OpenID: What is it, and why everyone is talking about it
centernetworks.com — Lately OpenID has been hitting the front page of digg, del.icio.us, and many other large websites. People have been talking about OpenID quite a bit, in the last few weeks, and there are many out there, who don't even know what OpenID is or what it's about. So I'm here to tell you what it is, and why it's so big.
- 1274 diggs
- expert01, on 10/12/2007, -21/+5I don't like the way OpenID works. The average internet user can remember an email address, they can remember a normal login for a website, but having to use a domain name? It's just too complicated. Look into CardSpace, there are some open source implementations.
- EbilPhish, on 10/12/2007, -1/+7I think as long as they remember their own email address they should be fine. "username.domain.com" isn't any harder than "username@domain.com", granted some providers use more complex ones but I think the average monkey would be able to remember it, or use the auto complete feature at least.
CardSpace is unnecessary for this kind of thing, not decentralized either afaik, there seem to be a handful of vendors such as MS and Sun. Not sure if anyone can set up a vendor but it doesn't seem to be that way. Wouldn't want Microsoft to decide it doesn't want to play nice with Sun's CardSpace after it gets a majority of the users via MSN or something, and I prefer to have the option to host my own OpenID rather than simply hand over my personal details to large corporations.
"Because it is token-agnostic, CardSpace does not compete directly with other Internet identity architectures like OpenID and Liberty Alliance. In some ways the three approaches to identity can be seen as complementary." - http://en.wikipedia.org/wiki/CardSpace
Why is it that every time something about OpenID gets posted there's immediately someone that posts that people should use CardSpace without giving any valid reasons. Paid astroturfer much?
- tapo, on 10/12/2007, -1/+9How is it too complicated? How is tapo.digg.com any more difficult than tapo@digg.com?
- palmer, on 10/12/2007, -3/+20The use of an E-mail address as an ID is moronic. This growing trend is the hallmark of an ignorant site.
Most people today have more than one E-mail address. E-mail addresses, for many people, change over time with things like ISP changes or cable-company mergers. And who remembers which E-mail address they used for which Web site, months or years later? And if you have half a brain, you're not going to give a site your real E-mail address; you're going to set up a spam-bucket account at Hotmail or somewhere.
Any Web site that has a log-in-based system NEEDS TO LET THE USER SET UP A LEGITIMATE ID. That way, people can use the same ID everywhere, and just vary their passwords as they see fit.
This E-mail-address crap has to stop.
- solarpowered, on 10/12/2007, -0/+2You'd use CardSpace for a secure log-in to your OpenID "identity provider".
It's actually a really good idea... it closes the biggest loophole in OpenID, someone spoofing your OpenID "identity provider".
(CardSpace can and will have open source implementations, I wrote one already for Apache, see: http://www.sourceid.org/download/list)
- expert01, on 10/12/2007, -0/+1Thank you solarpowered. CardSpace supports OpenID and takes some of the headache away from the user.
- Unclebob1992, on 10/12/2007, -3/+4Thanks, great explanation.
- Rikkochet, on 10/12/2007, -2/+23Agreed. I also, enjoyed the, author's excessive and incorrect, use of most, commas.
- rockhauler, on 10/12/2007, -20/+7Sorry,
I won't 'bury' you, but this article is spam.
You remember Microsoft Passport? How about OpenSSL, and public/private key 'certificates', and signing authority.
In the article cited, nothing is said about how it works, what it is, and who guarantees the id?
No I didn't go to openid.net, and yes I noticed the popunder ad you served me, when I read your article.
Have a nice day.
- geekitechture, on 10/12/2007, -10/+3What an obnoxious prick you are!
He writes in the article that you claim explains nothing and is therefore "spam:"
"OpenID is a decentralized identity system, which allows you to create one single account, and use it all across the web.
So what do I mean when I say 'decentralized identity'? Basically, you can host your identity on any server that you choose, whether you put up your own or use alternatives, like myopenid.com. This means that if you want to keep your information away from individual websites, you can use your OpenID account and login safely without giving your information away."
What else do you need to understand this -- a diagram? Should someone draw a flow chart for you of signing in to 10 different websites with one ID created just for that purpose?
BTW if you were blocking ads with FF and/or AdBlock/Plus and/or FilterSetG you wouldn't see any ads, genius.
- palmer, on 10/12/2007, -3/+10By the way, an id is not the same thing as an ID.
That's not even spelling, dude. All you have to do is hit the Shift key.
- MadNuke, on 10/12/2007, -28/+2Isn't digg.com for people who already KNOW this stuff?
Guess not...
- cesclaveria, on 10/12/2007, -1/+14No, digg is for the kind of people who like to discuss this kind of topic.
Well, after version 3 digg is for anyone who wants to share some information and discuss it.
- bhavi, on 10/12/2007, -1/+13Digg is also for people who WANT to know this kind of stuff
- cyoung, on 10/12/2007, -2/+15I hate to be a grammar nazi... but if commas could be shot from a machine gun, this article would have been the unfortunate result. Sorry, but reading this was painful.
- qwonking, on 10/12/2007, -2/+12Reading, this, was, like, drowning, in, quicksand, made, of, commas, quick-comma, seriously,
- Jaq524, on 10/12/2007, -2/+10"This is one of two reasons, why OpenID is booming, right now."
"Having a service, such as this, where you can create your single account, and use it everywhere has been a hard thing to accomplish, or at least make successful."
"Getting large, well known sites, to implement the OpenID system hasn't been the easiest task, but now there are companies jumping on the bandwagon."
All, I can, say is, wow.
- jorazzle, on 10/12/2007, -0/+10it's like William Shatner, digg style
"pic, tures, or, it didn't, happen"
- DeFex, on 10/12/2007, -2/+2how would a kickback be delivered using this system? without kickback government would never use it.
- haxorjoe, on 10/12/2007, -1/+14This is going to be a stupid question, but can I like download this and run it on my own server so I can use my own domain name? *gets ready to be buried*
- malkir, on 10/12/2007, -2/+8Yes, you can.
- haxorjoe, on 10/12/2007, -2/+10In case anyone else wants to know: http://openid.net/wiki/index.php/Run_your_own_identity_server
- sagemane, on 10/12/2007, -1/+4You don't actually need to run your own identity server to use your own domain name as your OpenID, you can just add
- eridius, on 10/12/2007, -1/+4just add the appropriate HTML tags to your front page to point at your external OpenID provider (e.x. myopenid.com).
- cecil_t, on 10/12/2007, -0/+2That was weird, eridius finished sagemane's sentence. Here is the whole thing:
"You don't actually need to run your own identity server to use your own domain name as your OpenID, you can just add the appropriate HTML tags to your front page to point at your external OpenID provider (e.x. myopenid.com)."
This is called using a delegate server.
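The delegation described in the last few comments works because the relying party fetches the user's page and reads the OpenID link tags from its head. The following is an added example (not code from the article or from any commenter) of that discovery step in Python; it also rejects the empty and bare-word identifiers that produced the parse_url and fsockopen warnings other commenters pasted further down. The domain names and the SAMPLE_HTML page are constructed for the example; the rel values are the ones OpenID 1.1 and 2.0 HTML discovery define.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, urlunparse

# rel values from OpenID 1.1 (openid.server / openid.delegate) and from
# OpenID 2.0 HTML discovery (openid2.provider / openid2.local_id).
SERVER_RELS = ("openid2.provider", "openid.server")
DELEGATE_RELS = ("openid2.local_id", "openid.delegate")


def normalize_identifier(user_input):
    """Turn what the user typed into an absolute http(s) URL.
    Empty or schemeless junk is rejected here instead of being handed
    to the network layer (which is what the pasted PHP warnings show)."""
    text = (user_input or "").strip()
    if not text:
        raise ValueError("empty identifier")
    if "://" not in text:
        text = "http://" + text
    parts = urlparse(text)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {user_input!r}")
    # Drop any fragment; a bare host gets the trailing slash OpenID expects.
    return urlunparse((parts.scheme, parts.netloc, parts.path or "/",
                       parts.params, parts.query, ""))


class OpenIDLinkParser(HTMLParser):
    """Collect the OpenID <link rel=... href=...> tags from the page <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self.in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_head = False          # discovery only trusts the <head>
        if tag != "link" or not self.in_head:
            return
        attr = dict(attrs)
        href = attr.get("href")
        for rel in (attr.get("rel") or "").lower().split():
            if href and rel in SERVER_RELS + DELEGATE_RELS:
                self.links.setdefault(rel, href)


def discover(claimed_id, page_html):
    """Return the provider endpoint and the identifier the provider knows the
    user by. Without a delegate tag the local id is the claimed id itself."""
    parser = OpenIDLinkParser()
    parser.feed(page_html)
    endpoint = next((parser.links[r] for r in SERVER_RELS if r in parser.links), None)
    if endpoint is None:
        raise ValueError("no OpenID provider link found on the page")
    local_id = next((parser.links[r] for r in DELEGATE_RELS if r in parser.links), claimed_id)
    return {"claimed_id": claimed_id, "op_endpoint": endpoint, "local_id": local_id}


def assertion_matches_discovery(discovered, asserted_identity):
    """The provider asserts the *delegated* identifier. The relying party must
    check it equals what discovery found, otherwise anyone could point their
    own page at someone else's provider account and be accepted as them."""
    return asserted_identity == discovered["local_id"]


# Constructed sample page: a personal domain delegating to an external provider.
# The link inside <body> is ignored, since only <head> is consulted.
SAMPLE_HTML = """<html><head><title>Alice</title>
<link rel="openid.server" href="https://op.example.net/server">
<link rel="openid.delegate" href="https://alice.op.example.net/">
</head><body><link rel="openid.server" href="https://evil.example/"></body></html>"""

if __name__ == "__main__":
    claimed = normalize_identifier("alice.example.com")
    print(discover(claimed, SAMPLE_HTML))
```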
- milomilomilo, on 10/12/2007, -3/+3On one hand I love the idea because it would make things much more convenient as I visit quite a few of the big sites. Yet, on the other side, I think this is a huge security risk. I hate the fact that at work I have to store some of my site passwords on my local network, I can't imagine setting up my accounts and passwords and then giving my info to a third party.
I'm tossed up for now, I might try it sometime if I learn a bit more about it.
- eridius, on 10/12/2007, -1/+9You're not storing passwords on OpenID. The way this works is you have ONE password, and only your OpenID provider has that password (if you run your own OpenID server then nobody has it except you). What happens is the OpenID client (in this case the web app you're trying to log into) gives you a form where you enter your ID (in general, your domain, but there's something called i-names and i-numbers). It then queries the URL constructed from that ID to find the appropriate OpenID information (basically, the location of your OpenID provider). It sends your browser a redirect request to go to a URL on that provider (with the client's information encoded in the query). The provider then checks if you've authorized that site. If you haven't, it asks you to do so, as well as acknowledge which pieces of information (say, Nickname, or Full Name, or timezone) the client wants access to. Once you've authorized it (this is the only place you enter your password, and you're sending it to the OpenID server), the server redirects you back to the client, with the data the client wants encoded. This data is signed in some fashion (I don't know the specifics, but I assume it's verified against information the client independently received when requesting the OpenID Yadis document [part of the sequence of events done when checking for the OpenID server at the beginning of this transaction]), and includes the pieces of information requested by the client. When the client checks the signed data and finds it is valid, it knows 3 things:
1) You own the given domain name (or i-name/i-number), or at the very least the OpenID account associated with that domain (or i-name/i-number)
2) You've authorized the client on your OpenID server
3) Any of the information it requested from the OpenID server.
The first piece of information means that your OpenID identification is sufficient to uniquely identify yourself with the client app, which means it serves as the equivalent of your username. The second piece means you've legitimately signed into the OpenID server, which means you control that name, which means the client doesn't need to ask you for a separate password since you've already demonstrated control over the unique identifier. And the third piece means you can store certain information (e.g. nickname, full name, timezone) in one central location and clients can automatically update for changes the next time you log in.
So basically, this is a good thing from your point of view, as well as application developers. You only need to know one password, and you only ever give it to one site (and ideally this happens over https - I don't know if that's a requirement for OpenID, but I do know that myopenid.com uses https for this process). And application developers don't need to worry about dealing with user passwords, or rolling their own authentication process. In addition, libraries are available for various languages and frameworks to support OpenID.
As an idea of how neat it is, I'm developing a web application right now (as a project for class in school) written in Ruby on Rails. I looked at 2 different login generators, before it occurred to me to check OpenID. I grabbed the openid-generator gem, ran it, and made a few small tweaks to the generated code (mostly to request a few pieces of info from the OpenID server) and voilà, users could log in without me having to care one iota about password strength or security or email verification.
- eridius, on 10/12/2007, -1/+3...wtf... my comment is 1.5 times the length of the original article...
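eridius is unsure how the data the provider sends back is signed. In OpenID the relying party and provider first share a MAC key (the association step), and the provider's positive assertion carries an HMAC over the listed signed fields, which the relying party recomputes. The following is an added example (not from the article or from any commenter) of that verification in Python, written to the OpenID 2.0 key-value signing rules as I know them: the association handle, MAC key, URLs and nonce are constructed for the example, and the relying party is assumed to have already obtained the association out of band. It also shows the two checks a signature alone does not give you: that return_to is really this relying party, and that the response nonce has not been replayed.

```python
import base64
import hashlib
import hmac

# Constructed association. In the real protocol the relying party receives
# the handle and MAC key from the provider in the association step, so the
# key never passes through the user's browser.
ASSOCIATIONS = {
    "assoc-demo-1": {"type": "HMAC-SHA256", "mac_key": b"\x8b" * 32},
}
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}
# Fields a positive assertion must cover with its signature.
MUST_SIGN = ("op_endpoint", "return_to", "response_nonce", "assoc_handle",
             "claimed_id", "identity")


def key_value_form(params, signed_fields):
    """Key-value form over the signed fields: one 'name:value' line per
    field, 'openid.' prefix stripped, in the order given by openid.signed."""
    lines = []
    for name in signed_fields:
        key = "openid." + name
        if key not in params:
            raise ValueError(f"signed field missing from response: {key}")
        lines.append(f"{name}:{params[key]}\n")
    return "".join(lines).encode("utf-8")


def compute_signature(params, assoc):
    fields = params["openid.signed"].split(",")
    mac = hmac.new(assoc["mac_key"], key_value_form(params, fields), DIGESTS[assoc["type"]])
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_assertion(params, my_return_to, seen_nonces):
    """Check a provider's id_res response. Returns (ok, reason).
    A real relying party additionally compares op_endpoint and identity
    with what its own discovery step found for the claimed id."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    assoc = ASSOCIATIONS.get(params.get("openid.assoc_handle"))
    if assoc is None:
        return False, "unknown association handle"
    signed = params.get("openid.signed", "").split(",")
    missing = [f for f in MUST_SIGN if f not in signed]
    if missing:
        return False, f"fields not covered by signature: {missing}"
    try:
        expected = compute_signature(params, assoc)
    except ValueError as exc:
        return False, str(exc)
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        return False, "bad signature"
    if params["openid.return_to"] != my_return_to:
        return False, "return_to is not this relying party"
    nonce = params["openid.response_nonce"]
    if nonce in seen_nonces:
        return False, "replayed response"
    seen_nonces.add(nonce)
    return True, "ok"


def sample_response():
    """Constructed positive assertion, signed the way the provider would."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.net/server",
        "openid.claimed_id": "http://alice.example.com/",
        "openid.identity": "https://alice.op.example.net/",
        "openid.return_to": "https://rp.example.org/openid/finish",
        "openid.response_nonce": "2007-10-12T18:00:00ZabC123",
        "openid.assoc_handle": "assoc-demo-1",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = compute_signature(params, ASSOCIATIONS["assoc-demo-1"])
    return params


if __name__ == "__main__":
    print(verify_assertion(sample_response(), "https://rp.example.org/openid/finish", set()))
```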
- brindon, on 10/12/2007, -2/+5HAHAHAHA...Priceless. I hit "login" and was presented with this:
* warning: parse_url(http://) [function.parse-url]: Unable to parse url in /home/centerne/public_html/modules/contrib/openid/openid.module on line 187.
* OpenID Association failed
- preved, on 10/12/2007, -1/+5almost the same:
* warning: fsockopen() [function.fsockopen]: php_network_getaddresses: getaddrinfo failed: Name or service not known in /home/centerne/public_html/includes/common.inc on line 371.
* warning: fsockopen() [function.fsockopen]: unable to connect to abc:80 (Unknown error) in /home/centerne/public_html/includes/common.inc on line 371.
* OpenID Association failed
- bbear, on 10/12/2007, -4/+7How is this different from Microsoft Passport (which failed horribly)? None of these articles explains this.
- haxorjoe, on 10/12/2007, -3/+12What part of "Microsoft" did you not understand?
- Devilboy, on 10/12/2007, -1/+3It's similar to Passport but you can choose who you trust - with Passport you had to trust Microsoft.
- cyberbrent, on 10/12/2007, -0/+1Check out CLAIMID http://www.claimid.com Leo and Amber have discussed it a bit and it really is a perfect example of OPENID in use.
- cyberbrent, on 10/12/2007, -1/+0Net @ Nite link to the Podcast they talk about CLAIMID / OPENID http://twit.podzinger.com/results.jsp?filter=0&q=claimid&s=PZSID_pods_pod3_2_5_0004%3Bnet%40nite&col=en-all-pod_leo-ep
- antechinus, on 10/12/2007, -1/+5What happens if one's OpenID is compromised in some way? For example someone packet sniffs your login at a WiFi hotspot.
- stephenwq, on 10/12/2007, -2/+2It's just like anything else being sniffed?
- eridius, on 10/12/2007, -1/+3You should be using https for OpenID authentication. I don't know if it's a requirement of the OpenID process, but any reasonable OpenID provider should allow this (I know myopenid.com does).
- billyb93, on 10/12/2007, -4/+2Isn't this the same thing Microsoft tried to do a few years ago with their Passport program that never really took off?
- viz78, on 10/12/2007, -2/+5Is it me or doesn't anybody get the security hole this represents??
Now crackers need to crack only one id and get access to anything and everything!
Why is this more secure???
- diggalf, on 10/12/2007, -3/+5I agree. This is crazy. Of the list of sites using OpenID, I recognise only a couple. This is a dead duck and not at all what the article is touting it as being.
Not only could someone potentially gain access to multiple accounts through a flaw in the core account, but what about agencies that want to investigate an individual? Not that I've got anything to hide, but I couldn't imagine sacrificing so much control over my identity.
And that's the irony: this is being touted as a system giving more control over one's identity, when in reality it does exactly the opposite.
- stnever, on 10/12/2007, -2/+1This is a nice concept, one which I'd like to see working well, but I must agree I share your question. Perhaps it needs to get more attention and thought before it's widely adopted -- currently at the peak of expectations ;)
On the topic of security, probably those openId providers will assure strong authentication (https, digital signing and the like) to avoid crackers. Still, in the beginning, people will probably only use openId for sites which are not "critical" to them. For example, I wouldn't use one for banking, e-commerce, gmail or orkut/myspace; but I might as well use it for Flickr, Netvibes, Digg, Pandora, Youtube, etc... if someone gets ahold of my details for those sites I will be angry but it's not a big deal.
Let's wait and see =)
- Kontra8, on 10/12/2007, -2/+3Agreed.
Calling this a decentralized system is somewhat misleading since from a user perspective it's really centralized with all your info in one place. Being able to run your own Open-ID server sounds comforting but not much.
Whoever would get into your Open ID account has your complete online identity ready for use/abuse. Think about phishing attacks.
Also what about losing anonymity? I don't want one service to know what other service I'm using. There's a potential for that too.
- Devilboy, on 10/12/2007, -2/+6Ok, hang on there one minute, you guys are not thinking:
Firstly, you don't need to give any personal info to OpenID - just make up a name and give out your gmail address.
Secondly, if you're worried about security you can have EXCELLENT security across ALL sites supporting OpenID. Hackers can't hack into your Wordpress blog and get your password for other sites - they have to get your OpenID password. Thus you can set up or buy a highly secure two-factor OpenID service. For example, you could get an OpenID provider that sends you an SMS every time you log in, and asks you to enter the SMS code into OpenID. Thus an attacker must get both your password, and your phone to log into your accounts.
And remember, you don't have to use the same openid for everything, you can have two or three with various levels of personal details.
And lastly, phishing attacks will be much harder, since there will be thousands of OpenID suppliers out there and the phishers will not be able to emulate them all.
- Chewie67, on 10/12/2007, -3/+4Agreed.
Also, what's the difference between handing over my sensitive information to Digg.com or MyOpenID.com? Just because it says "OpenID" in their domain name doesn't automatically make them a trustworthy company. Who knows how secure this OpenID code really is. Who knows if the company is really doing what they say they are when you hit SUBMIT on the signup form.
OpenID is a crock as far as I can tell.
- crispytown, on 10/12/2007, -3/+4I have been saying this from the start... OpenID is not secure. And it will fail. Look at the history. Only 3 companies signed on the MS Passport service. And that was/still is running. But under the Live group. No one liked passport for the security reasons. And OpenID will fail just like Passport. Google won't use it because they are working on something themselves. MS already has one from the 90's, and Yahoo has their own single login system. Only people that might use this are small sites that won't see much traffic. I for one will never get an OpenID login just like I don't have a passport account either.
OpenID is just a different MS Passport. But this time since MS didn't make it.... it must be a good idea right? LOL
- GavinZac, on 10/12/2007, -0/+1on the other hand, there's only one possibility. using multiple log-ins means more chances of being correct for the cracker.
- dilema, on 10/12/2007, -2/+3I feel this way about OpenID. Agree? Disagree?
http://jyte.com/cl/openid-is-a-great-idea-but-like-other-decentralised-non-owned-protocols-it-is-subject-to-fragmentation-and-possibly-incompatibility-with-itself#new_comment
- zazzalicious, on 10/12/2007, -1/+4OpenID is horribly open to phishing attacks.
http://www.links.org/?p=187
http://simonwillison.net/2007/Jan/19/phishing/
It would be great if browser developers implemented something similar to ssh known_hosts so you get an alert if someone tries to impersonate your OpenID provider, otherwise people will be happily handing over their login details to they know not who.
Without this, I wouldn't touch OpenID with a barge pole. And I'd suggest you tell everyone you know not to either.
Apart from the ease of constructing a phishing attack, the rewards for the phisher are multiplied as they get access to many many sites rather than just one.
- rebrad, on 10/12/2007, -0/+3zazzalicious, you are right on the money.
The FBI would like to thank the proponents of OpenID for doing the job for them that they couldn't do.
- zazzalicious, on 10/12/2007, -0/+2@devilboy:
"Thus you can set up or buy a highly secure two-factor OpenID service. For example, you could get an OpenID provider that sends you an SMS every time you log in, and asks you to enter the SMS code into OpenID. Thus an attacker must get both your password, and your phone to log into your accounts."
I thought this was supposed to be 'easy to use' for the general consumer? Doesn't sound cheap either...
Also, OpenID works by having the site you’re logging in to send you to your provider, so the phishing site will know your identity provider too..
So I'd say.. "Ok, hang on there one minute Devilboy, you are not thinking..."
- pudding_boy, on 10/12/2007, -2/+0Could someone please explain how OpenID provides any level of authentication? Once someone decides to grant a given site access to their OpenID, what prevents someone else from giving that ID as their login on the same site?
For example: right now, everyone knows Kevin posts as kevinrose on digg.com. I could *try* to login as kevinrose but I would have to know his password. No dice. But if I know kevin is kevinrose.id.digg.com, and he has already posted under that ID (giving his password the first time), what prevents me from typing kevinrose.id.digg.com in the OpenID login box and posting as him? Does OpenID request a password every time? It doesn't seem like it.
To me, from reading the OpenID website, it seems more like OpenID serves as a business card, not as a Passport clone. I do not see where it provides any proof that I am who I say I am. Am I wrong?
- osuguy, on 10/12/2007, -0/+1Cardspace = Microsoft which is now supporting OpenID to use WITH Cardspace. They are integrating OpenID into Cardspace. I wish you people would look into what you say before you comment. The word "idiots" comes to mind. (Or ignorant).. Sorry, but it's the truth.
- solarpowered, on 10/12/2007, -0/+1"Cardspace = Microsoft" is just not true.
Feel free to write your own CardSpace client. (You might even make some bank, I do).
CardSpace doesn't really care what kind of security tokens are exchanged.
It's an open spec, for all to read and use *if they want*. Please tell me that you've read the spec.
CardSpace is actually well thought out, and provides "strong authentication".
And... without something like CardSpace's strong authentication, OpenID is limited to use with web resources that have little value (like signing on to a blog to comment, but not for banking).
- cecil_t, on 10/12/2007, -0/+1'"Cardspace = Microsoft" is just not true.'
Yes, it is.
"It's an open spec"
No, it's not.
Microsoft has decided to offer the Open Specification Promise (OSP) for the _Web services protocols_ that support CardSpace in particular, and the InfoCards architecture in general. The InfoCard/CardSpace specs are _not_ on the list. Only the web services specs underlying CardSpace are covered.
"And... without something like CardSpace's strong authentication, OpenID is limited to use with web resources that have little value"
Yes, they are two different systems for two different purposes.
"They are integrating OpenID into Cardspace."
Sort of, depending on who you mean by "they" - it's a consortium of a number of companies including Microsoft, but it's not Microsoft's initiative to do so. And they are working on it, not "now supporting" it.
- PhantomTrain, on 10/12/2007, -1/+1Blah. Stealing the opening lines from the article is lame.
Is a quick summary too much to ask?
- Profitsee, on 10/12/2007, -0/+0To address the security issues with OpenID, why not have the service check to make sure the request is coming from MAC id of the originating computer making the request? The downside is having your computer stolen, but the stealer would also have to know your OpenID url.