<?xml version="1.0" encoding="utf-8"?>
<feed xml:lang="en-us" xmlns="http://www.w3.org/2005/Atom"><title>Simon Willison's Weblog: verisign</title><link href="http://simonwillison.net/" rel="alternate"/><link href="http://simonwillison.net/tags/verisign.atom" rel="self"/><id>http://simonwillison.net/</id><updated>2008-06-24T08:12:23+00:00</updated><author><name>Simon Willison</name></author><entry><title>The point of "Open" in OpenID</title><link href="https://simonwillison.net/2008/Jun/24/openid/#atom-tag" rel="alternate"/><published>2008-06-24T08:12:23+00:00</published><updated>2008-06-24T08:12:23+00:00</updated><id>https://simonwillison.net/2008/Jun/24/openid/#atom-tag</id><summary type="html">
    &lt;p&gt;TechCrunch report that &lt;a href="http://www.techcrunch.com/2008/06/23/microsofts-first-step-in-accepting-openid-signons-healthvault/"&gt;Microsoft are accepting OpenID&lt;/a&gt; for their new &lt;a href="http://www.healthvault.com/"&gt;HealthVault site&lt;/a&gt;, but with a catch: you can only use OpenIDs from two providers: &lt;a href="http://www.trustbearer.com/"&gt;Trustbearer&lt;/a&gt; (who offer two-factor authentication using a hardware token) and Verisign. "Whatever happened to the &lt;em&gt;Open&lt;/em&gt; in OpenID?", asks TechCrunch's Jason Kincaid.&lt;/p&gt;

&lt;p&gt;Microsoft's decision is a beautiful example of the Open in action, and I fully support it.&lt;/p&gt;

&lt;p&gt;You have to remember that behind the excitement and marketing OpenID is a protocol, just like SMTP or HTTP. All OpenID actually provides is a mechanism for asserting ownership over a URL and then "proving" that assertion. We can build a pyramid of interesting things on top of this, but that assertion is really all OpenID gives us (well, that and a globally unique identifier). In internet theory terms, it's a &lt;a href="http://en.wikipedia.org/wiki/Dumb_network"&gt;dumb network&lt;/a&gt;: the protocol just concentrates on passing assertions around; it's up to the endpoints to set policies and invent interesting applications.&lt;/p&gt;

&lt;p&gt;Open means that providers and consumers are free to use the protocol in whatever way they wish. If they want to only accept OpenID from a trusted subset of providers, they can go ahead. If they only want to pass OpenID details around behind the corporate firewall (great for gluing together an SSO network from open-source components) they can knock themselves out. Just like SMTP or HTTP, the protocol does not imply any rules about where or how it should be used.&lt;/p&gt;

&lt;p&gt;HealthVault have clearly made this decision due to security concerns - not over the OpenID protocol itself, but the providers that their users might choose to trust. By accepting OpenID on your site you are &lt;em&gt;outsourcing the security of your users&lt;/em&gt; to an unknown third party, and you can't guarantee that your users picked a good home for their OpenID. If you're a bank or a healthcare provider that's not a risk you want to take; whitelisting providers that you have audited for security means you don't have to rule out OpenID entirely.&lt;/p&gt;

&lt;p&gt;I have a very simple rule of thumb for whether or not a site should consider whitelisting OpenID providers: does the site offer a "forgotten password" feature that e-mails the user a login token? If it does, then the owners have already made the decision to outsource the security of their users to whoever they picked as an e-mail provider. If they don't (banks are a good example here) they should continue that policy decision and consider using an OpenID provider whitelist.&lt;/p&gt;

&lt;p&gt;I've been using the example of banks potentially accepting OpenID only from security audited providers in my &lt;a href="http://simonwillison.net/talks/openid/"&gt;talks on OpenID&lt;/a&gt; for at least the past year. Now I can finally provide a real-world example.&lt;/p&gt;
    
        &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/dumbnetworks"&gt;dumbnetworks&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/healthvault"&gt;healthvault&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/microsoft"&gt;microsoft&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/open"&gt;open&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/openid"&gt;openid&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/security"&gt;security&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/techcrunch"&gt;techcrunch&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/trustbearer"&gt;trustbearer&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/verisign"&gt;verisign&lt;/a&gt;&lt;/p&gt;
    

</summary><category term="dumbnetworks"/><category term="healthvault"/><category term="microsoft"/><category term="open"/><category term="openid"/><category term="security"/><category term="techcrunch"/><category term="trustbearer"/><category term="verisign"/></entry><entry><title>A Change of Pace</title><link href="https://simonwillison.net/2007/Aug/17/david/#atom-tag" rel="alternate"/><published>2007-08-17T23:46:33+00:00</published><updated>2007-08-17T23:46:33+00:00</updated><id>https://simonwillison.net/2007/Aug/17/david/#atom-tag</id><summary type="html">
    
&lt;p&gt;&lt;strong&gt;&lt;a href="http://daveman692.livejournal.com/310424.html"&gt;A Change of Pace&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
David Recordon is heading back to Six Apart as Open Platforms Tech Lead, where it looks like he might get to work on social network portability.


    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/david-recordon"&gt;david-recordon&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/openid"&gt;openid&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/sixapart"&gt;sixapart&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/verisign"&gt;verisign&lt;/a&gt;&lt;/p&gt;



</summary><category term="david-recordon"/><category term="openid"/><category term="sixapart"/><category term="verisign"/></entry><entry><title>VeriSign's SeatBelt OpenID plugin for Firefox</title><link href="https://simonwillison.net/2007/Aug/17/personal/#atom-tag" rel="alternate"/><published>2007-08-17T17:37:42+00:00</published><updated>2007-08-17T17:37:42+00:00</updated><id>https://simonwillison.net/2007/Aug/17/personal/#atom-tag</id><summary type="html">
    
&lt;p&gt;&lt;strong&gt;&lt;a href="https://pip.verisignlabs.com/seatbelt.do"&gt;VeriSign&amp;#x27;s SeatBelt OpenID plugin for Firefox&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
The first good example of browser integration for OpenID. It catches phishing attempts by watching out for rogue OpenID consumers that don’t redirect to the right place.


    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/firefox"&gt;firefox&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/openid"&gt;openid&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/plugins"&gt;plugins&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/seatbelt"&gt;seatbelt&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/security"&gt;security&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/verisign"&gt;verisign&lt;/a&gt;&lt;/p&gt;



</summary><category term="firefox"/><category term="openid"/><category term="plugins"/><category term="seatbelt"/><category term="security"/><category term="verisign"/></entry><entry><title>VeriSign OpenID 1.1 Non-Assertion Covenant</title><link href="https://simonwillison.net/2007/Jun/20/verisign/#atom-tag" rel="alternate"/><published>2007-06-20T22:38:48+00:00</published><updated>2007-06-20T22:38:48+00:00</updated><id>https://simonwillison.net/2007/Jun/20/verisign/#atom-tag</id><summary type="html">
    
&lt;p&gt;&lt;strong&gt;&lt;a href="http://www.verisign.com/research/Consumer_Identity_and_Profile_Management/042160.html"&gt;VeriSign OpenID 1.1 Non-Assertion Covenant&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
VeriSign join Sun Microsystems in providing patent protection for OpenID.

    &lt;p&gt;&lt;small&gt;Via &lt;a href="http://blogs.verisign.com/infrablog/2007/06/openid_ipr_past_and_future.php"&gt;OpenID IPR: Past and Future&lt;/a&gt;&lt;/small&gt;&lt;/p&gt;


    &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/openid"&gt;openid&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/patents"&gt;patents&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/sun"&gt;sun&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/verisign"&gt;verisign&lt;/a&gt;&lt;/p&gt;



</summary><category term="openid"/><category term="patents"/><category term="sun"/><category term="verisign"/></entry><entry><title>How to turn your blog in to an OpenID</title><link href="https://simonwillison.net/2006/Dec/19/openid/#atom-tag" rel="alternate"/><published>2006-12-19T11:37:12+00:00</published><updated>2006-12-19T11:37:12+00:00</updated><id>https://simonwillison.net/2006/Dec/19/openid/#atom-tag</id><summary type="html">
    &lt;p&gt;Wouldn't it be great if you could use the same account to log in to multiple sites and applications, without having to trust them all with your password? Wouldn't it be even better if you could do this without having to hand ownership of your online identity over to some monolithic third party? (I'm looking at you, &lt;del&gt;.NET Passport&lt;/del&gt; &lt;del&gt;Microsoft Passport&lt;/del&gt; &lt;a href="http://en.wikipedia.org/wiki/Windows_Live_ID"&gt;Windows Live ID&lt;/a&gt;.)&lt;/p&gt;

&lt;p&gt;The good news is, you can! &lt;a href="http://openid.net/"&gt;OpenID&lt;/a&gt; is a decentralised authentication system invented by LiveJournal but now being developed as an open standard under the &lt;a href="http://incubator.apache.org/projects/heraldry.html" title="The Heraldry Project"&gt;careful mentorship&lt;/a&gt; of the Apache Software Foundation. Anyone can create an OpenID, and the number of sites which let you log in with one is growing by the day.&lt;/p&gt;

&lt;p&gt;An OpenID is simply a URL. My OpenID is &lt;a href="http://simonwillison.net/"&gt;simonwillison.net&lt;/a&gt;, the address of my weblog. I can use it to sign in to any site that supports OpenID, and because I'm the only person with control over my weblog's homepage I'm the only person who can use that identity.&lt;/p&gt;

&lt;p&gt;If you want your own OpenID (and you should), here's how to get one.&lt;/p&gt;

&lt;h4&gt;1. Sign up with an OpenID provider&lt;/h4&gt;

&lt;p&gt;OpenID is decentralised, which means that anyone can set themselves up as an OpenID provider. You can run your own server if you want to (&lt;a href="http://siege.org/projects/phpMyID/"&gt;phpMyID&lt;/a&gt; is one way of doing that) but there are a number of free services that will host an ID for you. Those include:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;&lt;a href="http://www.livejournal.com/"&gt;LiveJournal&lt;/a&gt;. They invented it, and if you have a LiveJournal account you already have an OpenID - it's the URL of your journal. I'm &lt;samp&gt;swillison.livejournal.com&lt;/samp&gt;.&lt;/li&gt;
  &lt;li&gt;&lt;a href="http://www.vox.com/"&gt;Vox&lt;/a&gt; - Six Apart's sexy new social network thang. I'm &lt;samp&gt;simon.vox.com&lt;/samp&gt;.&lt;/li&gt;
  &lt;li&gt;&lt;a href="https://pip.verisignlabs.com/"&gt;VeriSign Labs&lt;/a&gt;, who have done some excellent work around OpenID and run a provider as part of their Personal Identity Provider service. I'm &lt;samp&gt;swillison.pip.verisignlabs.com&lt;/samp&gt;.&lt;/li&gt;
  &lt;li&gt;&lt;a href="http://www.myopenid.com/"&gt;MyOpenID&lt;/a&gt;, run by JanRain, authors of the most widely used OpenID libraries. I'm &lt;samp&gt;swillison.myopenid.com&lt;/samp&gt;.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;If you already have an account with Vox or LiveJournal you can skip straight to step 2. If not, pick the provider that you trust the most and create an account there. This isn't a permanent decision: you can move provider at any time without losing your account, provided you follow step 2.&lt;/p&gt;

&lt;h4&gt;2. Point your own site at your new OpenID&lt;/h4&gt;

&lt;p&gt;Here comes the magic. Having picked your provider and created an OpenID there, edit the HTML of your weblog's homepage (or indeed whichever URL you want to use as your personal OpenID) and add the following to the document &lt;code&gt;&amp;lt;head&amp;gt;&lt;/code&gt;:&lt;/p&gt;

&lt;pre&gt;&amp;lt;link rel="openid.server"
  href="http://www.livejournal.com/openid/server.bml"&amp;gt;
&amp;lt;link rel="openid.delegate"
  href="http://swillison.livejournal.com/"&amp;gt;
&lt;/pre&gt;

&lt;p&gt;Replace the openid.delegate href with the OpenID at your provider, and the openid.server href with that provider's OpenID server. You can find the server by viewing source on your OpenID page there, or by using this table:&lt;/p&gt;

&lt;table&gt;
 &lt;tr&gt;
  &lt;th&gt;OpenID Provider&lt;/th&gt;&lt;th&gt;Server URL&lt;/th&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
  &lt;td&gt;LiveJournal&lt;/td&gt;
  &lt;td&gt;http://www.livejournal.com/openid/server.bml&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
  &lt;td&gt;Vox&lt;/td&gt;
  &lt;td&gt;http://www.vox.com/services/openid/server&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
  &lt;td&gt;VeriSign&lt;/td&gt;
  &lt;td&gt;https://pip.verisignlabs.com/server&lt;/td&gt;
 &lt;/tr&gt;
 &lt;tr&gt;
  &lt;td&gt;MyOpenID&lt;/td&gt;
  &lt;td&gt;http://www.myopenid.com/server&lt;/td&gt;
 &lt;/tr&gt;
&lt;/table&gt;

&lt;p&gt;This delegation mechanism is key to OpenID's status as a truly decentralised authentication system. If you decide you no longer trust your identity provider you can switch to another one by just editing a couple of lines of HTML - your OpenID will stay the same.&lt;/p&gt;

&lt;h4&gt;3. Log in to something!&lt;/h4&gt;

&lt;p&gt;Now that you have an OpenID, you can use it to log in to all sorts of sites. Find their OpenID login form and enter your new OpenID - that's the URL of your weblog. You will be redirected to a page on your identity provider which will either ask you to log in or ask you to authorize the site to use your identity. Click "Yes" and you'll be sent back to the original site and magically logged in - no password required.&lt;/p&gt;

&lt;p&gt;I've been collecting a list of sites that allow you to log in using OpenID under the &lt;a href="http://del.icio.us/tag/openidconsumer"&gt;openidconsumer tag&lt;/a&gt;; sites you may have heard of include &lt;a href="http://ma.gnolia.com/signin"&gt;Ma.gnolia&lt;/a&gt;, &lt;a href="http://beta.zooomr.com/login"&gt;Zooomr&lt;/a&gt; and &lt;a href="http://wikitravel.org/en/Special:OpenIDLogin"&gt;Wikitravel&lt;/a&gt;.&lt;/p&gt;

&lt;h4&gt;OpenID on simonwillison.net&lt;/h4&gt;

&lt;p&gt;This whole entry is a round-about way of announcing the addition of OpenID support to my weblog engine. You can sign in &lt;a href="http://simonwillison.net/openid/"&gt;here&lt;/a&gt;; once signed in you'll be able to leave comments with a pretty OpenID logo (proving that they came from you) and track recent comments that you've posted on the &lt;a href="http://simonwillison.net/comments/yours/"&gt;Your Comments&lt;/a&gt; page. I'm working on adding other functionality for logged-in users such as the ability to edit your own comments or for trusted users to flag comment spam.&lt;/p&gt;

&lt;p&gt;This kind of light-weight account mechanism is one of the things that makes OpenID so interesting. I doubt I could convince anyone to create a new account just to access a few features on my weblog, but if they already have an OpenID the overhead of logging in is small enough that I'm hopeful at least a few people will give it a go.&lt;/p&gt;

&lt;p&gt;As always, report any bugs in the comments.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Update:&lt;/strong&gt; I've created a screencast showing &lt;a href="http://simonwillison.net/2006/openid-screencast/"&gt;how to use OpenID&lt;/a&gt;.&lt;/p&gt;
    
        &lt;p&gt;Tags: &lt;a href="https://simonwillison.net/tags/livejournal"&gt;livejournal&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/myopenid"&gt;myopenid&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/openid"&gt;openid&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/verisign"&gt;verisign&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/vox"&gt;vox&lt;/a&gt;, &lt;a href="https://simonwillison.net/tags/weblog"&gt;weblog&lt;/a&gt;&lt;/p&gt;
    

</summary><category term="livejournal"/><category term="myopenid"/><category term="openid"/><category term="verisign"/><category term="vox"/><category term="weblog"/></entry></feed>