    The OpenID Era Opens

    By
    Larry Seltzer
    -
    February 20, 2007

      If you haven't used OpenID yet, you probably will soon. This new open standard for identity exchange on the Internet is picking up support from all over the place and appears unstoppable in the blogosphere.

      AOL is the latest large company to announce support for OpenID, and it's a smart move for them, making your AOL login useful wherever you go. Before that we had Microsoft and Symantec announcing support.

      Microsoft's support looks serious, especially inasmuch as its implementation is a good example of how to address security deficiencies in OpenID. And the deficiencies in the early versions of OpenID are serious.

      OpenID is an identification system that allows anyone with a Web server to be an identity provider. The identities are URLs, like "johndoe.openid.net." When a user logs in to a site, the RP (Relying Party) fetches that URL to discover which server vouches for it (openid.net in the example) and redirects the user there. That site, the IP or Identity Provider (the OpenID 2.0 specification calls it an OP, for OpenID Provider), authenticates the user and sends the user back to the RP carrying a signed authentication assertion. If the two have never communicated before, there are some additional communications at this point: the RP and the IP either agree on a shared secret up front (an "association"), so that the RP can check the signature itself, or the RP hands the assertion back to the IP afterwards and asks whether it is genuine. Here is the official list of OpenID identity providers and here is a list of services that support OpenID.
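      The exchange just described, as an added example that is not part of the original article and not the code of any OpenID library: a relying party, an identity provider and the browser between them, simulated in one Python process. The identifier, hosts, user and password are constructed, and the association key is handed over directly rather than through the Diffie-Hellman exchange the specification uses. It follows the OpenID 1.1 signing rule (HMAC-SHA1 over the key-value form of the fields listed in openid.signed) and shows what the RP has to check when the user comes back.

```python
"""OpenID 1.1 login, simulated end to end in one process.

Added example, not from the article or from any OpenID library. The identifier,
provider, user and password are constructed, and the association key is handed
over directly rather than through the spec's Diffie-Hellman exchange.
"""
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed: the pages an RP would fetch from two users' identifier URLs.
IDENTITY_PAGES = {
    "http://johndoe.example.net/": '<link rel="openid.server" href="http://op.example.net/server">',
    "http://janedoe.example.net/": '<link rel="openid.server" href="http://op.example.net/server">',
}


def discover(identifier):
    """Discovery: the identifier page names its provider in <link rel="openid.server">."""
    m = re.search(r'rel="openid.server" href="([^"]+)"', IDENTITY_PAGES.get(identifier, ""))
    if m is None:
        raise ValueError("no openid.server link for " + identifier)
    return m.group(1)


def sign(mac_key, fields, signed):
    """HMAC-SHA1 over the key-value form ("key:value\\n" per signed field, in the
    order given by openid.signed), base64 encoded, as OpenID 1.1 specifies."""
    kv = "".join("%s:%s\n" % (k, fields["openid." + k]) for k in signed).encode()
    return base64.b64encode(hmac.new(mac_key, kv, hashlib.sha1).digest()).decode()


def query_of(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class Provider:
    """The IP: verifies the user's password and signs the assertion."""

    def __init__(self, endpoint, users):
        self.endpoint, self.users, self.assocs = endpoint, users, {}

    def associate(self):
        """The extra round trip for a first-time RP: hand out a MAC key and a handle.
        In reality this is an HTTP POST with openid.mode=associate."""
        handle = secrets.token_hex(8)
        self.assocs[handle] = secrets.token_bytes(20)
        return handle, self.assocs[handle]

    def checkid_setup(self, query, password):
        """Serve the redirected request; return the redirect back to the RP."""
        if self.users.get(query["openid.identity"]) != password:
            return query["openid.return_to"] + "?" + urlencode({"openid.mode": "cancel"})
        signed = ["mode", "identity", "return_to"]
        resp = {"openid.mode": "id_res", "openid.identity": query["openid.identity"],
                "openid.return_to": query["openid.return_to"],
                "openid.assoc_handle": query["openid.assoc_handle"],
                "openid.signed": ",".join(signed)}
        resp["openid.sig"] = sign(self.assocs[resp["openid.assoc_handle"]], resp, signed)
        return resp["openid.return_to"] + "?" + urlencode(resp)


class RelyingParty:
    def __init__(self, return_to, providers):
        self.return_to, self.providers, self.assocs = return_to, providers, {}

    def begin(self, identifier):
        """Discover the IP, associate with it if we never have, build the redirect."""
        endpoint = discover(identifier)
        if endpoint not in self.assocs:
            self.assocs[endpoint] = self.providers[endpoint].associate()
        handle, _ = self.assocs[endpoint]
        return endpoint + "?" + urlencode({
            "openid.mode": "checkid_setup", "openid.identity": identifier,
            "openid.return_to": self.return_to, "openid.assoc_handle": handle})

    def complete(self, response_url):
        """Verify the assertion; return the identifier, or None if anything is off."""
        q = query_of(response_url)
        if q.get("openid.mode") != "id_res" or q.get("openid.return_to") != self.return_to:
            return None
        signed = q.get("openid.signed", "").split(",")
        # Fields left out of openid.signed can be altered without breaking the
        # signature, so insist that the ones we rely on are covered.
        if not {"mode", "identity", "return_to"} <= set(signed):
            return None
        try:  # the identifier must belong to the IP we associated with
            handle, key = self.assocs.get(discover(q["openid.identity"]), (None, None))
        except ValueError:
            return None
        if handle is None or handle != q.get("openid.assoc_handle"):
            return None
        if not hmac.compare_digest(sign(key, q, signed), q.get("openid.sig", "")):
            return None
        return q["openid.identity"]


def login(password, tamper=None):
    """Play the browser: RP -> IP -> RP. `tamper` optionally edits the IP's reply
    in transit, as a man in the middle or a cheating user could."""
    op = Provider("http://op.example.net/server", {"http://johndoe.example.net/": "hunter2"})
    rp = RelyingParty("http://blog.example.org/return", {op.endpoint: op})
    back = op.checkid_setup(query_of(rp.begin("http://johndoe.example.net/")), password)
    if tamper:
        back = back.replace(*tamper)
    return rp.complete(back)
```

      Running `login("hunter2")` yields the identifier; a wrong password produces a cancel response, and swapping the identifier in the signed reply (`login("hunter2", tamper=("johndoe", "janedoe"))`) fails the signature check even though janedoe's page points at the same provider. The check that the identifier's discovered provider is the one the RP associated with matters just as much: without it, any server could assert any identifier.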

      The official announcement from Microsoft was joined by JanRain (a software company providing OpenID solutions, including popular libraries), Sxip (which has contributed to the OpenID 2.0 specification to improve extensibility) and VeriSign, an early pioneer in OpenID and an identity provider itself.

      The companies announced their intention to collaborate on integrating OpenID into Windows CardSpace. CardSpace is Microsoft's identity metasystem component, built on SOAP (Simple Object Access Protocol, an XML-based standard for remote procedure calls), XML and Web service standards including WS-Security, WS-Trust, WS-MetadataExchange and WS-SecurityPolicy; OpenID, by contrast, rides on ordinary HTTP redirects and form-encoded parameters. CardSpace also includes a GUI that lets users choose among multiple identities, known as Information Cards.

      The official announcement made several points:

      • OpenID will be extended to allow relying parties to request and be informed of the use of phishing-resistant credentials.
      • Microsoft recognized the growth of the OpenID community and the important role played by that community in the development of an Internet identity infrastructure. Microsoft agreed to work with the OpenID community in this development and on authentication and anti-phishing.
      • JanRain, Sxip and VeriSign recognized that CardSpace provides significant anti-phishing, privacy and convenience benefits to users.
      • JanRain and Sxip will add support for Information Cards to their OpenID code bases, bringing the same support to blogs and other Web sites that use their popular libraries, although, as the CEO of JanRain points out, they will not require their users to adopt it.
      • Microsoft plans to support OpenID in future Identity server products.
      • The four companies will work together to create a “Using Information Cards with OpenID” profile that will make it possible for other developers and service providers to take advantage of these technology advancements.

      Authentication vs. Trust

      It's important to note, as Brad Fitzpatrick of LiveJournal, the inventor of OpenID, has pointed out, that OpenID does not specify an authentication method. You don't need to use passwords or thumbprints or any other specific method; Fitzpatrick cites examples he has seen using Kerberos, voice prints and numerous other, less common authentication mechanisms. How the IP authenticates the user is strictly between the two of them; the RP sees only the resulting assertion.

      This flexibility undoubtedly engendered confidence in Microsoft and the other vendors that are moving to support OpenID. Authentication is not the same as trust: a relying party might choose to trust users authenticated through biometrics more than those authenticated through passwords, but OpenID as it stands does not tell the RP which method was used.

      Microsoft, for instance, has long advocated the use of smart cards and hopes to drive their adoption with the launch of its Identity Lifecycle Manager 2007, introduced at the RSA Conference. The software will make it easier to integrate strong authentication technologies into Microsoft networks, and you can expect smart card support through OpenID as well.

      And stronger authentication will definitely be necessary. The OpenID community is discussing the substantial potential for phishing of IDs. See this blog and this wiki for discussions.

      Here's the short form: you go to a malicious site and it asks you to log in with your OpenID. Instead of redirecting you to the real IP for your OpenID, it redirects you to a fake version of that site (perhaps employing phish-enabling vulnerabilities such as these), which asks you for your password, and you give it. Nothing in the protocol prevents this: the RP alone decides where the redirect goes, and because you never reach the real IP, the signature checks that protect the RP never come into play.

      There are many ways such attacks could be fought, and they are discussed on the OpenID.net wiki on the subject. One simple idea is to do what VeriSign does on its IP site: ask the user to pick a graphic, then display it whenever the user logs in. This technique, essentially the same as Bank of America's SiteKey, proves to the user that the VeriSign site is what it claims to be, but it still puts the onus on the user to notice when the graphic is missing.
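      The attack in the preceding paragraphs and the user-side defences, as an added example that is not from the article or from any OpenID implementation (the hosts, the identifier and the chosen image are constructed): an honest RP and a rogue RP built from the same identifier, and a simulated user who applies either no check, the remembered-image check or a host check against discovery of their own identifier before typing the password. Note what the rogue RP never has to do: nothing in the protocol stops it choosing the redirect target.

```python
"""Rogue relying party phishing, and the checks a user-side guard can make.

Added example, not from the article or from any OpenID implementation. The
hosts, identifier, site image and login forms are constructed. An honest RP
and a rogue RP are shown side by side, and a simulated user who follows the
redirect applies one of three guards before typing the password.
"""
import re
from urllib.parse import urlencode, urlsplit

# Constructed: the identifier page naming the genuine provider, and the image
# the user picked at enrollment (the VeriSign / SiteKey idea).
IDENTITY_PAGES = {
    "http://johndoe.example.net/": '<link rel="openid.server" href="http://op.example.net/server">',
}
SITE_IMAGES = {"http://johndoe.example.net/": "blue-teapot.png"}
RETURN_TO = "http://blog.example.org/return"


def discover(identifier):
    m = re.search(r'rel="openid.server" href="([^"]+)"', IDENTITY_PAGES.get(identifier, ""))
    if m is None:
        raise ValueError("no provider for " + identifier)
    return m.group(1)


def honest_rp(identifier):
    """An honest RP redirects to whatever discovery of the identifier returns."""
    return discover(identifier) + "?" + urlencode(
        {"openid.mode": "checkid_setup", "openid.identity": identifier, "openid.return_to": RETURN_TO})


def rogue_rp(identifier):
    """A phishing RP skips discovery and sends the user to a lookalike host
    (op-example.net, not op.example.net) whose login form harvests the password.
    No protocol check stops this: the redirect target is the RP's to choose."""
    return "http://op-example.net/server?" + urlencode(
        {"openid.mode": "checkid_setup", "openid.identity": identifier, "openid.return_to": RETURN_TO})


def login_form(host, identifier):
    """What the form at `host` can show before asking for the password: the
    genuine provider knows the user's image, a lookalike does not."""
    if host == urlsplit(discover(identifier)).netloc:
        return SITE_IMAGES.get(identifier)
    return None


# Three kinds of user. Each guard sees the identifier the user typed (not the
# one in the redirect, which the RP controls) and the URL the RP sent them to.
def no_guard(typed, redirect):
    return True


def image_guard(typed, redirect):
    """Types the password only if the remembered image is on the form."""
    return login_form(urlsplit(redirect).netloc, typed) == SITE_IMAGES[typed]


def host_guard(typed, redirect):
    """Checks the form's host against discovery of the user's own identifier,
    as a browser plug-in or a bookmarked provider page could."""
    return urlsplit(redirect).netloc == urlsplit(discover(typed)).netloc


def password_goes_to(rp, guard, identifier="http://johndoe.example.net/"):
    """Follow `rp`'s redirect; return the host that receives the password, or None."""
    redirect = rp(identifier)
    return urlsplit(redirect).netloc if guard(identifier, redirect) else None
```

      With `no_guard`, `password_goes_to(rogue_rp, no_guard)` hands the password to op-example.net; both `image_guard` and `host_guard` return None for the rogue RP and still let the honest one through. The image check depends on the user actually looking, which is the weakness the paragraph above describes; the host check can be automated, but only on the user's side, since the RP is the attacker here.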

      I've wondered how far you could go with OpenID. It's one thing to use it for blogs and social networking sites, but could Amazon.com or your bank ever let you log on with an OpenID? We are, at the very least, a long way from that. But perhaps it could happen.


      One way I could imagine it working is for sites to discriminate between OpenID IPs. They might trust AOL, for example, but not openid.ispamyou.net. In fact, OpenID might turn into a way for sites to require even stronger authentication than they have now and outsource the process.

      In the meantime, OpenID is just a convenience, both for users and for site administrators, who don't need to be in the business of managing a lot of unnecessary sensitive information.

      Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
