February 20, 2007

Kevin Rose at FOWA: DIGG Adopts OpenID

Michael Arrington


Kevin Rose, speaking here at the Future of Web Apps conference in London, just announced that Digg will adopt the OpenID decentralized digital identity platform. Don’t expect this right away though - adoption will begin “later this year” according to Rose.

It’s definitely time to declare OpenID a winner and the hope for a single sign-on world a reality. This Digg news comes just after Microsoft and AOL announced their support as well. Yahoo, LiveJournal, and Wikipedia are among the other services that have previously announced adoption.


Comments

Great! I’ve been hoping it will adopt OpenID.

 

I spent 15 mins on OpenID’s site. At the end of it, I still had no clear idea about its purpose, why I should use it, what OpenID isn’t, etc.

I hope openID guys work on explaining this in a more layman’s language.

-Zaid

 

Looks like OpenID is here to stay. Interestingly, the news shows how much authority and influence Digg has these days.

 

Zaid - think of it this way - one set of login credentials for every site that supports it.

 

It definitely looks like OpenID is the winner. I’m really looking forward to a time where I can use a single sign on everywhere I need to login across the internet.

Question though: Does/will OpenID support payment information so it could be used at places like Amazon/Bestbuy.com/etc to purchase things online? At the moment I can figure out how to enter anything in besides basic contact and demographic information.

 

Any plans to implement this for your comments Arrington?

 

Zaid: check out Simon Willison’s IDProxy.net. It’s a super-simple way to create an OpenID, which can live there or on the URL of your choice.

 

I just hope openid becomes an option and not a standard. Just concerned about the privacy issues. Sites may ultimately limit which providers that they want to allow.

Also, isn’t the underlying technology the same as Microsoft Passport, for which they have a patent? The only difference being that the auth providers are distributed.

 

We got the story too Mike: http://www.vecosys.com/2007/02.....t-open-id/

I notice you were sitting next to Kevin just before he went on stage - nice work ;-)

 

Naturally. I finally sign up for a Digg account last week, and now they decide to go with OpenID. Pfft. Oh well. All’s good. It’s just frustrating. I hate having to sign up somewhere with a new ID/password, and so I held off for over a year ’cause I just didn’t want to bother. I finally do, and then they say “no, you won’t have to.” Heh. I’m happy about it, but it’s just so Murphy’s Law that I can’t believe it.

 

Bill: OpenID Supports extensions, so that the authentication itself does not require any other information (Even basic registration information)

So, to answer your question:
There aren’t any OpenID Servers (That I know of) that support payment information, but it’s totally possible, and the protocol was designed for that sort of integration.

Digg supporting openID will really help the little guys (Like Me) who jumped on board..

Very Good News..

 

openid is a security disaster just waiting to happen. bad call, kevin.

 

Matthew,

Why do you call OpenID a “security disaster”? I don’t see it as any less secure than any of the other usual auth tools.

 

Wikipedia announced support last summer, but it hasn’t yet been implemented (they’re busy implementing a single sign-on solution internally for their 600 wikis first).

 

Verisign has a free OpenID server now:
http://pip.verisignlabs.com/

So, when is Techcrunch going to support it? :)

 

What about security issues? This will provide for a centralized location of all users’ information. This would be a gold mine for hackers. Although, if they can implement and maintain a secure network it would be very convenient, but they will always be under the cross hairs of hackers.

Who knows maybe we should rethink this one..

 

why does digg need id ?
sitting along ms and aol - information wants to be free

byebye

 

From a user perspective, I’d say that OpenID would be the worst thing possible… sharing my account across all these sites… if that’s what they’re in fact trying to do? (the description leaves much info to be desired). *I’ll pass on that, thanks*

From a developer perspective, this could help solve some cross-platform, multi-sign-on (server-level authentication, not application-level authentication) issues that I have between web applications, although I don’t know if that will actually be the solution.

Interesting to see where this goes though…

 

And I need OpenID for what exactly?

 

open id uses dns as part of its authentication mechanism. dns spoofing is simple. all i have to do is spoof a few thousand dns responses to the right caching dns server and i can authenticate myself as you. that’s why i call it a security disaster. google “openid security” and you’ll come across a lot of unanswered questions.

 

I still don’t see the value prop of OpenID for the user. But this thing surely is manna from heaven for website owners, businesses, and thieves.

When you consider the sheer numbers of single password folks and post-it-on-their-monitor passworders, OpenID definitely has a big audience out there. Sign ‘em up!

However, I think if a single identity was ever in history thought to be a good idea in practice, my parents would have named me Stanley Miller2020139207399302 just so their boy wouldn’t be confused with the million other S. Millers out there.

-Stan

 

Well I guess this is good news for OpenID but they will now have to take a huge step forward with the whole security concerns behind their authentication process.

 

I think it was asked above but why not implement OpenID for commenting on your blog? Good place to show it being a winner would be here as well as allowing site commenters a way to see it in action.

For reference, open source OpenID blog commenting plug-ins available:

Movable Type: http://markpasc.org/code/mt/openid_comments/
Wordpress: http://verselogic.net/projects.....id-plugin/

 

Consider the flip side: Every site you (and by you, I mean the average user) register for gets your email address, and password (don’t kid yourself that all of them use best practices to store, and protect that data). Techcrunch readers might all use a different password for every site they register for, but most people don’t. I’d venture to guess that a majority of internet users use the same password for everything. OpenID allows you to use web sites without having to give up your password (and in some cases your email address).

I don’t think many people consider the other side of the coin, people are currently trusting every website that they register at with their password, and email address, which is enough to get total access to most people’s online identity.

You may say “single point of failure” but what about saying “Single Point of exposure”?

 

Justin - OpenID consumers (sites that you sign in to) will not be getting your password. The only place that stores your password is your OpenID provider.

And as for email - my OpenID provider allows me the option of choosing which personal information I feel comfortable sharing with OpenID consumers. At this stage, I do not share my email address, but if I feel comfortable sharing my email address with a site (such as digg) I can set up a trust profile with my OpenID provider.

 

Trumpi : ….??? Re-Read my comment. It is supporting OpenID, and a base reason to use OpenID.

 

good idea in principle, 1 login for multiple sites.. really pisses me off having 100+ user details everywhere for loads of sites..

however something like this would suit a company like verisign imo, i don’t think this particular incarnation is fully developed..

but if digg adopts it i have no doubt though that all the lemmings will follow, and hence from there anyone else without one will begin slowly to notice no one using their site cos it doesn’t have an openid system :/

 

Hi All,

There’s an Open Discussion on OPEN ID via SkypeCast going on tomorrow @ 4pm PST. It includes some people from AOL, Microsoft, and a few other people involved in OPEN ID. It’ll be an open forum so anyone can ask questions. If you’re interested in showing up, check out http://www.idcast.org (site is being put up today).

To clarify a few things I’ve been hearing on here, the concept of OPEN ID is that it’s decentralized and there will be many providers. Currently the source for most providers is open so anyone can see what’s going on. It gives you a choice on controlling your identity, and more control on who sees what.

Regarding some comments I saw on Digg about security, there IS work being done on security. A lot of us are hoping to see increased security features become available. Bottom line is that there needs to be, and if adoption of OPEN ID is good, then there will be. Any OPEN ID provider can build on the technology, and someone WILL do it, provided there’s enough reason to do so.

Either way, with so many recent providers adopting OPEN ID, it’s definitely something to be paid attention to. Come to the Skypecast tomorrow, ask questions. idCast.org is working to create an open forum so you guys can help shape what happens.

Hopefully I’ll see some of you there!

 

How long before the first breach in openID happens? I am thinking that this will invite the type of phishing and attacks that plagued the early years of AOL. I am not against the one login\password to rule them all, just being apprehensive about using it.

 

“Zaid - think of it this way - one set of login credentials for every site that supports it.”

that’s a good and a bad thing…
they’ve always said use a different username and password for every site.

while i use the same for everyone i still would rather it be stored in multiple places than something like this. and not be used for places i never care to go to.

 

OpenID will be a disaster. Once one site is breached, the rest will follow.

 

trackback: Open ID for dummies - http://webwebusability.wordpre.....nid-rocks/

Open ID isn’t less secure than today’s “username & password” paradigm.
No option will be perfect, you always have to consider the possibility of human mistakes, but if anyone can’t see the obvious advantages of it (most of them just because they see the word OPEN up there) they are blind.

 
benifit for providers - February 20th, 2007 at 2:15 pm PST

What is the benefit for becoming a provider? The ones I have seen so far are free. Do you foresee membership based openID providers?

 

Wow, amazing to see OpenID slammed by so many people who clearly know almost nothing about it.

1. OpenID has no central authorities, so there is no central place where everyone’s data is being collected.

2. Your username and password are only ever sent to one site, the OpenID provider that you choose. So as long as you are careful and your provider’s site is secure, it doesn’t matter if a site you use OpenID with has a security breach–it won’t let anyone log in as you via OpenID on any other site.

For example, I use OpenID to comment on LiveJournal. It doesn’t matter to me if LiveJournal is pwned tomorrow, that won’t help anyone log in as me via OpenID on any other site.

4. Since there’s no single OpenID signon page, it’s impossible to phish OpenID as a whole. Phishers will need to target all the individual OpenID providers. If I try to log into LiveJournal via OpenID and get directed to a phishing page that looks like AOL’s OpenID login instead of the provider I use, it’s going to be pretty obvious something is up.

5. If you want, you can even act as your own OpenID provider and not trust your security to anyone else. Want to be paranoid? Go ahead and set up your own OpenID provider server, and implement S/KEY authentication with one-time passwords and wrap it in SSL client certificate authentication. Phishproof.

6. You can change OpenID provider without changing your identity URL, just like you can change web host without changing your web URL. Think your provider’s security is getting shoddy? Switch provider.

7. Yes, DNS can be spoofed–but since you log in to your OpenID provider via SSL secured connection, the lack of a matching certificate ought to bring any DNS hacks to your attention. At any rate, OpenID is no less secure against DNS spoofing than any individual site login system.

8. You don’t have to have a single login/password if you don’t want. If you own your own domain, you can set up as many IDs as you want and direct them all to the same OpenID provider login/password, or you could direct each of them to a different login/password. The choice is up to you. Same goes if you have multiple domains. Want to set up a second ID exclusively for logging into porn sites so it can’t be traced to you via Google? Go ahead, OpenID allows that.

9. OpenID providers could provide a feature whereby the login password depended on the site requesting that you log in. It would kinda defeat the purpose of the system, but there’s nothing stopping anyone from doing it for themselves. Then you wouldn’t have a single password people could phish. Likewise, it would also be possible to make the provider require that you pre-designate which OpenID-using sites you want to be able to log in from.

10. OpenID has nothing to do with Microsoft Passport. Absolutely nothing.

 

The question one should ask is: Would a corporation allow their internal network security to be based on the OpenID standard?

Would they allow their employees to seamlessly cross intranet and Internet boundaries with their corporate OpenID to login to their favorite website? Perhaps, OpenID into the VPN?

-Stan

 

Ok, here is a scenario…

My info is stolen:

username: myid.myopenid.com
password: *******

US Bank also accepts openID. You get the rest…

Explain to me how that is as secure as the current method.

 

Is open ID like Microsoft passport, yahoo and google login, but it’s just a private organization?

 

won’t it just be an easier way for a hacker to access your name in every website that accepts it (open id)?????

 

“My info is stolen:

username: myid.myopenid.com
password: *******

US Bank also accepts openID. You get the rest…

Explain to me how that is as secure as the current method.”

Here’s the current method:

My info is stolen:

username: simonwillison
password: ****

US Bank also uses that same username and password. You get the rest.

If you’re concerned about this (and you should be), then use a different OpenID to log in to your bank - or even better, don’t use OpenID for your banking at all. There’s nothing wrong with having more than one OpenID, just like it’s a good idea to have more than one password.

 

Worked for me: You really need to read a bit more on the technology. Your example is flawed.

The same example would work just as well with standard login systems. If I know your email password, I know your password for most everything else (for most people).

Not to say there are not security issues.. but the issue you’re attempting to bring up makes no difference whether you’re using standard login or open id.

How about we make a “Worked for me” security protocol: We randomly generate user names and passwords for every site we login to, then we have it change the password every ten days. Make the password require at least ten characters, require, upper, lower case, special characters, and never use the same user name, or password twice.

The point i’m making is this:
The reason OpenID is taking off (and it is BTW) is because of the mindset of the “OLD IT” whereas convenience for the user doesn’t matter, and easily remembering user names and password is “their problem” is growing old… really old.

Rather than come up with generic, flawed examples of failure, how about you join the discussion, find solutions to problems, and stop the ivory tower building.

Or else you’ll end up like the banker who said “Banking.. On the Internet?! You’re Crazy!!”

I would have called you Bill Gates.. but even he is behind this technology.

 

“At any rate, OpenID is no less secure against DNS spoofing than any individual site login system.”

considering that an attacker can initiate KNOWN dns queries at a KNOWN server at will, does, in fact make it less secure against dns spoofing.

sorry for the nerdy tit-for-tat folks…

 

@matthew (nmr. 33)

Well said. Well explained.

I still think there are a lot of people discriminating the word “open”.

 

Is Digg going to implement OpenID the way AOL did, which is to say allowing Digg accounts to be used to log in elsewhere but not allowing anyone to use external OpenID accounts to log in to Digg (and making airy fairy wishy washy statements about how they might implement external signon some time in the deep dark future)?

Because if that’s the case, then all these supposed supporters of OpenID are full of shit and OpenID hasn’t gotten anywhere. Michael, if you know the answer to that, please post it.

 

DiGG is played out… OpenID is bleh. Roboform is all I need.

 

I seem to remember something that came out about 5 years ago called Passport. Amazing how people can cheer on the same system 5 years later just because it isn’t owned by Microsoft.

 

@Brain: We were opposed to passport because it was centralized. Microsoft owned everything. Now I own my id. I run my own server. Everything is controlled by me. I can share it with whom I want.

@Paul: I hope digg allows everybody like livejournal.

@Mathew good points to support OpenId

 

Passport was not only centralized. Ever tried to build an app that used passport authentication? As far as I knew you had to pay, big bucks.

 

Another use of open id. Use openId delegation method and use your profile page or about page as your open id. This will be like one profile page open to the world. And readers can see who you are.
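The delegation described in this comment, and in point 6 of the earlier numbered list (changing provider without changing the identity URL), as an added example that is not part of any comment on this page: a relying site reads the OpenID 1.x `openid.server` and `openid.delegate` link tags from the `<head>` of the identity page. The page contents, the `example` hostnames and the `require_https` policy are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class OpenIDLinkParser(HTMLParser):
    """Collect OpenID 1.x <link> tags, but only from inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            attr = dict(attrs)
            href = (attr.get("href") or "").strip()
            # rel may hold several space-separated values
            for rel in (attr.get("rel") or "").lower().split():
                if rel in ("openid.server", "openid.delegate") and href:
                    self.links.setdefault(rel, href)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(identity_url, html, require_https=True):
    """Return the claimed ID, the provider endpoint and the delegate ID."""
    parser = OpenIDLinkParser()
    parser.feed(html)
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link in <head>")
    # Assumed policy: only talk to provider endpoints reached over TLS.
    if require_https and urlparse(server).scheme != "https":
        raise ValueError("provider endpoint is not HTTPS: " + server)
    return {
        "claimed_id": identity_url,  # what the relying site keys the account on
        "server": server,            # where the user actually authenticates
        "delegate": parser.links.get("openid.delegate", identity_url),
    }


# Constructed sample pages served at the same identity URL over time.
IDENTITY = "https://blog.example.org/about"

PAGE_PROVIDER_A = """<html><head><title>About me</title>
<link rel="openid.server" href="https://openid.provider-a.example/server">
<link rel="openid.delegate" href="https://alice.provider-a.example/">
</head><body>Profile page</body></html>"""

PAGE_PROVIDER_B = """<html><head><title>About me</title>
<link rel="openid.server" href="https://id.provider-b.example/auth" />
<link rel="openid.delegate" href="https://provider-b.example/u/alice" />
</head><body>Profile page</body></html>"""

# Link tags outside <head> (for example in user-supplied page content) are ignored.
PAGE_LINK_IN_BODY = """<html><head><title>About me</title></head><body>
<link rel="openid.server" href="https://other.example/server">
</body></html>"""

PAGE_PLAIN_HTTP = """<html><head>
<link rel="openid.server" href="http://openid.provider-a.example/server">
</head><body></body></html>"""

if __name__ == "__main__":
    for page in (PAGE_PROVIDER_A, PAGE_PROVIDER_B):
        print(discover(IDENTITY, page))
    for page in (PAGE_LINK_IN_BODY, PAGE_PLAIN_HTTP):
        try:
            discover(IDENTITY, page)
        except ValueError as err:
            print("rejected:", err)
```

The claimed identifier is the same in both accepted results, so an account keyed on it survives the change of provider.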

 

I think openID is going to spell an end to centralized social networks like myspace. Because now, with openID, you could theoretically create social networks that spanned domains. I think pretty soon we’ll see social network features we typically associate with myspace and friendster and the like tacked onto existing personal publication frameworks like Wordpress. The one thing that has always protected myspace was the established personal networks on the site, but openID makes these connections portable.

 

Wait until the next crop of open source CMS systems get Open ID. There will be large uptake.

I know that Drupal will ship with Open ID in its next version, as will Media Wiki. If I’m not mistaken, WordPress will follow as will most other major systems as there is a $5000 bounty for the first 10 major projects to implement Open ID.

As a person who comments on blogs and uses Open ID, I know that I am more willing to comment if Open ID is supported because it is quick, simple and more secure than registering for every site known to man.

@ #33 Matthew: “4. Since there’s no single OpenID signon page, it’s impossible to phish OpenID as a whole.”

This is true but there will be market concentration among a few ID providers. Even if AOL is 5% of the market that means 1/20 tries will be a successful spoof. For the people sending me 200 spam messages a day these are very good odds.

 

OpenID is a good idea and a remarkable marketing success, but delivers an extremely poor single sign on system. Site operators are jumping into OpenId as they see in it as an early delivery for the long awaited web single sign on system.

Few however dare to decipher what is really going on this side.

1. OpenId has been recently hijacked by a few tenor in identity2.0 area and microsoft. The no security guarantee OpenId paves the road for the reasonably secure microsoft CardSpace system, which is a technology as closed as what microsoft normally delivers.

http://kerpass.wordpress.com/2.....on-openid/
http://kerpass.wordpress.com/2.....g-picture/

2. OpenId allows a single public identifier to be reused across a plurality of web sites. In the absence of reliable reputation system this makes damaging an online reputation an easy target, as a rogue site simply has to put embarrassing post claiming that they have been issued under your openid. In this area, BBAuth delivers something better.

http://kerpass.wordpress.com/2.....fferences/

3. OpenId promotes the view that the way to manage online identity is to store your personal information with an identity provider. The word open helps swallowing this, have no doubt however that a few identity providers would eventually control this space (Verisign, Microsoft?)

 

OpenID? The US government must be smiling. They won’t even have to pass more spy laws, now that there are sheep out there willing to give their online lives away. What a prestige…

 

And by the way, I don’t think it happens by surprise. It’s a careful move towards always less privacy.

To those thinking we don’t have privacy anyway, just unplug the cable, and you’ll see you can get privacy back.

 

@Marc: The whole point is that which identity provider you use doesn’t matter (a big difference with Passport).

You can be your own ID provider, and still logon fine to OpenID-enabled websites.

If you’re afraid your password is the weak point, search for (or become!) a provider that provides “enhanced” security, like fingerprint readers, id cards, …
The websites you connect to won’t notice the difference..

 

@rickvug: I’m the MediaWiki developer who implemented OpenID for MediaWiki. It’s implemented as an extension, not in the MW core, since it depends on external libraries and that’s just the way MW dev policy works.

You can see more info on the extension here:

http://www.mediawiki.org/wiki/Extension:OpenID

I would have liked to have got the $5K bounty (for a donation to the Wikimedia Foundation) from iwantmyopenid.com, but they only give it out if you include OpenID in the core, which is kind of unlikely for most projects.

 

Is there a publicly traded company that has a product that competes against open ID? If not, is there one in the “sector” that would get hurt should open ID take off?

Thanks in advance to anyone who can answer these questions.

 

OpenID is an awesome neutral infrastructure to leverage for the good of the dev. community and to make life a whole lot easier online for consumers. Consumer generated media is exploding; nearly half of all Internet users publish content (Nielsen); 44% of internet users are content creators (Pew). 63 million people maintaining blogs, interact with photo-sharing sites, podcasts and more. Social networks and communities will increasingly be passing content feeds across, aggregate, consolidate, mashup extracting insights and value from stuff we can’t just see with our eyes focusing on one piece of content in a vacuum.

OpenID could help facilitate and centralize feed access policies and authorization (login/password). Privacy and security are paramount. If folks can get along like it seems to be the case around OpenID, that could become reality. Of course … I have been wrong many times before.

-arnaud

 

We all know that the number of OpenID enabled sites is still pretty limited. To support the growth of the community, we’ve been putting a lot of effort in gathering all available links in http://openiddirectory.com . Please check the available sites and submit any more you can find!

 

I may have missed something, but where did you see that Yahoo! is supporting OpenId? If you talk about idproxy.net, this is an initiative of a former employee of Yahoo! who just used the public bbAuth API… can you please clarify?

 

I think it’s great that AOL is allowing AOL credentials to be used for OpenID. (I work at AOL, but not on that project.) Having 60 million+ accounts available to be used immediately is important in seeding such a project.

I’ve already tried a couple of startup Web sites that I wouldn’t otherwise have bothered to register for.

A challenge with the big providers (like AOL) is where the identity is tied to email and IM. If users start seeing spam in their mailbox or spim as a result of using OpenID, it’ll die really fast.

Of course, more savvy users will create a separate identity with a junk mailbox.

 
 
