Linked by Kroc Camen on Fri 2nd Oct 2009 19:42 UTC
OSNews, Generic OSes

Our identities online are becoming ever more valuable to the companies that we entrust them to. What happens though when a company just ups and closes shop (Pownce, for example) and deletes your stuff? Sure, the individual files you'll have on your computer anyway, you won't have lost anything as far as bits and bytes are concerned--but what about friendships you've built up with people who you only know through the service. Your data should be portable so that you can take it to any service and not lose those relationships that you've built up in one walled-garden when it collapses, or you decide to move on. OpenID tries to solve this brand-centric problem by placing you at the centre of your data and allowing the sites you trust access through a single sign-on. OSnews is contemplating implementing OpenID and would like your feedback, but there are a few questions to consider--please read on for details

Order by: Score:
Comment by Alxe
by Alxe on Fri 2nd Oct 2009 20:01 UTC
Alxe
Member since:
2009-08-20

I use OpenID sometimes, not always, but yes, I do.

I find it quite good, as you can login anywhere with just one account (URL) and a password, but I find many flaws in the actual OpenID, such as, as you stated, the need to change pages to login.
Sure, it's not much for high-speed Internet users, but those viewers in netbooks, or mobile devices, with a may-be limited connection would suffer.

I'd find a good thing that a little pop-up spawns and asks you the URL and password, very minimal, like with simple Javascript.

But, also, not many people use this system, or even know it exists, so the progress would be a bit harder.

Reply Score: 1

RE: Comment by Alxe
by Kroc on Fri 2nd Oct 2009 20:05 UTC in reply to "Comment by Alxe"
Kroc Member since:
2005-11-10

They are working on improving the experience: http://openid.net/2009/09/25/more-powerful-and-easier-to-use/ you can now create a browser pop-up to do a login. Personally, I would have preferred an iframe as actual browser pop-ups is just asking for all sorts of support-issues with various browsers.

I’ve noticed that browsers can fill in saved passwords into invisible fields, so it’s even possible to create a single-click login button (if you’ve told the browser to remember your password before); OpenID would hinder this, yaddayaddayah.

Reply Score: 1

RE[2]: Comment by Alxe
by kragil on Fri 2nd Oct 2009 20:35 UTC in reply to "RE: Comment by Alxe"
kragil Member since:
2006-01-04

I want Google Wave comments!

That would be the best UX.

Reply Score: 2

RE[2]: Comment by Alxe
by Beta on Fri 2nd Oct 2009 21:03 UTC in reply to "RE: Comment by Alxe"
Beta Member since:
2005-07-06

Personally, I would have preferred an iframe as actual browser pop-ups is just asking for all sorts of support-issues with various browsers.

You don’t mind phishing then? (equal complaints for pop-ups)

Reply Score: 2

RE[3]: Comment by Alxe
by daveman692 on Fri 2nd Oct 2009 23:06 UTC in reply to "RE[2]: Comment by Alxe"
daveman692 Member since:
2009-10-02

The main difference between using a popup window and an iframe from a phishing perspective is that the popup displays the URL bar whereas the iframe does not include any of the browser's chrome.

Reply Score: 1

RE[4]: Comment by Alxe
by Beta on Sat 3rd Oct 2009 12:29 UTC in reply to "RE[3]: Comment by Alxe"
Beta Member since:
2005-07-06

The main difference between using a popup window and an iframe from a phishing perspective is that the popup displays the URL bar

Except where it doesn’t. ;)

Reply Score: 2

RE[2]: Comment by Alxe
by Alex Forster on Sat 3rd Oct 2009 21:22 UTC in reply to "RE: Comment by Alxe"
Alex Forster Member since:
2005-08-12

The point is to not let the site you're logging in to have your identity information. The parent JS security context has full access to the child iframe's JS security context, meaning the site asking for your OpenID credentials could then steal them from you.

Reply Score: 2

Response
by Meor on Fri 2nd Oct 2009 20:35 UTC
Meor
Member since:
2006-09-29

1. Do you already have an OpenID account?
Yes.
2. Do you make use of your OpenID account?
I use it whenever I can whenever a site offers it.
3. Would you welcome OSnews offering an OpenID login option?
Yes, it would be great.
4. Should OSnews be an OpenID provider?
I wouldn't make use of this, I use Verisign for my OpenID provider.
5. Is owning your own identity important to you?
I like the ability to log in to a site safely and automatically in the background instead of bringing up my password safe constantly.
6. What should OSnews let you do with your data?
It seems like anything you would normally be able to do with your account you should be able to do with OpenID.

I like OpenID because it's a great step toward secure token authentication. Verisign, and I'm sure others, offers security token login for your OpenID account.

Reply Score: 2

OpenID
by sbenitezb on Fri 2nd Oct 2009 20:39 UTC
sbenitezb
Member since:
2005-07-22

1. Yes
2. Not much.
3. I don't care. I already have an OSNews account.
4. No. There are already enough providers.
5. I don't use much an OpenID, and I don't think it's worth the implementations and the risk should it be compromised.
6. The web is public. If I choose to publish some blog, comment or something to the public, then the right thing would be that it remains as I published it. Tying what I said to a digital identity so it can be processed and a profile be made for sharing with marketing companies is not ok. As for the question, I think it's more interesting if it's rephrased as "What should OSNews *do* with your data?". And the answer is simple: do nothing.

And yes, it's a waste of time and effort. OpenID and single sign-on are all crap. Oh, how I miss the old internet with no flash, almost no ads, no webapps, pure and plain HTML 4 and CGIs. I'm getting old.

Reply Score: 6

Not just OpenID
by meneer on Fri 2nd Oct 2009 20:43 UTC
meneer
Member since:
2009-10-02

OpenID is a great way reduce the number of accounts on the internet and thus reduce the number of passwords.

OpenID is easy to use, requires no extra tools and a great many people already have an OpenID identity (even if they don't know).

But OpenID is not the only solution. I applaud the initiative to move towards Identity 2.0 facilities, you might as well think about implementing Information Card login too. A pity that noone even knows about it, pity that Microsoft failed in distributing the necessary tool (CardSpace in Vista), but it is an even more sophosticated facility.

So OpenID: yes, by all means, but enable the use of Information Card too.

Reply Score: 1

RE: Not just OpenID
by Alex Forster on Sat 3rd Oct 2009 21:28 UTC in reply to "Not just OpenID"
Alex Forster Member since:
2005-08-12

Information Cards are the single most revolutionary idea in online identity management that the world has seen, and it is not an understatement to say that nobody knows what it is. It's an open standard, but I know of no alternative browsers that support a non-Microsoft implementation. I ran Microsoft's for a while just hoping to, even once, be prompted for an InfoCard, but I never was and it's a WPF application so it uses a few hundred megabytes of RAM just sitting in the background, so I eventually uninstalled it.

http://en.wikipedia.org/wiki/Information_Card

"Patent promises have been issued by Microsoft, IBM, and others, ensuring that this Information Card technology is freely available to all."

Reply Score: 2

RE[2]: Not just OpenID
by meneer on Mon 5th Oct 2009 11:43 UTC in reply to "RE: Not just OpenID"
meneer Member since:
2009-10-02

I installed Bandit's Digitalme on Ubuntu, using firefox as browser with the bandit identity selector. And it seemed to work, I even demoed it to a small crowd of security experts.
Switching distribution is not the best way to keep all functionality, so I never got to install digitalme om my current Mandriva and Arch, but I am convinced of the power of infomation card.

Reply Score: 1

RE[2]: Not just OpenID
by auggiedoggie on Mon 5th Oct 2009 17:11 UTC in reply to "RE: Not just OpenID"
auggiedoggie Member since:
2009-10-05

It has a few problems, but the openinfocard Identity
Selector addon for Firefox mostly works. I've used it
on Linux and FreeBSD.
https://addons.mozilla.org/en-US/firefox/addon/10292

Anyone interested in an open source licensed implementation of Information Cards might take a look at the new release of DACS, which includes demonstrations.
http://dacs.dss.ca

Reply Score: 1

some answers
by Beta on Fri 2nd Oct 2009 21:00 UTC
Beta
Member since:
2005-07-06

1. Yes
2. Yes
3. Yes, don’t forget to allow for multiple OpenID accounts per user, nothing worse than having a single OpenID attached with that provider going bust
4. Possibly, it cannot hurt but it should come after you can ingest our external OpenIDs. id.osnews.com/kroc is rather long though, maybe osnews.com/~kroc ?
5. Incredibly
6. Everything? Purge it. Option to remove email address if we attach an OpenID. Option to hide all information from public. etc
(account renaming (once, maybe?) would be handy too, as long as you keep old accounts reserved and redirected to new)

Reply Score: 3

Comment by Anon9
by Anon9 on Fri 2nd Oct 2009 22:22 UTC
Anon9
Member since:
2008-06-30

1. Do you already have an OpenID account?
No, unless my Google account counts.
2. Do you make use of your OpenID account?
NA
3. Would you welcome OSnews offering an OpenID login option?
It's irrelevant to me since I autologin.
4. Should OSnews be an OpenID provider?
I don't care.
5. Is owning your own identity important to you?
Yes, but I'm not sure how OpenID helps with this.
6. What should OSnews let you do with your data?
What data?

I don't like the OpenID concept because I prefer to use a different password at each site. It seems insecure to me to only have one login which could be used everywhere. I use KeePass to manage my passwords and I probably have almost 100 passwords that I don't even know because they are long random strings. KeePass memorizes them for me.

I'm getting off-topic here, but one thing that really annoys me about a lot of websites is the restrictions they place on passwords. I should be able to use 200 character passwords with high-ASCII characters in them and spaces and all punctuation. I can do that with KeePass, but few sites permit me to. They make me only use alphanumeric 12-letter passwords way too often.

Edited 2009-10-02 22:23 UTC

Reply Score: 2

Yes Please
by sarahannalien on Fri 2nd Oct 2009 22:44 UTC
sarahannalien
Member since:
2009-05-07

3. Would you welcome OSnews offering an OpenID login option?

Yes please. And then please write an article telling us about issues you encountered while implementing it.

Reply Score: 4

YES
by vijayd81 on Fri 2nd Oct 2009 22:51 UTC
vijayd81
Member since:
2008-07-18

1. YES
2. YES. Wherever possible
3. YES. That would be awesome
4. Please, NO. There's already a lot of providers. I always feel like that lot of providers just spoil the whole idea. I already have both Google and Y! OpenIDs. I try to use just my Google ID. Multiple accounts mean multiple passwords and we will end up in the same situation as now.
5. YES.
6. You guys could provide options (in account preferences) for those data. This is one area where lot of people won't argree.

On top of these, I would like to link my current data with OpenID. Without this, I would end up with two accounts in OSnews which is not good.

Thanks.

Reply Score: 3

Comment by DOSguy
by DOSguy on Fri 2nd Oct 2009 23:03 UTC
DOSguy
Member since:
2009-07-27

1. Do you already have an OpenID account?
I don't.
2. Do you make use of your OpenID account?
n/a
3. Would you welcome OSnews offering an OpenID login option?
Sure. I'm sure a lot of visitors would like it.
4. Should OSnews be an OpenID provider?
need: no. welcome: yes
5. Is owning your own identity important to you?
Because of my paranoid nature I actually prefer having segregated accounts for each kind of activity and location on the Internet. Besides, Lastpass solves a lot of problems for me.
6. What should OSnews let you do with your data?
It's the internet; I don't really believe I own my comments. I 'donate' them to the internet, for everyone to see, even though they're generally quite useless. People who use their real name and such might think otherwise about their comments though.

Reply Score: 2

Yes! OpenID! Woo!
by sorpigal on Fri 2nd Oct 2009 23:41 UTC
sorpigal
Member since:
2005-11-02

I have several OpenID accounts, mostly I use my Google one.

I don't think OSNews should be an openid provider... if every site is a provider we're little better off than a world without OpenID.

I would only prefer a site-specific ID to an OpenID account if it gave me some kind of cred--like a low slashdot UID, it's meaningless but important.

As for the cumbersome nature of openID login... I wouldn't worry about that. It's only a little more irritating and a lot less of a bother than remembering Yet Another Username and Password.

Reply Score: 3

Comment by _df_
by _df_ on Sat 3rd Oct 2009 00:28 UTC
_df_
Member since:
2005-07-06

I have an openid account running off my domain, I use it wherever it is accepted.

Reply Score: 3

Yes get openID
by krackersk on Sat 3rd Oct 2009 02:00 UTC
krackersk
Member since:
2009-10-03

I just registered with osnews so I could say I would only register with osnews if you had openID

Reply Score: 3

RE: Yes get openID
by Kroc on Sat 3rd Oct 2009 05:14 UTC in reply to "Yes get openID"
Kroc Member since:
2005-11-10

Thanks for the effort, that helps ;)

Reply Score: 1

RE: Yes get openID
by Zifre on Sun 4th Oct 2009 00:20 UTC in reply to "Yes get openID"
Zifre Member since:
2009-10-04

Yes, I joined too just to say that I would have joined a long time ago if OpenID is supported. Now that I have registered though, I don't have any use for it. This whole poll is extremely biased, because the only people who can comment are the people who are okay with creating yet another internet account. So, please, support OpenID!

Reply Score: 1

Options can't hurt, but...
by jsight on Sat 3rd Oct 2009 03:16 UTC
jsight
Member since:
2005-07-06

Be sure that you are willing to deal with the pain. Many people will login with their Google OpenID account, and then realize that they have multiple google accounts (one for work, one for home, maybe multiple blogger sites). The complexity of allowing users to have multiple openids associated with their one OSNews account are easy to underestimate, imo.

Honestly, I hate openid because of issues like that. But its a reasonable option for the people who don't have such issues (mostly MyOpenID users).

Reply Score: 3

one website, one login
by tobyv on Sat 3rd Oct 2009 04:10 UTC
tobyv
Member since:
2008-08-25

If it ain't broke.. but at least leave the traditional login alone.

OpenID is a single point of failure. Lose that, lose everything.

I don't want future employers scanning my osnews comments, finding out about my irrational hatred of ADA.

Reply Score: 3

RE: one website, one login
by aesiamun on Tue 6th Oct 2009 13:40 UTC in reply to "one website, one login"
aesiamun Member since:
2005-06-29

Anti Dentite! ;)

Reply Score: 2

Comment by Luminair
by Luminair on Sat 3rd Oct 2009 05:23 UTC
Luminair
Member since:
2007-03-30

I have openid accounts with multiple different sites I dont remember and I dont know what they do

Reply Score: 2

Comment by ddc_
by ddc_ on Sat 3rd Oct 2009 06:29 UTC
ddc_
Member since:
2006-12-05

1. Do you already have an OpenID account?

Yes.

2. Do you make use of your OpenID account?

No.

3. Would you welcome OSnews offering an OpenID login option?

Yes. Those who have it may use it...

4. Should OSnews be an OpenID provider?

No. I don't see any usefull in OpenID, while it will inflict some server2server traffic and some security risks, so I would prefer no OpenID here, as far as there's so many providers...

5. Is owning your own identity important to you?

Never needed it.

6. What should OSnews let you do with your data?

Nothing. OpenID owner should tune up everything at OpenID provider.

Reply Score: 1

Jonix
Member since:
2007-02-14

I prefer using OpenID on the sites that uses that for log-in, though there isn't that many sites that uses it for now, I hope the snowball is starting to roll faster and faster.

There has been much discussion about the relatively (in)security about using OpenID, if your OpenID has been compromised (with a single pass-phrase), all the the sites you attached your OpenID to is wide open for the cracker.

However osnews.com is not a mission critical site, with bank account info, etc. There would be no need for great security concern, but there is a beautiful solution to above mentioned insecurity.

This security issue is solved beautifully with the cheap Open Source/hardware Yubikey USB dongle (www.yubico.com). With the Yubikey every press of the button generates a unique one-time-token password (64 chars long) which is authenticated with servers back at Yubico.

OpenID combined with Yubikey gives a much higher degree of security, than ordinary logins on several levels.
1) One time token pass-phrase, instead of similar/same password for all different website logins.
2) A standardized (open source) implementation, instead of a yet a new "homegrown" login system with potential security vulnerabilities such as SQL injection, site cross-scripting, and so on and so forth.

Implementing OpenID log-ins with Yubikey is no different than without, the OpenID login implementor does not need even know how the person authenticates

I am proposing this, since I am lazy and just want to use my Yubikey USB device to log-in to as many sites as possible.

In my humble opinion there is no real need to act as a OpenID provider as people who uses OpenID got it from somewhere else, perhaps a site that is exclusively a OpenID provider. But if you choose to to also be a OpenID provider (not a bad idea) consider also implement Yubikey support for logins



So pretty please with sugar on top, please incorporate OpenID logins.

Reply Score: 1

+1
by vivainio on Sat 3rd Oct 2009 09:42 UTC
vivainio
Member since:
2008-12-26

Do incorporate openid login.

osnews is not "mission critical" site (for end users anyway), so it often ends up with the crap password you tend to use on bulk sites on the internet. OpenID would thus increase security as you can easily use your "high value" password for that.

I don't see the point in making osnews an openid provider, as osnews is a minor player with no financial liabilities. The crew could basically go (more?) insane and start abusing the openid accounts for fun and profit. Let's leave OpenID hosting for big dogs (or pseudo-big ones - my OID is at Launchpad).

Reply Score: 2

OpenID
by 3rdalbum on Sat 3rd Oct 2009 10:49 UTC
3rdalbum
Member since:
2008-05-26

I can never remember my OSnews login and password, so using my OpenID (Myspace or Facebook, I didn't know Facebook was one too?) would be good. I currently just use Opera Link to remember my password for all my machines.

I'm not sure OSnews should be an OpenID provider, but it should accept OpenID as a login.

Reply Score: 2

Yes
by zerohalo on Sat 3rd Oct 2009 15:03 UTC
zerohalo
Member since:
2005-07-26

1., 2., 3. : Yes
4.: No point. Those likely to use openid with OSNews already have an account.
5.: Single signon is ideal for non-critical data/sites like this one.
6: Nothing.

Reply Score: 1

Improvement
by Lennie on Sat 3rd Oct 2009 20:08 UTC
Lennie
Member since:
2007-09-22

For those that know and want to use OpenID I think it would be in improvement. The more sites use it, the more useful it becomes and hopefully it also improves how easy it's to implement.

I've actually bought a domain for me to implement it with, maybe some family and friends also might want to use it.

I looked at how easy it is to implement it using an existing library and I can say, it takes longer then a day and I've not had any time after that.

Reply Score: 2

Comment by hashnet
by hashnet on Sun 4th Oct 2009 01:51 UTC
hashnet
Member since:
2005-11-15

1. Do you already have an OpenID account?
Yes. As noted, most of us have one.
2. Do you make use of your OpenID account?
So far, rarely.
3. Would you welcome OSnews offering an OpenID login option?
In spite of the noted busy login box and the clumsiness of switching websites, yes.
4. Should OSnews be an OpenID provider?
I assume it'd be as good as any, so why preclude it?
5. Is owning your own identity important to you?
I prefer to use separate identities for use into different realms of my life. Tech/sport/perso/business etc.
"Fly by night" has a nasty ring to it. It's simply a matter of privacy.
Why the question? I can't see how this would impact OSnews' handling of OpenID.
6. What should OSnews let you do with your data?
Modify, delete. Maybe record the login history for the id owner's eyes only, as a service.
Let the owner opt in for use of demographics by OSnews itself, if desired.

Reply Score: 1

license_2_blather
Member since:
2006-02-05

1. Do you already have an OpenID account?

No. I probably would not get one just for OSNews, or for any one or two other web sites I frequent.

2. Do you make use of your OpenID account?

No (see above)

3. Would you welcome OSnews offering an OpenID login option?

Sure. I presume I wouldn't be required to use it.

4. Should OSnews be an OpenID provider?

Makes no difference to me.

5. Is owning your own identity important to you?

I think it's too late for that ;)

6. What should OSnews let you do with your data?

I don't claim it. I try not to put anything I don't want to lose, or potentially be broadcast to the world, on any public web site.
=========================================

I'm not familiar with OpenID. I see pluses (single sign-on) and minuses (security; one site's breach turns into potential takeover of your "identity"). In any case, if it is much trouble to use, I won't use it, and if it is much trouble to support, I wouldn't blame the OSNews staff for giving it a pass.

Reply Score: 1

vivainio Member since:
2008-12-26

I see pluses (single sign-on) and minuses (security; one site's breach turns into potential takeover of your "identity").


No, it does not - unless the site taken over is the openid provider.

OpenID has the advantage that only one site needs to have high security. This won't metter if you use different password on all sites, but then you are bigger man than most...

Reply Score: 2

RPX instead of OpenID
by Givas on Sun 4th Oct 2009 16:29 UTC
Givas
Member since:
2005-08-19

Instead of just OpenID you could consider using RPX combines many different login systems and is very easy to integrate into the website:
https://rpxnow.com/

Reply Score: 1

RE: RPX instead of OpenID
by Kroc on Mon 5th Oct 2009 06:31 UTC in reply to "RPX instead of OpenID"
Kroc Member since:
2005-11-10

I absolutely do not want to promote brand-based logins. These are a detriment to the web, and only helps over-complicate the login process by adding more and more buttons as brands want to get in on the space.

When we do OpenID, it will be a single text box and you will be expected to know your OpenID URI regardless of who it comes from. None of these companies will pay us to push their brands for them, so I ain’t doing it.

Reply Score: 1

yes
by challman on Mon 5th Oct 2009 01:48 UTC
challman
Member since:
2009-10-05

1. Do you already have an OpenID account?
yes

2. Do you make use of your OpenID account?
when i can

3. Would you welcome OSnews offering an OpenID login sure

4. Should OSnews be an OpenID provider?
that's your call

5. Is owning your own identity important to you?
sure is.

6. What should OSnews let you do with your data?
it would be nice to be able to export the information and relationships say in xml

Reply Score: 1

Comment by internetionals
by internetionals on Mon 5th Oct 2009 12:06 UTC
internetionals
Member since:
2008-08-02

1 Yes
2 Yes
3 Yes (choice is great :-))
4 Wouldn't hurt, but no show stopper
5 Depends on the application
6 Just another account, just include the "forget everything about me" option

Reply Score: 1

OpenID
by Andre on Mon 5th Oct 2009 12:06 UTC
Andre
Member since:
2005-07-06

1. Do you already have an OpenID account?
I used to have a videntidy OpenID, but that site went down long ago. Nowadays I use yahoo
2. Do you make use of your OpenID account?
sometimes
3. Would you welcome OSnews offering an OpenID login option?
yeah
4. Should OSnews be an OpenID provider?
yeah, i think OSnews will stay online, so I doubt I would run the risk I had with videntity.
5. Is owning your own identity important to you?
yeah
6. What should OSnews let you do with your data?
nothing unless i want you want to

Reply Score: 1

Yes, with caveats
by lproven on Mon 5th Oct 2009 14:10 UTC
lproven
Member since:
2006-08-23

Yes, do it.

Don't be a provider - there are many already.

*But* I would assert that it is essential that you offer the ability to associate an existing account with an OpenID.

This core function is too rarely available & leads to me having multiple accounts available on several sites, such as Blogger.

Reply Score: 1

Comment by nahamu
by nahamu on Tue 6th Oct 2009 12:30 UTC
nahamu
Member since:
2009-08-10

1. Do you already have an OpenID account?
Yes
2. Do you make use of your OpenID account?
Yes
3. Would you welcome OSnews offering an OpenID login option?
Very much so. While I've been following OSnews for years, I created my account very recently and was very disappointed that you don't already support OpenID.
4. Should OSnews be an OpenID provider?
No particular need.
5. Is owning your own identity important to you?
That would be nice too. I mostly just hate the password sprawl.
6. What should OSnews let you do with your data?
No opinion.

Reply Score: 1