LiveJournal Founder Launches OpenID System
geekdreams writes "Brad Fitzpatrick, the founder of LiveJournal, has launched OpenID, an 'actually distributed identity system' for websites that accept user comments. The system utilizes decentralized servers to authenticate users, and aims to replace centralized ID systems such as Microsoft's Passport and SixApart's TypeKey. The first implementation of OpenID can be seen on LiveJournal comments pages." Previously mentioned on Slashdot, now out of development.
A dupe with a note saying it's a dupe (Score:2, Insightful)
But a dupe with news isn't always a dupe (Score:2)
Re:A dupe with a note saying it's a dupe (Score:1)
We just need to kill passwords (Score:2, Interesting)
Re:We just need to kill passwords (Score:2)
I'm kind of surprised that nobody has come up with a good, free alternative to RSA's SecurID system. For those that haven't seen it, it uses little hardware tokens (in the form of keyring fobs or credit card-sized units) that are synchronized with an authentication server. It seems to me like somebody could come up with a similar system that perhaps used a small Java app running on cell phones and PDAs to replace the key fob.
Re:We just need to kill passwords (Score:2)
Actually that sounds like a pretty good candidate for an open source project. Once you've created the RSA ACE/Server clone you could have someone mass fabricate cheap tokens with replaceable watch batteries. Maybe have them plug in via a USB interface to upload a new encryption seed should it get compromised.
Re:We just need to kill passwords (Score:2)
2) Easily spoofed
3) Makes identity theft far easier - we now just need to steal 1 number.
Re:We just need to kill passwords (Score:3, Informative)
2. No -- done right, a hardware token would have a private key that never leaves the token. It would authenticate itself by signing challenge data on command.
3. The private key would never leave the device. It would erase its memory if tampering i
solution - iButton (Score:2)
Can hardly wait... (Score:3, Insightful)
Also isn't there an issue if someone discovers your password, they can "pretend" to be you on any site including sites with sensitive information such as paypal and the like...
Re:Can hardly wait... (Score:5, Insightful)
Anyone can run an identity server.. so for instance each ISP could have one, or you could choose to use Google's, or Yahoo's, or Livejournal's.. or even mine, if I choose to run one for my website. In an ideal world, AOL could run one and integrate it with their AIM logins. Microsoft could run one and then Passports would work too.
Having a decentralized system allows you to avoid problems like this - it's kind of like jabber in my mind. I don't know *too* much about OpenID yet but this is the general idea.
Re:Can hardly wait... (Score:2)
Re:Can hardly wait... (Score:2)
Re:Can hardly wait... (Score:2)
Re:Can hardly wait... (Score:2)
I think it's time for me to really go a
Re:Can hardly wait... (Score:2)
Easy, I AM A GENIOUS, behold the next big thing!. It's finger that gives out publ
I managed to score "Ski Racer" on AOL... (Score:2)
Re:I managed to score "Ski Racer" on AOL... (Score:2)
Re:Can hardly wait... (Score:2)
A good Idea... (Score:1, Insightful)
Just my 2 cents...
Re:A good Idea... (Score:3, Informative)
And if you read the specs, I think you will see that OpenID is designed from the ground up with security in mind.
Re:A bad idea... (Score:3, Interesting)
Actually, as near as I can tell it doesn't "prove" anything. Anyone who learns or knows the URL can pretend to be me on this or any other site. Especially if you're dumb enough to use the subdomain format shown. (e.g. brad.livejournal.com)
Without a private portion (password) it fails at authentication of identity, and devolves to just being "easy"...
Re:A bad idea... (Score:3, Informative)
Not really. After you enter a URL in an OpenID login box, the OpenID producer will confirm that you've already logged in to the producer site. OpenID is essentially a single sign-on solution. You log in to the producer site once, then you can use your URL to log i
Re:A bad idea... (Score:2)
Which is the problem. It doesn't need to be your URL.
My current comments stand, with a couple of exceptions. First, it appears that you have to "authorize" a site. Second, you have to be logged in.
Given those two conditions, it appears I could easily impersonate someone on a site they frequent if they have a session running AND if I know (from their sig, perhaps) their URL/domain.
read the spec, dude (Score:3, Informative)
Re:read the spec, dude (Score:2)
Re:A bad idea... (Score:3, Funny)
Thank you for your thoughtful analysis.
Re:A good Idea... (Score:2)
Self Obsessed ID system? (Score:4, Funny)
Re:Self Obsessed ID system? (Score:3, Funny)
Read my blog about injustice at the Grammy's!
The point? (Score:2)
Sites that let you enter your name/URL/email/etc and show it without verifying you're you are lame.
On the other:
Somebody could run their own identity server that says they're http://spammer.example.com/000001/ [example.com] all the way to http://spammer.example.com/999999/ [example.com] and that's not a goal of this system to prevent.
If anyone can run their own identity server, then why use this rather than a (probably more user-friendly) Captcha [wikipedia.org] system?
Re:The point? (Score:2)
Re:The point? (Score:5, Informative)
So it's a convenience for users, not to prevent spammers. This does have spam implications: you can blacklist/whitelist ID servers and you don't have to give your email to every site you visit, but it's not really about preventing spam. It's about simplifying the mass of passwords and accounts you have.
DOA (Score:1)
What this is actually good for (Score:5, Insightful)
Registration is mostly good for keeping away trolls who can't even take the time to learn their native dialect of English well enough to write a coherent and grammatically correct post. Sometimes it's horrifying to read the structure of such posts because you realize how far our schools have fallen. I've gotten ones that if I didn't have a college-level grasp of English, I'd have no idea what was being said.
As long as security is the first priority, this is a good thing. What I wonder though, is how secure this could really be without centralization. The appeal of SixApart's service is that SixApart is guarding it aggressively from being cracked... so who runs this service? I'm not sure how well you could trust a P2P system like this since you have no definitive authority to say "this user is who he/she says they are."
Re:What this is actually good for (Score:2, Informative)
Re:What this is actually good for (Score:2)
"This is not a trust system. Trust requires identity first."
The only thing that this does is that it lets someone who has established an identity use that identity in other places without a relationship between the sites or between the user and the new site. This would let me convince groklaw that I'm http://slashdot.org/~iabervon [slashdot.org] as effectively as I convince slashdot itself without enabling groklaw to spoof me to other sites (like if I just sen
Re:What this is actually good for (Score:2)
The protocol has been gone over by a few cypher experts, who seem happy enough with it.
Whether you trust any particular site to be a reasonable validator of accounts is another matter. You might (for instance) allow IBM.com as an authenticator, but not AOL.com, if you thought that getting an aol.com account was too easy.
It's more meant to be so that I can identify myself in various places as being me - you can't trust anyon
PGP keys provide trusted ID, and far better (Score:2)
That previously invented wheel is PGP keys.
They were created for a different purpose, but they already contain a string that can be used as a legible identifier (which commonly contains a URL or email address), and they are trivially checked, and they are vastly more proven and secure as a means of trusted identification, and they already operate through a distributed syste
Blogs will be what might save the net! (Score:2)
And you want to know what ruins the net even more? Trolls. It does
All that jazz (Score:3, Funny)
Sometimes I wonder
Why we don't have it shut
Closed ID seems smarter
Burma shave
Seriously, all this jazz about the OpenID systems left, right and centre from so many sources, yet none of them work; perhaps a new vector is required
It looks vulnerable to spoofing (Score:2, Insightful)
Re:It looks vulnerable to spoofing (Score:2)
But yes, I agree that popularizing popping up a login to your server is a bad idea, as if people get used to this, that could be prone to phishing -- but not actual man-in-the-middle attacks to the actual OpenID protocol.
Anyway, the way I understand it, OpenID assumes that the user trusts both sites:
I have an OpenID
Re:It looks vulnerable to spoofing (Score:2)
--Quentin
Re:It looks vulnerable to spoofing (Score:2)
This is a good step (Score:2, Interesting)
So your first argument is that one of the components involved had a security problem? You'd better stop using the internet then, or maybe even your own CMS.
Easy Identification Across Web Sites (Score:2, Insightful)
public PGP key repository (Score:2)
Re:public PGP key repository (Score:2)
Well, that would be very backwards.
In fact, the whole OpenID idea is backwards. They basically reinvented finger.
People, get a clue, learn about PGP and use it.
All it takes is a simple plugin for firefox to sign any <textarea>.
The site can then match the keys against the existing public key server infrastructure.
NoCatAuth (Score:2)
Interesting (Score:2)
Self-Identification (Score:5, Insightful)
I was very pleased to see the LiveJournal system because it acknowledges what no system has done before: that identity belongs in the hands of the users.
This has two major aspects:
First, as argued over and over on the LiveJournal site, this is not an authentication system, it is an identification system. You are not being required to prove you are who you say you are, you are instead being given a mechanism to declare who you are.
It is, in purpose and intent, as secure - and no more secure - than filling out a web form. But the idea here is that you fill out the form just once, and then using a system of call-backs (to ensure your personal information isn't spoofed) you can use that information anywhere on the web.
Let me repeat that, in case you didn't get it: anywhere on the web.
The idea is, if you want, you can have the *same* identity on each of dozens of websites. Which means, say, if your email address changes, you change it once, and this information is now available (if you want it to be) to all of your accounts. Ditto your home page.
I will leave the many many applications - such as web-wide personalized display, in-page messaging, multi-site social networking, and more - as an exercise to the reader.
Second, what it means is that the system is distributed. This means that there isn't some centralized grand poobah of identity (the way Passport tried to be, the way Sxip is trying to be). It means you can choose any system you want to host your identity or you can build your own.
Let me repeat that: you can build your own.
Don't like their security. Make yours tighter. Too much lag on LJ. Host it yourself. Want to send different emails to different types of site. Code it.
One of the mistakes made in previous systems was in the use of a one-size-fits-all model, which meant that the level of security had to be at the highest possible - which is orders of magnitude more than someone needs merely to write blog posts and comments. Building a distributed system allows each person to decide how much - or how - security is appropriate.
Having made these two points, I would like to mention briefly where my system goes beyond LJ's. In their system, you are still typing your home URL at each site you visit. In mine, you don't ever have to type your home URL - it is stashed in the browser agent environment variable, where it can be picked up by any site that needs it. Oh I know, you probably shouldn't do that - but I've been testing this for months with no ill effects. YMMV, and if you have a better idea, I'm all ears.
Despite the naysayers here on Slash, this system - or something very like it - will become the norm on the internet very soon.
Why?
- Because it will be very simple to install for websites, especially after things like Drupal and Wordpress modules are built.
- Because it will be very simple for the user, because they just need to type one thing in (or extensions will be built for my type of system).
- Because it will work.
- Because it will be no less safe, and probably more safe, than filling forms willy-nilly everywhere you go.
xdi.org and I-Names?? (Score:2)
Taking it a step further (Score:3, Interesting)
What if we took this idea a step further and added a form of authentication, namely, signing of messages?
Here's what I have in mind, please point out any flaws in my logic:
Off the top of my head, the only two potential issues I see are:
Problems with OpenId (Score:2, Interesting)
I put off reading the OpenID [openid.net] spec [openid.net] because I thought it was probably flawed. Now I just feel like applying my head to my desk.
OpenID is led by this philosophy:
The above is taken from a discussion [danga.com] of vulnerabilities. The problem with this lowest common denominator approach is that it's horribly broken. OpenID is
Hmmmm (Score:2)
Re:Not really that good, IMHO. (Score:5, Funny)
Re:Not really that good, IMHO. (Score:5, Informative)
Re:Not really that good, IMHO. (Score:2, Insightful)
Not really.. if you aren't remembering passwords, you're pretty much out of luck when you go to another terminal, or forget to backup your firefox directory and lose your data.
Maybe this type of system isn't for you, but I can definitely see some use for it.
Also, just because something is comp
Re:Not really that good, IMHO. (Score:2)
Not that bad, either (Score:5, Insightful)
I'd have thought the motivation was to limit the number of separate accounts you need. Having a billion accounts running around is a massive security nightmare. Either you're using the same password everywhere (and telling every web site owner your password) or you're wandering around with a notebook of thousands of passwords.
Firefox won't remember your password if the computer is a public terminal, or if you use multiple computers (e.g. at home and at work.)
No, this isn't the ultimate solution (which involves encryption, a portable very strong crypto key time-based challenge-response, and perhaps biometrics), but it could be a good half-measure.
Re:Not that bad, either (Score:1)
Re:Not that bad, either (Score:3, Insightful)
Re:Not that bad, either (Score:2)
Re:Not that bad, either (Score:2)
Actually, it appears that you can [livejournal.com]. If I'm not mistaken, logging in there gets you a normal login session at which point you can do anything a normal user can do. The only thing that seems to be disabled is for OpenID users to keep their own journals.
Perhaps they'll lock it down more in the future, though. I've also heard that GreatestJournal gives full access to their photo hosting service to anyone who logs in with OpenID.
Re:Not that bad, either (Score:3, Interesting)
Re:Not that bad, either (Score:2)
True, and it's not a half bad idea, but look at the previous attempts at a "shared password" system like Passport, "Adultcheck," and that thing that Sun/etc were pushing. They haven
Re:Not that bad, either (Score:2)
For another it's a distributed (kinda) system rather than a centralized one. The system is actually quite clever; it's basically a way for you to set up your own ID system. You can "shop around" for ID providers. All you really need to own is the URL. If your ID provider goe
Re:Not that bad, either (Score:5, Insightful)
This is a means of identification. You log in to a site. The site passes off a redirect url, of sorts, to the OpenID server (the part after the @), and asks THEM to verify who you are. The OpenID server does this, and either goes to the URL it was directed to, and now you're 'identified' to the original site, or says no
So, what if they spoofed the OpenID server, made it always say yes? Then now you have anyone @that_openid_server can ident as anyone else. This doesn't compromise me@some_other_server. I'll probably end up running my own OpenID server, and having my account on it. Or maybe get my friend to, and we'll all share. Small and localized, one password to remember, and works anywhere (home, work, laptop, desktop, friend's house..) and the authentication goes away when I close the browser window.
What, exactly, is wrong with this
Re:Not that bad, either (Score:2)
LiveJournal runs a free service to allow you to be me.livejournal.com (if it's not already taken), *OR* you could use ANY URL you want - presumably a bunch of providers will pop up, and you can use any one you trust... OR put it o
Re:Not that bad, either (Score:2)
I don't see any reason why you can't use it as part of authentication if you want. Just have a list of OpenID identities which are allowed access and let OpenID handle the identity checking step. If the user successfully logs in with an approved identity, you then let them have all of the associated privileges.
In fact, from what I understand LiveJournal is already doing something like this: users can add OpenID identities to a list which then allows those entities to post comments with a greater level of
Re:Not really that good, IMHO. (Score:1, Funny)
It would be easier to identify someone (and harder to spoof someone) if their ID information carried across multiple sites.
Re:Not really that good, IMHO. (Score:4, Insightful)
3 Tools like Firefox's "remember password" make these kinds of shared identity systems obsolete, don't they? Who cares how many passwords you have to remember? You don't have to remember ANY of them anymore, really.
One of the things I hate about internet is precisely this. Face it, how do you feel when some links in slashdot to a "register for free!" kind of link? I also hate when I go to a blog or an online forum and I'm forced to register, wait for email, login, etc. Most of the time I give up - this thing would fix those problems.
Comment removed (Score:4, Interesting)
Re:Not really that good, IMHO. (Score:4, Interesting)
No one liked Passport so that's why it didn't get used. This is a different idea which has a slim, but possible, chance of success.. even on large sites.
Re: (Score:2)
Re:Not really that good, IMHO. (Score:3, Informative)
They wanted to keep the protocol simple and easy. Another layer can be added on top of it, later on, for profile exchange.. but they specifically avoided doing it in this version.
The problem with profile exchange is, it's hard to maintain. Once you give them information, they can keep it. If you only give them a
Re:Not really that good, IMHO. (Score:2)
(Yeah, right.)
This system doesn't require a central trusted entity.
Re:Not really that good, IMHO. (Score:2)
Actually, it used to bother the hell out of me.. but now, it BugsMeNot [roachfiend.com]..
Re:Not really that good, IMHO. (Score:3, Insightful)
I'm not saying that we need more services like the one in the article, but it would be nice to have some sort of simple way to fix this.
Re:Not really that good, IMHO. (Score:3, Insightful)
Re:Not really that good, IMHO. (Score:2, Insightful)
5 Seconds? Where did you get that benchmark?
I'm a CMS designer,
Ah, that explains it.
If I'm on a computer I trust, I might allow it to save my password. If I run across a forum that requires a login, I'm more than likely not going to take t
Re:Not really that good, IMHO. (Score:5, Informative)
Secondly, addressing your remember passwords comment, it's a complete waste of resources for the system for these users, who just may want to leave a comment, to force them to sign up for an account. Why not just let them provide a reference URL which represents them, and let that server verify that the provided URL is the user's?
Many of your points were simply "This is complex", or "This requires relying on more systems", and conclude that it's bad. Firstly, I think 'rely' is the wrong word for this. You're using these other systems, yes, but if these other systems go down, it doesn't stop you from doing anything. It's similar, though not a perfect analogy, to saying that having more IRC servers in a given network is bad because you're relying on more servers.
Also, imagine the advantages this gives when designing around this system. Forums which are really only for one topic, such as an official forum for a specific piece of software, don't even need to store any user or password information (and therefore don't have any sensitive data). The forum can simply store the OpenID URL for the admins and allow anyone who can verify with that URL do all of the admin work.
It's the first step to providing a true roaming profile, and single sign-on for the web, and it's done in an open manner. I think it's a step in the right direction.
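The forum design described in the comment above (store only the admins' identity URLs and let the identity server vouch for them), sketched as an added example that is not part of any comment in this thread and is not taken from the OpenID spec. The message fields (`identity`, `return_to`, `nonce`, `sig`), the HMAC-SHA256 signing format and the shared secret between forum and identity server are assumptions made for illustration; all URLs and values are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample data. The forum keeps identity URLs only, no passwords.
ADMIN_IDENTITIES = {"http://alice.example.com/"}
RETURN_TO = "http://forum.example.org/openid/return"
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize(url):
    """Canonical form, so different spellings of one URL compare equal."""
    p = urlsplit(url.strip())
    if p.scheme not in DEFAULT_PORTS or not p.hostname or p.username or p.password:
        raise ValueError("not an acceptable identity URL")
    port = "" if p.port in (None, DEFAULT_PORTS[p.scheme]) else f":{p.port}"
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme}://{p.hostname}{port}{p.path or '/'}{query}"


def sign(secret, fields):
    """HMAC over sorted key:value lines (hypothetical wire format)."""
    if any("\n" in f"{k}{v}" or ":" in k for k, v in fields.items()):
        raise ValueError("field would make the signed text ambiguous")
    text = "".join(f"{k}:{fields[k]}\n" for k in sorted(fields))
    mac = hmac.new(secret, text.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def verified_identity(secret, response, seen_nonces):
    """Return the normalized identity URL, or None if the response is not trustworthy."""
    fields = {k: v for k, v in response.items() if k != "sig"}
    try:
        expected = sign(secret, fields)
        identity = normalize(fields["identity"])
    except (KeyError, ValueError):
        return None
    if not hmac.compare_digest(expected.encode(), str(response.get("sig", "")).encode()):
        return None  # not produced by the identity server
    if fields.get("return_to") != RETURN_TO:
        return None  # assertion was issued for a different site
    nonce = fields.get("nonce")
    if not nonce or nonce in seen_nonces:
        return None  # replay of an earlier response
    seen_nonces.add(nonce)
    return identity


def is_admin(secret, response, seen_nonces):
    """Admin rights only for a verified identity that is on the stored list."""
    identity = verified_identity(secret, response, seen_nonces)
    return identity is not None and identity in {normalize(u) for u in ADMIN_IDENTITIES}


def make_response(secret, identity, return_to, nonce):
    """What the identity server would send back (constructed for the demo)."""
    fields = {"identity": identity, "return_to": return_to, "nonce": nonce}
    return {**fields, "sig": sign(secret, fields)}


if __name__ == "__main__":
    secret, seen = b"constructed-shared-secret", set()
    good = make_response(secret, "HTTP://Alice.Example.COM", RETURN_TO, "n1")
    forged = {"identity": "http://alice.example.com/", "return_to": RETURN_TO,
              "nonce": "n2", "sig": "AAAA"}
    print("genuine:", is_admin(secret, good, seen))
    print("replayed:", is_admin(secret, good, seen))
    print("forged:", is_admin(secret, forged, seen))
```

Knowing an admin's URL is not enough here: the forum grants rights only when the response carries a valid signature, was issued for this forum's return address, and has not been seen before.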
Re:Not really that good, IMHO. (Score:5, Insightful)
Re:Not really that good, IMHO. (Score:2, Insightful)
Um, no, that's not true. The way it works is that you go to one site, enter your ID, it redirects you to a page on your identity server asking if you want to allow the other site to verify your identity, and then it redirects you back to the original site. Now, if you weren't already logged in on your identity server, you would have to log in first, so it would redirect you to a login page on your identity server
Re:Not really that good, IMHO. (Score:2)
So, what's the danger here? Idiots will log in to a site they don't need to be in, get their identity and openid password stolen, and then go running around logging in to all these sites and leaving comments as you.. where every single time they log
Re:Not really that good, IMHO. (Score:2)
Instead, I'd have the identity server return "not logged in", and make people log in to the identity server first, separately. This is for people like me, who log into slashdot first thing in the morning, then proceed to visit other sites during the day... I'm already logged in to slashdot, so it can v
Re:Not really that good, IMHO. (Score:2)
Re:Not really that good, IMHO. (Score:2)
11. Profit!!! (Score:2)
(Sorry, had to!)
Re:Not really that good, IMHO. (Score:2)
2. It takes a little longer than just five seconds to register for a new service. First you have to spend at least five seconds filling out a form and squinting to read the CAPTCHA. Then you have to wait a few minutes for the email to finally arrive and then confirm it. Of course, I'm only talking about the majority of services here. Clearly there are one or two (total) services in the world which actually take five seconds to sign up for.
Furthermore, that's not the only reason they did it. Suppose J
Re:Not really that good, IMHO. (Score:1)
Being modded down?
Re:Obligatory (Score:2)
*sigh* oh slashdot...
Re:Rivalry (Score:3, Informative)
and his comments about spam and trust lead one to believe that these are areas SixApart's service could fill.
Re:Rivalry (Score:1)
I'm guessing he might be, as he is a SixApart employee since they bought Danga (LiveJournal).
Re:Insecure by design (Score:1, Insightful)
There are many fun topologies out there like Decentralized Ring (ala Gnutella2; don't knock the design just because the inventor was controversial) which work around issues in simple systems such as Distributed or Centralized. Ultimately your application will
Re:Insecure by design (Score:3, Informative)
Such a system would be the foundation of a new set of services as well. For example, if all the citizens of the world would wear a GPS transmitting necklace or under-the-skin implant no one would ever be wrongly accused of a crime or be accidentally lost in the wilde
Re:Insecure by design (Score:2)
Re:useless (Score:2)
Re:useless (Score:2)
Christ on a cracker, I know this is Slashdot, but could you at the very least read the summary?