Comments on: OpenID deserves to die http://www.matusiak.eu/numerodix/blog/index.php/2008/05/27/openid-deserves-to-die/ A blog about nothing Tue, 31 Jan 2012 20:14:03 -0500 http://wordpress.org/?v=2.8.6 hourly 1 By: Samat Jain http://www.matusiak.eu/numerodix/blog/index.php/2008/05/27/openid-deserves-to-die/#comment-116020 Samat Jain Sat, 24 Oct 2009 10:21:54 +0000 http://www.matusiak.eu/numerodix/blog/?p=1033#comment-116020 There are a lot of problems with OpenID, but I'm not following the ones you make. So, you said the concept died when you needed to put faith into a service provided by some third party provider, or a service you have to provide yourself. I don't see how this is different than anything else on the Internet... particularly e-mail. Most people use a 3rd party provider for e-mail, and those who do not want to trust those providers (including myself) host their entire e-mail stack themselves. If you're comfortable with the way e-mail works on the Internet, then you should be comfortable with the way OpenID works. (This touches a legitimate OpenID problem: it does authentication, not identification, so it does nothing to prevent abuse from spammers. That's another topic, however). I don't know about you, but I have a lot of logins. With OpenID, I only need to remember my authentication with my OpenID provider, something that I would use so frequently that it'd be difficult to forget. Because it's centralized and I only have one to remember, I can change also it's credentials more often and do all those good security practices that few ever actually do. Now, onto the real benefit of OpenID: it's a framework. It puts a lot of power in the hands of the provider, but that's the point. That provider (which you can control) can perform any kind of whacked-out challenge to verify you imaginable. Some things that exist today (or could exist): Verify a user by some second factor, such as an RSA SecurID token, or a browser certificate (done by Verisign's PIP). Verify a user by a key file stored on their computer, such as their GPG key. Provider could leverage something like FireGPG and GpgAuth. Verify a user by their fingerprint or some other biometric. Provider could interact with some other software controlling another authentication device. So, the point is, OpenID is a lot better than anything else we're doing now, and it enables sophistication and better security. Yes, all of the above could be done with some kind of fat client (i.e. in-browser) password manager, but guess what, we've had decades to do it and no one has come up with a good solution (and it's still not secure---the weakest link is still the password!). There are a lot of problems with OpenID, but I’m not following the ones you make.

So, you said the concept died when you needed to put faith into a service provided by some third party provider, or a service you have to provide yourself. I don’t see how this is different than anything else on the Internet… particularly e-mail. Most people use a 3rd party provider for e-mail, and those who do not want to trust those providers (including myself) host their entire e-mail stack themselves. If you’re comfortable with the way e-mail works on the Internet, then you should be comfortable with the way OpenID works. (This touches a legitimate OpenID problem: it does authentication, not identification, so it does nothing to prevent abuse from spammers. That’s another topic, however).

I don’t know about you, but I have a lot of logins. With OpenID, I only need to remember my authentication with my OpenID provider, something that I would use so frequently that it’d be difficult to forget. Because it’s centralized and I only have one to remember, I can change also it’s credentials more often and do all those good security practices that few ever actually do.

Now, onto the real benefit of OpenID: it’s a framework. It puts a lot of power in the hands of the provider, but that’s the point. That provider (which you can control) can perform any kind of whacked-out challenge to verify you imaginable. Some things that exist today (or could exist):

Verify a user by some second factor, such as an RSA SecurID token, or a browser certificate (done by Verisign’s PIP).

Verify a user by a key file stored on their computer, such as their GPG key. Provider could leverage something like FireGPG and GpgAuth.

Verify a user by their fingerprint or some other biometric. Provider could interact with some other software controlling another authentication device.

So, the point is, OpenID is a lot better than anything else we’re doing now, and it enables sophistication and better security.

Yes, all of the above could be done with some kind of fat client (i.e. in-browser) password manager, but guess what, we’ve had decades to do it and no one has come up with a good solution (and it’s still not secure—the weakest link is still the password!).

]]> By: J http://www.matusiak.eu/numerodix/blog/index.php/2008/05/27/openid-deserves-to-die/#comment-88571 J Mon, 22 Dec 2008 18:48:37 +0000 http://www.matusiak.eu/numerodix/blog/?p=1033#comment-88571 I like the idea of OpenID. Just in practice it is not working so well. I like the idea of OpenID. Just in practice it is not working so well.

]]> By: Dirk R. Gently http://www.matusiak.eu/numerodix/blog/index.php/2008/05/27/openid-deserves-to-die/#comment-58950 Dirk R. Gently Thu, 29 May 2008 15:09:58 +0000 http://www.matusiak.eu/numerodix/blog/?p=1033#comment-58950 I also have problems with openid. First I think it needs to be on a centralized server. Yeah, you can use your own but how many people besides us geeks do. Also I could never trust the security. Centralized login/passwords are what it's all about and it's a good idea but how secure are they? If you need OpenID cause you use multiple pc's - get a laptop! I also have problems with openid. First I think it needs to be on a centralized server. Yeah, you can use your own but how many people besides us geeks do. Also I could never trust the security. Centralized login/passwords are what it’s all about and it’s a good idea but how secure are they?

If you need OpenID cause you use multiple pc’s – get a laptop!

]]>