OpenID

From Wikipedia, the free encyclopedia

Jump to: navigation, search
The OpenID logo
The OpenID logo

OpenID is a shared identity service, which allows Internet users to log on to many different web sites using a single digital identity, eliminating the need for a different user name and password for each site. OpenID is a decentralized, free and open standard that lets users control the amount of personal information they provide.

Using OpenID-enabled sites, web users do not need to remember traditional items of identity such as username and password. Instead, they only need to be registered with any OpenID "identity provider" (IdP). Since OpenID is decentralized, any website can use OpenID as a way for users to sign in; OpenID does not require a centralized authority to confirm a user's digital identity.

OpenID is increasingly gaining adoption among large sites, with organizations like AOL, BBC, Google, IBM, Microsoft, Orange, VeriSign, Yandex and Yahoo! acting as providers.[1][2][3][4][5] In addition, integrated OpenID support has been made a high priority in Firefox 3[6] and OpenID can be used with Windows CardSpace.

Contents

[edit] History

[edit] 2005

The original OpenID authentication protocol was developed in May 2005[7][8] by Brad Fitzpatrick, creator of popular community website LiveJournal, while working at Six Apart.[9] OpenID support was soon implemented on LiveJournal and fellow LiveJournal engine community DeadJournal for blog post comments, and quickly gained attention in the digital identity community. [10][11] Web developer JanRain was an early supporter of OpenID, providing OpenID software libraries and expanding its business around OpenID-based services.

In late June, discussions started between OpenID developers and developers from enterprise software company NetMesh, leading to collaboration on interoperability between OpenID and NetMesh's similar Light-Weight Identity (LID) protocol. The direct result of the collaboration was the Yadis discovery protocol, which was announced on October 24, 2005.[12] After a discussion at the 2005 Internet Identity Workshop a few days later, XRI/i-names developers joined the Yadis project, contributing their Extensible Resource Descriptor Sequence (XRDS) format for utilization in the protocol.[13]

In December, developers at Sxip Identity began discussions with the OpenID/Yadis community[14] after announcing a shift in the development of version 2.0 of its Simple Extensible Identity Protocol (SXIP) to URL-based identities like in LID and OpenID.[15]

[edit] 2006

In March 2006, JanRain developed a Simple Registration Extension for OpenID for primitive profile-exchange,[16] and in April submitted a proposal to formalize extensions to OpenID. The same month, work had also begun on incorporating full XRI support into OpenID.[17]

Around early May, key OpenID developer David Recordon left Six Apart, joining VeriSign to focus on digital identity and guidance for the OpenID spec.[11][18] By early June, the major differences between SXIP 2.0 and OpenID were resolved with the agreement to support multiple personas by submission of an identity provider URL rather a full identity URL. With this, as well as the addition of extensions and XRI support underway, OpenID was evolving into a full-fledged digital identity framework, with Recordon proclaiming, "We see OpenID as being an umbrella for the framework that encompasses the layers for identifiers, discovery, authentication, and a messaging services layer that sits atop and this entire thing has sort of been dubbed 'OpenID 2.0'." In late July, Sxip began to merge its Digital Idenity Exchange (DIX) protocol into OpenID, submitting initial drafts of the OpenID Attribute Exchange extension in August.

[edit] 2007

On January 31, 2007, computer security company Symantec announced support for OpenID in its Identity Initiative products and services.[19] A week later, on February 6 Microsoft made a joint announcement with JanRain, Sxip, and VeriSign to collaborate on interoperability between OpenID and Microsoft's Windows CardSpace digital identity platform, with particular focus on developing a phishing-resistant authentication solution for OpenID. As part of the collaboration, leading computer software company Microsoft pledged to support OpenID in its future identity server products, and JanRain, Sxip, and VeriSign pledged to add support for Microsoft's Information Card profile to their future identity solutions.[20] In mid-February, AOL announced that an experimental OpenID provider service was functional for all AOL and AOL Instant Messenger (AIM) accounts.[21]

In May, information technology company Sun Microsystems began working with the OpenID community, announcing an OpenID program,[22] as well as entering a Non-Assertion Covenant with the OpenID community, pledging not to assert any of its patents against implementations of OpenID[23] In June, the OpenID Foundation was officially formed in Oregon[24] and OpenID Europe Foundation was officially incorporated in June 2007 in Belgium.[25]By early December, Non-Assertion Agreements were collected by the major contributors to the protocol, and the final OpenID Authentication 2.0 and OpenID Attribute Exchange 1.0 specfications were ratified on December 5.[26]

[edit] 2008

In mid-January 2008, Yahoo! announced initial OpenID 2.0 support, both as a provider and as a relying party, releasing the service by the end of the month.[27] In early February, Google, IBM, Microsoft, VeriSign, and Yahoo! joined the OpenID Foundation as corporate board members.[28]

[edit] Using OpenID

A basic glossary of the terms used with OpenID:

End user 
The person who wants to assert his or her identity to a site.
Identifier 
The URL or XRI chosen by the End User as their OpenID identifier.
Identity provider or OpenID provider
A service provider offering the service of registering OpenID URLs or XRIs and providing OpenID authentication (and possibly other identity services). Note that the OpenID specifications use the term "OpenID provider" or "OP".
See also: List of OpenID providers
Relying party 
The site that wants to verify the end user's identifier. Sometimes also called a "service provider".
Server or server-agent 
The server that verifies the end user's identifier. This may be the end user's own server (such as their blog), or a server operated by an identity provider.
User-agent 
The program (such as a browser) that the end user is using to access an identity provider or a relying party.
Consumer 
An obsolete term for the relying party.

[edit] Logging in

A relying party web site (e.g. example.website.com) displays an OpenID login form somewhere on the page. Unlike a typical login form with fields for the user name and password, the OpenID login form has only one field - for the OpenID identifier, typically along with a small OpenID logo: Image:Openid small logo.png‎. This form is connected to an implementation of an OpenID client library.

A user typically will have previously registered an OpenID identifier (e.g. alice.openid.example.org) with an OpenID identity provider (e.g. openid.example.org). The user visits the relying party web site and types her OpenID identifier in the OpenID login form.

The relying party web site typically transforms the OpenID identifier into a canonical URL form (e.g. http://alice.openid.example.org/). With OpenID 1.0, the relying party then requests the web page located at that URL and reads an HTML link tag to discover the identity provider service URL (e.g. http://openid.example.org/openid-auth.php). The relying party also discovers whether to use a delegated identity (see below). With OpenID 2.0, the client discovers the identity provider service URL by requesting the XRDS document (also called the Yadis document) with the content type application/xrds+xml that may be available at the target URL and is always available for a target XRI.

There are two modes in which the relying party can communicate with the identity provider:

  • checkid_immediate, in which the relying party requests that the provider not interact with the user. All communication is relayed through the user's browser without explicitly notifying the user;
  • checkid_setup, in which the user communicates with the provider server directly using the same web browser used to access the relying party site.

The second option is more popular on the Web; also, checkid_immediate can fallback to checkid_setup if the operation cannot be automated.

First, the relying party and the identity provider (optionally) establish a shared secret - referenced by an associate handle, which the relying party then stores. If using checkid_setup, the relying party redirects the user's web browser to the identity provider so the user can authenticate with the provider.

The method of authentication may vary, but typically, an OpenID identity provider prompts the user for a password or an InfoCard, then asks whether the user trusts the relying party web site to receive her credentials and identity details.

If the user declines the identity provider's request to trust the relying party web site, the browser is redirected to the relying party with a message indicating that authentication was rejected. The site in turn refuses to authenticate the user.

If the user accepts the identity provider's request to trust the relying party web site, the browser is redirected to the designated return page on the relying party web site along with the user's credentials. That relying party must then confirm that the credentials really came from the identity provider. If they had previously established a shared secret (see above), the relying party can validate the shared secret received with the credentials against the one previously stored. Such a relying party is called stateful because it stores the shared secret between sessions. In comparison, a stateless or dumb relying party must make one more background request (check_authentication) to ensure that the data indeed came from the identity provider.

After the OpenID identifier has been verified, OpenID authentication is considered successful and the user is considered logged in to the relying party web site with the given identifier (e.g. alice.openid.example.org). The web site typically then stores the OpenID identifier in the user's session.

OpenID does not provide its own form of authentication, but if an identity provider uses strong authentication, OpenID can be used for secure transactions such as banking and e-commerce.

[edit] Identifiers

Starting with OpenID Authentication 2.0 (and some 1.1 implementations), there are two types of identifiers that can be used with OpenID: URLs and XRIs.

There are two ways to obtain an OpenID-enabled URL that can be used to login on all OpenID-enabled websites.

  1. To use an existing URL under one's own control (such as one's blog or home page), and if one knows how to edit HTML, one can insert the appropriate OpenID tags in the HTML code following instructions at the OpenID specification.
  2. The second option is to register an OpenID identifier with an identity provider. They offer the ability to register a URL (typically a third-level domain) that will automatically be configured with OpenID authentication service.

XRIs are a new form of Internet identifier designed specifically for cross-domain digital identity. For example, XRIs come in two forms—i-names and i-numbers—that are usually registered simultaneously as synonyms. I-names are reassignable (like domain names), while i-numbers are never reassigned. When an XRI i-name is used as an OpenID identifier, it is immediately resolved to the synonymous i-number (the CanonicalID element of the XRDS document). This i-number is the OpenID identifier stored by the relying party. In this way both the user and the relying party are protected from the user's OpenID identity ever being taken over by another party as can happen with a URL based on a reassignable DNS name.

[edit] Adoption

As of July 2007, there are over 120 million OpenIDs on the Internet (see below) and approximately 4,500 sites have integrated OpenID consumer support.[29]

[edit] OpenID Foundation

The OpenID Foundation is a 501(c)3 non-profit incorporated in the United States. The OpenID Foundation was formed to help manage copyright, trademarks, marketing efforts and other activities related to the success of the OpenID community. The singular goal of the OpenID Foundation is to protect OpenID.

[edit] People

The OpenID Foundation's board of directors has seven members:[24]

Bill Washburn, Ph.D., of XDI.ORG, is the foundation's executive director.

A European counterpart, the OpenID Europe Foundation headquartered in Paris, was founded in June 2007. It is a non-profit organization to help promote and deploy the OpenID software framework in Europe. OpenID Europe is independent of the OpenID Foundation.[32] Snorri Giorgetti of OpenID Europe also serves as the OpenID Foundation's representative in Europe.

[edit] Legal issues

In the United States, as of March 27, 2007 the OpenID trademark is registered to NetMesh under its placeholder name[33] R-Objects, Inc.[34] Netmesh CEO Johannes Ersnt, a member of the OpenID Foundation board, has stated that he intends to assign the trademark rights to the OpenID Foundation in the future. In Europe, as of August 31, 2007, the OpenID trademark is registered to the OpenID Europe Foundation.[35]

The OpenID logo was designed by Randy "ydnar" Reddig, who in 2005 had expressed plans to transfer the rights to an OpenID organization.[36] The official openid.net domain is registered to Six Apart, which was granted by the previous owner David I. Lehn,[37], and the rights of which were officially transferred on June 16, 2005.[citation needed]

A patent-pending application with Denmark priority right from March 9, 2001[38] purportedly[who?] covers the central aspects of OpenID.

The official site currently states:

Nobody should own this. Nobody's planning on making any money from this. The goal is to release every part of this under the most liberal licenses possible, so there's no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we're all a part of the community.

Both Sun Microsystems and VeriSign have issued patent non-assertion covenants covering OpenID 1.1 specifications. These covenants [23][39] state that neither company will assert any of their patents against OpenID implementations and will revoke their promises from anyone who threatens, or asserts, patents against OpenID implementors.

[edit] Criticism

Some observers have suggested that OpenID has security weaknesses and may prove vulnerable to phishing attacks.[40][41] [42]

For example, a malicious relying party may forward the end-user to a bogus identity provider authentication page asking that end-user to input their credentials. On completion of this, the malicious party (who in this case also control the bogus authentication page) could then have access to the end-user's account with the identity provider, and as such then use that end-user’s OpenID to log into other services.

In an attempt to combat possible phishing attacks some OpenID providers mandate that the end-user needs to be authenticated with them prior to an attempt to authenticate with the relying party. However this then relies on the end-user knowing the policy of the identity provider, and regardless this issue remains a significant additional vector for man-in-the-middle phishing attacks.

Other criticisms are that the addition of a third-party (the identity provider) into the authentication process significantly adds complexity and therefore possibility of vulnerability into the system. Also this system shifts responsibility for "quality" of authentication to the end-user (in their choice of identity provider), a shift that the end-user and the relying party (for example their bank) need to understand.

[edit] See also

[edit] Notes

  1. ^ How do I get an OpenID?. OpenID Foundation. Retrieved on 2008-03-20.
  2. ^ Riley, Duncan (2008-01-18). Google Offers OpenID Logins Via Blogger. TechCrunch. Retrieved on 2008-03-20.
  3. ^ Brian Krebs (2007-02-06). Microsoft to Support OpenID. Retrieved on 2008-03-01.
  4. ^ Technology Leaders Join OpenID Foundation to Promote Open Identity Management on the Web (008-02-07).
  5. ^ Bergman, Artur. "OpenID Foundation - Google, IBM, Microsoft, VeriSign and Yahoo", O'Reilly Media, 2008-02-07. Retrieved on 2008-03-19. 
  6. ^ Current Firefox 3 Requirements on the Mozilla Wiki
  7. ^ Fitzpatrick, Brad (2005-05-16). Distributed Identity: Yadis. LiveJournal. Retrieved on 2008-03-20.
  8. ^ Fitzpatrick, Brad (2005-05-17). OpenID. LiveJournal. Retrieved on 2008-03-19.
  9. ^ Waters, John K. "OpenID Updates Identity Spec", Redmond Developer News, 2007-12-01. Retrieved on 2008-03-20. 
  10. ^ OpenID: an actually distributed identity system. Internet Archive (2005-09-24). Retrieved on 2008-03-20.
  11. ^ a b Fitzpatrick, Brad (2006-05-30). brad's life - OpenID and SixApart. LiveJournal. Retrieved on 2008-03-20.
  12. ^ Recordon, David (2005-12-24). Announcing YADIS...again. Danga Interactive. Retrieved on 2008-03-20.
  13. ^ Reed, Dummond. "Implementing YADIS with no new software", Danga Interactive, 2005-12-31. Retrieved on 2008-03-20. 
  14. ^ Hardt, Dick (2005-12-18). Sxip concerns with YADIS. Danga Interactive. Retrieved on 2008-03-20.
  15. ^ Hardt, Dick (2005-12-10). SXIP 2.0 Teaser. Identity 2.0. Retrieved on 2008-03-20.
  16. ^ Hoyt, Josh (2006-03-15). OpenID + Simple Registration Information Exchange. Danga Interactive. Retrieved on 2008-03-20.
  17. ^ Grey, Victor (2006-04-02). Proposal for an XRI (i-name) profile for OpenID. Danga Interactive. Retrieved on 2008-03-20.
  18. ^ Recordon, David (2006-04-29). Movin' On..... LiveJournal. Retrieved on 2008-03-20.
  19. ^ Symantec Unveils Security 2.0 Identity Initiative at DEMO 07 Conference. Symantec (2007-01-31). Retrieved on 2008-03-20.
  20. ^ Graves, Michael (2007-02-06). VeriSign, Microsoft & Partners to Work together on OpenID + Cardspace. VeriSign. Retrieved on 2008-03-20.
  21. ^ Panzer, John (2007-02-16). AOL and 63 Million OpenIDs. AOL Developer Network. Retrieved on 2008-03-20.
  22. ^ Sun Microsystems Announces OpenID Program. PR Newswire (2007-05-07). Retrieved on 2008-03-20.
  23. ^ a b Sun OpenID: Non-Assertion Covenant. Sun Microsystems. Retrieved on 2008-03-20.
  24. ^ a b OpenID Board of Directors (2007-06-01). OpenID Foundation. OpenID Foundation. Retrieved on 2008-03-20.
  25. ^ http://www.openideurope.eu/foundation/bylaws/ Bylaws of OpenID Europe
  26. ^ OpenID 2.0…Final(ly)!. OpenID Foundation (2007-12-05). Retrieved on 2008-03-20.
  27. ^ Yahoo! Announces Support for OpenID; Users Able to Access Multiple Internet Sites with Their Yahoo! ID. Yahoo! (2008-01-17). Retrieved on 2008-03-20.
  28. ^ "Technology Leaders Join OpenID Foundation to Promote Open Identity Management on the Web", OpenID Foundation, Marketwire, 2008-02-07. Retrieved on 2008-03-20. 
  29. ^ OSCON - The State of OpenID talk by Scott Kveton
  30. ^ http://wikitravel.org/en/Special:OpenIDLogin
  31. ^ Bylund, Anders (17 January 2008). Yahoo! No More Password Profusion!. Retrieved on 2008-02-14.
  32. ^ OpenID Europe Foundation.
  33. ^ NetMesh: Company / Management. NetMesh. Retrieved on 2008-03-20.
  34. ^ Latest Status Info. United States Patent and Trademark Office (2006-03-27). Retrieved on 2008-03-20.
  35. ^ OpenID Europe Trademark & Logo Policy. OpenID Europe Foundation. Retrieved on 2008-03-20.
  36. ^ Reddig, Randy (2005-06-29). OpenID Logo. Danga Interactive. Retrieved on 2008-03-20.
  37. ^ Fitzpatrick, Brad (2005-05-17). Yadis.... now OpenID. Danga Interactive. Retrieved on 2008-03-20.
  38. ^ WO patent application 02073926, "System and a method for managing digital identities", published 2002-09-19, assigned to Ascio Technologies 
  39. ^ "VeriSign's OpenID Non-Assertion Patent Covenant", VeriSign. Retrieved on 2008-03-20. 
  40. ^ Crowley, Paul (2005-06-01). Phishing attacks on OpenID. Danga Interactive. Retrieved on 2008-03-20.
  41. ^ Anderson, Tim. "OpenID still open to abuse", IT Week, 2007-03-05. Retrieved on 2007-03-13. 
  42. ^ Slot, Marco. Beginner's guide to OpenID phishing. Retrieved on 2007-07-31.

[edit] References

[edit] External links

Personal tools