4 comments on “The Next OpenID Platform”

  1. Do you know the Stork Project?
    (https://www.eid-stork.eu/) The aim of that project is to “establish a European eID Interoperability Platform that will allow citizens to establish new e-relations across borders, just by presenting their national eID”
    For now it’s already working in “beta” for some government sites (Taxes, Universities, …) but I think it’s going in the right direction

  2. When I used OpenID, I was using the Verisign PIP (personal identity portal). They offered multiple personas and I could choose to enter a different email address for each website (relying party). PIP also supported two-factor authentication. I used the paypal football to login to my account. I eventually stopped using OpenID because of two issues.

    First, there were so few places where it was accepted. I’d really like to have one central place where all my account information is stored. With OpenID, I could use it on a few sites, but then I ended up still needing to manage a list of username and passwords for sites where OpenID was not accepted.

    Second, and I admit this is probably me putting my trust-no-one hat on, with OpenID, you still have the problem of a single point of failure. By using an OpenID provider, you are giving that provider the ability to impersonate you anywhere on the web. You REALLY need to trust your OpenID provider.

    One compromise of your OpenID provider and not only all your existing accounts are compromised, but you can be impersonated anywhere on the web. It doesn’t matter if the compromise is due to a hacker, someone working at the site that hosts your provider (your employer maybe), or some sort of court order, the result is the same: someone who is not you can access all your sites and gain a wealth of personal information about you.

    Eventually these two issues pushed me away from using OpenID. I switched to LastPass and use it to manage all my different logins. LastPass solves the above two issues for me. It’ll store the login information for any site I visit and generate secure passwords for new sites. It supports two-factor authentication. And the LastPass servers never see my individual account details because they are encrypted locally before being transmitted – meaning if anyone ever compromises LastPass’ servers, all they get is a bunch of encrypted data.

    Because of my second, trust-no-one, issue, I don’t think I’d ever go back to using OpenID in its current form for personal use. I just wouldn’t trust it to keep my bank, stock, retirement account, etc. logins separate and safe. I think it would work well in an enterprise environment, IF you only used it to login to corporate sites. But I think PKI is a much better fit there.

    I know I’m being too paranoid, and that reputable OpenID providers can be trusted. Heck, if we didn’t trust them we also couldn’t trust SSL/https. But if you’re proposing a next-gen OpenID, maybe some new ideas could be put into the protocol to make it impossible for the provider to go rogue.
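The comment above contrasts an identity provider that can impersonate you with a password manager that encrypts entries locally so its servers only ever hold ciphertext. The following is an added example of that client-side encryption model, written for this page; it is not the commenter’s code and not LastPass’s design. It assumes a constructed vault of two entries, a master password of “master-pw”, and a hypothetical server that stores whatever `lock_vault` returns. Because the Python standard library has no AES, the encryption is a stand-in built from PBKDF2 for key derivation, an HMAC-SHA256 keystream, and encrypt-then-MAC; a real vault would use AES-GCM or a similar vetted AEAD instead.

```python
import hashlib
import hmac
import json
import secrets

# Key derivation: a slow, salted PBKDF2 turns the master password into a
# 64-byte key, split into an encryption half and a MAC half.
def derive_key(master_password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: bytes) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (stand-in for AES-CTR).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_entry(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_entry(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; wrong key or tampering raises ValueError."""
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault entry failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def lock_vault(master_password: str, entries: dict) -> dict:
    """Client side: encrypt every entry before upload. The return value is
    the only thing the (hypothetical) server ever stores."""
    salt = secrets.token_bytes(16)
    key = derive_key(master_password, salt)
    stored = {
        site: encrypt_entry(key, json.dumps(creds).encode()).hex()
        for site, creds in entries.items()
    }
    return {"salt": salt.hex(), "entries": stored}


def unlock_vault(master_password: str, stored: dict) -> dict:
    """Client side: re-derive the key from the master password and decrypt."""
    key = derive_key(master_password, bytes.fromhex(stored["salt"]))
    return {
        site: json.loads(decrypt_entry(key, bytes.fromhex(blob)))
        for site, blob in stored["entries"].items()
    }


def server_sees_secret(stored: dict, secret: str) -> bool:
    """Model a server compromise: does any stored blob contain the secret in the clear?"""
    return any(secret.encode() in bytes.fromhex(blob) for blob in stored["entries"].values())


# Constructed sample vault (not real credentials).
SAMPLE_ENTRIES = {
    "bank.example": {"user": "alice", "password": "correct-horse-battery"},
    "broker.example": {"user": "alice@example.invalid", "password": "s3cret-staple"},
}

if __name__ == "__main__":
    stored = lock_vault("master-pw", SAMPLE_ENTRIES)
    print("server holds plaintext password:", server_sees_secret(stored, "correct-horse-battery"))
    print("client decrypts:", unlock_vault("master-pw", stored) == SAMPLE_ENTRIES)
```

Running it shows the trade the comment describes: a compromise of the storage server yields salt and ciphertext only, and a wrong master password or a tampered blob fails the MAC check rather than decrypting to garbage. The single point of failure has not vanished, it has moved from the provider to the master password and the client that holds it, which is why the key-derivation cost and the client’s own integrity matter.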

  3. @esev I fully agree that there aren’t enough places accepting OpenID and that’s one of the main limiting factors. I think more public sites are accepting Facebook Connect and Twitter logins (through OAuth) than are using OpenID. One thing Facebook did really well was take many of the OpenID user patterns but dumb them down for the typical user. OpenID was always too geeky of an interface for the normal consumer to use. As for managing passwords I find that 1Password does a great job. They use AES128 encryption which is good enough for most 😉 They actually have a good description of how it’s all put together here.
    http://help.agile.ws/1Password3/agile_keychain_design.html

    As you know OpenID is very dependent on the domain. I almost believe that any commercial OpenID service should have a “bring your own domain” option. This way you could always migrate away if you stopped trusting the provider. Again, this is way too complex for most users to comprehend. I started seeing some relying parties accept multiple OpenID providers for each account. Talk about a usability nightmare. “So you’re telling me that I should have two accounts registered with each site in case one doesn’t work or they get hacked. Ugh, I’ll go back to username and password.”

    I’m right with you on most of the issues you bring up. However, I think that PKI is too complex for most public users to understand and use, let alone relying parties to accept. I have the same problems with SAML being so point to point as well. If you get a chance check out Dan Kaminsky’s talks on DKI and Phreebird. Now that the DNS root is signed this might be an interesting way to roll out PKI to the rest of the world. It seems like the IETF has picked this up to investigate it lately (http://riosec.com/domain-key-infrastructure). I’ve been noodling that this might be a way to start authenticating non-person entities like computers, switches, etc. to the network. It would also be much easier to deal with things like CRL lists and OCSPs since if you revoke a DKI the address just no longer resolves successfully.

  4. @Filipe I’ve definitely seen Stork and think it’s a great project going on. I think they are doing it right by targeting young academics who will “get used to” using OpenID and have it grow up with them but I don’t think it will help see explosive growth of the technology. Here in the states we have an inherent distrust for our government that stems all the way back from the colony days. We trust companies like Google and Facebook with our personal data more than we do our government. Recently the US has started discussing the National Strategy for Trusted Identities in Cyberspace aka NSTIC (http://www.nist.gov/nstic/). I don’t think we’re there with OpenID yet, but I hope it can grow into something more useful.
