If you haven't used OpenID yet, you probably will soon. This new open standard for identity exchange on the Internet is picking up support from all over the place, and appears unstoppable in the blogosphere.
AOL is the latest large company to announce support for OpenID, and it's a smart move for them, making your AOL login useful wherever you go. Before that we had Microsoft and Symantec announcing support.
Microsoft's support looks serious, especially inasmuch as its implementation is a good example of how to address security deficiencies in OpenID. And the deficiencies in the early versions of OpenID are serious.
OpenID is an identification system that allows anyone with a Web server to be an identity provider. The identities are URLs, like "johndoe.openid.net." When logging a user in to a site, the RP (Relying Party) redirects the user and their OpenID URL to the site that provided it (openid.net in the example). That site, the IP or Identity Provider (also known in some places as an OP, although I'm not sure why), authenticates the user and returns an authentication token to the RP. If the two have never communicated before, there are some additional communications at this point. Here is the official list of OpenID identity providers and here is a list of services that support OpenID.
The official announcement from Microsoft was joined by JanRain (a software company providing OpenID solutions, including popular libraries), Sxip (who has made contributions to the OpenID 2.0 specification to improve extensibility) and VeriSign, an early pioneer in OpenID and an identity provider themselves.
The companies announced their intention to collaborate on integrating OpenID into Windows CardSpace. CardSpace, like OpenID, is an identity metasystem based on SOAP (Simple Object Access Protocol, an XML-based standard for procedure calls), XML and Web service standards including WS-Security, WS-Trust, WS-MetadataExchange, and WS-SecurityPolicy. CardSpace also includes a GUI to allow users to choose among multiple identities, known as Information Cards.
The official announcement made several points:
- OpenID will be extended to allow relying parties to request and be informed of the use of phishing-resistant credentials.
- Microsoft recognized the growth of the OpenID community and the important role played by that community in the development of an Internet identity infrastructure. Microsoft agreed to work with the OpenID community in this development and on authentication and anti-phishing.
- JanRain, Sxip and VeriSign recognized that CardSpace provides significant anti-phishing, privacy and convenience benefits to users.
- JanRain and Sxip will add support for the Information Cards to their OpenID code bases. This will bring the same support to blogs and other Web sites that use their popular libraries. Although, as the CEO of JanRain points out, they will not require such support from their users.
- Microsoft plans to support OpenID in future Identity server products.
- The four companies will work together to create a “Using Information Cards with OpenID” profile that will make it possible for other developers and service providers to take advantage of these technology advancements.
It's important to note, as has Brad Fitzpatrick of LiveJournal, the inventor of OpenID, that OpenID does not specify an authentication method. You don't need to use passwords or thumbprints or any other specific method. Fitzpatrick cites examples he's seen using Kerberos, voice prints and numerous other obscure Internet authentication standards.
This flexibility undoubtedly engendered confidence in Microsoft and other vendors who are moving to support OpenID. Authentication is not the same as trust. A service provider might choose to trust users authenticated through biometrics more than those authenticated through passwords.
Microsoft, for instance, has long advocated the use of smart cards and hopes to drive their adoption with the launch of its Identity Lifecycle Manager 2007, introduced at RSA. The software will make it easier for users to integrate strong authentication technologies into Microsoft networks, and you can expect smart card support through OpenID as well.
Here's the short form: You go to a malicious site and it asks you to log in with your OpenID. Instead of redirecting you to the real IP for your OpenID, it redirects you to a fake version of that site (perhaps employing phish-enabling vulnerabilities such as these), which asks you for your password, and you give it.
There are many ways such attacks could be fought, and they are discussed on the OpenID.net wiki on the subject. One simple idea is to do what VeriSign does on their IP site, which is to ask the user for a graphic that they then display whenever the user logs in. This technique, identical to Bank of America's SiteKey, proves to the user that the VeriSign site is what it claims to be, but it still puts the onus on the user to notice when the graphic is missing.
I've wondered how far you could go with OpenID. It's one thing to use it for blogs and social networking sites, but could Amazon.com or your bank ever allow you to log on with an OpenID? We are, at the very least, a long way from that. But perhaps it could happen.
One way I could imagine it working is for sites to discriminate between OpenID IPs. They might trust AOL, for example, but not openid.ispamyou.net. In fact, OpenID might turn into a way for sites to require even stronger authentication than they now have and outsource the process.
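To make the exchange described earlier concrete (RP redirects the user to the IP, the two sides set up a shared secret on first contact, the IP hands back a signed token) and to show the "discriminate between IPs" idea just above, here is an added example that is not from the article or from any OpenID library. It is a simplified in-process model: the message names, the field layout, the HMAC-SHA1 signature over sorted key:value pairs, and the discovery rule that "johndoe.openid.net" is served by "openid.net" are all assumptions made for illustration, not the OpenID wire format. The sample user, password and site names are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Added illustration of the OpenID flow described in the article: a relying
# party (RP), an identity provider (IP), an "association" (shared secret) set
# up the first time the two talk, and a signed assertion returned to the RP.
# Field names and signing scheme are simplified assumptions, not the real spec.


def sign(secret: bytes, fields: dict) -> str:
    """HMAC-SHA1 over a canonical 'key:value' serialisation of the fields."""
    msg = "".join(f"{k}:{fields[k]}\n" for k in sorted(fields))
    return hmac.new(secret, msg.encode(), hashlib.sha1).hexdigest()


class IdentityProvider:
    """Stands in for an IP such as openid.net in the article's example."""

    def __init__(self, host: str, users: dict):
        self.host = host
        self.users = users          # identity URL -> password (constructed sample data)
        self.associations = {}      # association handle -> shared secret

    def associate(self):
        """First-contact step: give the RP a handle and a shared secret."""
        handle = secrets.token_hex(8)
        secret = secrets.token_bytes(20)
        self.associations[handle] = secret
        return handle, secret

    def authenticate(self, identity: str, password: str, handle: str, return_to: str):
        """Check the user's credential; on success, return a signed assertion."""
        if self.users.get(identity) != password or handle not in self.associations:
            return None                      # no assertion is issued on failure
        fields = {"mode": "id_res", "identity": identity,
                  "return_to": return_to, "assoc_handle": handle}
        fields["sig"] = sign(self.associations[handle], fields)
        return fields


def discover(identity_url: str) -> str:
    """Assumed discovery rule: drop the first label to find the provider host.
    Real OpenID fetches the identity URL and reads the provider from it."""
    host = urlparse("http://" + identity_url).hostname
    return host.split(".", 1)[1]


class RelyingParty:
    def __init__(self, return_to: str, trusted_providers: set, providers: dict):
        self.return_to = return_to
        self.trusted = trusted_providers     # IP hosts this site chooses to accept
        self.providers = providers           # host -> IdentityProvider (stands in for HTTP)
        self.associations = {}               # host -> (handle, secret)

    def begin_login(self, identity_url: str):
        """Decide which IP to send the user to, refusing providers the site distrusts."""
        host = discover(identity_url)
        if host not in self.trusted:
            raise PermissionError(f"provider {host} is not accepted by this site")
        if host not in self.associations:    # the extra first-contact round trip
            self.associations[host] = self.providers[host].associate()
        return host, self.associations[host][0]

    def verify(self, response) -> bool:
        """Validate the assertion the user brought back before trusting the identity."""
        if not response or response.get("mode") != "id_res":
            return False
        if response.get("return_to") != self.return_to:
            return False                     # assertion was minted for some other site
        assoc = self.associations.get(discover(response["identity"]))
        if assoc is None or assoc[0] != response.get("assoc_handle"):
            return False                     # unknown provider or stale handle
        signed = {k: v for k, v in response.items() if k != "sig"}
        return hmac.compare_digest(sign(assoc[1], signed), response["sig"])


def run(password: str, identity: str = "johndoe.openid.net", tamper: dict = None) -> bool:
    """End-to-end run with constructed data; `tamper` simulates a modified response."""
    openid_net = IdentityProvider("openid.net", {"johndoe.openid.net": "correct horse"})
    rp = RelyingParty("http://blog.example/login", {"openid.net"}, {"openid.net": openid_net})
    host, handle = rp.begin_login(identity)
    response = openid_net.authenticate(identity, password, handle, rp.return_to)
    if response and tamper:
        response.update(tamper)
    return rp.verify(response)


if __name__ == "__main__":
    print("good login:", run("correct horse"))
    print("bad password:", run("wrong"))
    print("tampered identity:", run("correct horse", tamper={"identity": "alice.openid.net"}))
```

The two checks that matter for the article's points are in `begin_login`, where the RP simply refuses to send users to a provider it does not trust, and in `verify`, where the RP accepts nothing it cannot tie back to a shared secret it established with that provider itself. Note that none of this protects a user who types their password into a fake IP; that is the phishing problem the article discusses, and it has to be addressed on the IP side.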
In the meantime, OpenID is just a convenience, both for users and for site administrators who don't need to be in the business of managing a lot of unnecessary sensitive information.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.