittedly that is very common on
the Net.

He says people should have no trouble avoiding password hell.  I imagine
he means by that he has so far not experienced it.  The only possible
explanation for that is he doesn't use the internet a lot.  So here we
have a person who doesn't use the internet a lot telling people who do
use it a lot the solutions they have invented are crap.

Currently there is no way to avoid password hell without using OpenID.
In fact because OpenID isn't used by most commerce sites there is no way
to avoid it even if you do use it.  But that isn't OpenID's fault.
Hopefully now that shopping cart applications like OsCommerce have
adopted it we will see a gradual uptake, and password hell will become
just another painful memory.

For what it is worth, OpenID does have another deficiency.  There is
data you have to maintain on many sites.  Things like your name,
email addresses, phone numbers and shipping addresses.  These things
change over time.  It would be really, really nice if you could define
these in a central place, and have the sites you log into pull the bits
you authorise from that central repository as needed.  That way they
would always have the most recent version.  As it stands, maintaining
these things in hundreds (in my case) of places feels very like password
hell.

The obvious place to maintain all this is with your OpenID provider.
OpenID v1's provisions in that area were very rudimentary.  You might
recall I said most blogs used to authenticate you using an email
address.  As a consequence OpenID v1 allowed an email address to be sent
back, but very little else.  OpenID v2 now provides an extension
mechanism and the rudimentary facilities of OpenID v1 have been
grandfathered into that, and a few others have been added.  But it is
still all very basic, mostly because very few extensions have been
defined.  OAuth is another standard that is complementary to OpenID that
does attempt to provide some of these features.  However it is broken,
literally.  A security flaw was found in the current version of the
OAuth v1 protocol and the next version, OAuth v2, isn't backward
compatible with OAuth v1.

I think this is illustrative of another trend.  It appears that now the
initial rush of innovation on the Internet is over, we are doomed to
improve it in a series of baby steps that means it takes decades for any
new technology to be so widely adopted you can assume it is the default.
This is much like every other existing technology, of course.  Sadly
unlike the motor car or electricity distribution we are at the start of
this road.  Securely sharing your email address or home address is
pretty basic stuff, and as everybody with half a brain knows Facebook
isn't the solution.  Facebook is a company fighting to hold (and thus
control) your data in their proprietary repository.  The current
Facebook / Google spat about sharing contacts between two accounts _you_
supposedly control is a good example of the downsides of that.  Another
good example is our rejection of Microsoft Passport, which the industry
ignored largely because they didn't trust Microsoft to be the custodian
of all their data.  Currently, it appears some people believe Facebook
is more trustworthy than Microsoft.

As always, Wikipedia is a good reference point:

  http://en.wikipedia.org/wiki/Openid
  http://en.wikipedia.org/wiki/OAuth
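As an added example (not code from Russell's post, nor from any OpenID library), here is an offline model of the v2 exchange with directed identity described above: the relying party (the site you want to comment on) sends the generic identifier_select value instead of a URL that names you, the provider signs back the identity it chose once you have logged in there, and the relying party checks the signature, return_to and nonce before trusting anything in the reply. The endpoint URLs, association handle and secret, and the user identity are assumptions; the field names, the identifier_select constant and the key-value signing rule are those of the OpenID 2.0 spec.

```python
# Offline model of an OpenID 2.0 "directed identity" exchange.  Added
# example, not code from the post.  Endpoint URLs, association handle/secret
# and the user identity are made-up; field names and signing rules follow
# the OpenID 2.0 spec (HMAC-SHA256 association, key-value form).
import base64
import hashlib
import hmac
import secrets
import time

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
OP_ENDPOINT = "https://op.example/openid/auth"       # hypothetical OP
RP_RETURN_TO = "https://blog.example/openid/return"  # hypothetical RP
RP_REALM = "https://blog.example/"
ASSOC_HANDLE = "assoc-7f3a"
ASSOC_SECRET = bytes(range(32))  # stand-in for a DH-negotiated MAC key
SIGNED_FIELDS = ["op_endpoint", "claimed_id", "identity", "return_to",
                 "response_nonce", "assoc_handle"]

def rp_checkid_request():
    """RP -> OP via browser redirect.  With directed identity the RP does
    not know who the user is: both identifier fields carry the
    identifier_select constant and the OP fills in the identity later."""
    return {"openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
            "openid.claimed_id": IDENTIFIER_SELECT,
            "openid.identity": IDENTIFIER_SELECT,
            "openid.return_to": RP_RETURN_TO, "openid.realm": RP_REALM,
            "openid.assoc_handle": ASSOC_HANDLE}

def sign(params, fields, secret):
    """HMAC over the key-value form of the listed fields ('openid.' prefix
    stripped, one 'key:value\\n' line per field, in openid.signed order)."""
    msg = "".join(f"{f}:{params.get('openid.' + f, '')}\n" for f in fields)
    mac = hmac.new(secret, msg.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def op_positive_assertion(request, secret, selected_id, nonce=None):
    """OP -> RP via redirect once the user has logged in at the OP.
    identifier_select is replaced by the identity the OP chose."""
    claimed = request["openid.claimed_id"]
    if claimed == IDENTIFIER_SELECT:
        claimed = selected_id
    if nonce is None:  # spec format: UTC timestamp plus a unique suffix
        nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
        nonce += secrets.token_urlsafe(8)
    resp = {"openid.ns": OPENID_NS, "openid.mode": "id_res",
            "openid.op_endpoint": OP_ENDPOINT,
            "openid.claimed_id": claimed, "openid.identity": claimed,
            "openid.return_to": request["openid.return_to"],
            "openid.response_nonce": nonce,
            "openid.assoc_handle": request["openid.assoc_handle"],
            "openid.signed": ",".join(SIGNED_FIELDS)}
    resp["openid.sig"] = sign(resp, SIGNED_FIELDS, secret)
    return resp

def rp_verify(resp, secret, seen_nonces):
    """RP-side checks.  Returns the verified claimed_id or raises ValueError.
    The signature is checked before any signed field (nonce included) is
    trusted, and the nonce is recorded so the same assertion cannot be
    replayed."""
    if resp.get("openid.ns") != OPENID_NS or resp.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    if resp.get("openid.return_to") != RP_RETURN_TO:
        raise ValueError("return_to does not match this RP")
    if resp.get("openid.assoc_handle") != ASSOC_HANDLE:
        raise ValueError("unknown association handle")
    fields = resp.get("openid.signed", "").split(",")
    if any(f not in fields for f in SIGNED_FIELDS):
        raise ValueError("required field not covered by the signature")
    if not hmac.compare_digest(sign(resp, fields, secret), resp.get("openid.sig", "")):
        raise ValueError("bad signature")
    if resp["openid.response_nonce"] in seen_nonces:
        raise ValueError("replayed response")
    seen_nonces.add(resp["openid.response_nonce"])
    if resp["openid.claimed_id"] == IDENTIFIER_SELECT:
        raise ValueError("OP did not select an identity")
    return resp["openid.claimed_id"]

def demo():
    """Honest round trip, then a tampered copy, then a replay of the original."""
    seen = set()
    resp = op_positive_assertion(rp_checkid_request(), ASSOC_SECRET,
                                 "https://op.example/id/alice",
                                 nonce="2010-12-18T09:01:00Zdemo0001")
    results = [rp_verify(resp, ASSOC_SECRET, seen)]
    tampered = dict(resp)
    tampered.update({"openid.claimed_id": "https://op.example/id/bob",
                     "openid.identity": "https://op.example/id/bob"})
    for attempt in (tampered, resp):
        try:
            results.append(rp_verify(attempt, ASSOC_SECRET, seen))
        except ValueError as err:
            results.append(str(err))
    return results
```

demo() returns the verified identity for the honest exchange, "bad signature" for the copy whose claimed_id was rewritten in transit, and "replayed response" when the genuine assertion is presented a second time. The point to take away is that with directed identity the relying party learns who you are only from the signed reply, so it must authenticate that reply before reading any field of it. A real relying party would additionally run discovery on the returned claimed_id to confirm the provider is authoritative for it, which this offline model skips.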




