Comments on: Warming up to OpenID

By: Nic Ferrier

Nic Ferrier — Sat, 03 Mar 2007 12:45:24 +0000

An alternative to Evan’s really cool certifi.ca site it http://prooveme.com. We give you a free certificate as part of your sign up process (though we’re planning to offer support for existing certs as well). In other respects it works the same as Evan’s service. We believe though, that users creating certificates in order to delegate them to other services is a big win feature. Doing that would enable you to, say, delegate authority to flikr to upload photos to your blog.

By: Evan Prodromou

Evan Prodromou — Fri, 02 Mar 2007 16:08:05 +0000

@Patrick: I'm a big fan of public key encryption and the identity control that it brings. About the closest thing to an SSH key for HTTPS is client-side SSL certificates. That's what certifi.ca uses. Most Web sites don't support them because most Web users don't know they exist, and most Web users don't know they exist because most Web sites don't support them.

There are links on the certifi.ca home page to sites where you can get gratis valid SSL certificates in a few minutes (email confirmation required). It's probably exactly what you're looking for. Please give it a try and let me know what you think.

By: Patrick

Patrick — Thu, 01 Mar 2007 17:21:55 +0000

Evan:

Yes, you're right that phishing is only a problem when password authentication is used. However, I think that it will be a while before most people will be using an alternative technique. One thing I was thinking about recently was an OpenID provider that could use public key authentication using my ssh key. That would be cool. Log in once (by typing the url in directly, or something safe), upload your public key, and then use ssh-agent authentication from then on. Then you could really have a single login to your machine, and it would work for everything.

By: Evan Prodromou

Evan Prodromou — Thu, 01 Mar 2007 14:05:16 +0000

I think that the phishing problem is mostly a red pherring (tee-hee). certifi.ca, for example, is an OpenID provider that only uses SSL certs for authentication. There is never a password, so there's not a risk of phishing. I use certifi.ca as my main OpenID delegate, and I actually find using my OpenID considerably streamlined because of the certs-based authentication.

By: Patrick

Patrick — Tue, 27 Feb 2007 20:08:17 +0000

Hmmm, I had to look at the spec to see where the crypto was involved, and I'll be honest, I don't fully understand it. I don't see why your proposal wouldn't work just as well.

As for the phishing, I think browser integration is a good way to go. I don't think people would be changing their identity providers that often, so it wouldn't be a hassle to have to specify them in the plugin options. But I still think the bookmark-based solution described here is the simplest.

By: e

Tue, 27 Feb 2007 14:31:25 +0000

I'm not sold on OpenID. The idea behind it is very good, but it puts too much weight on crypto. I tried writing a WordPress plugin for it when the protocol first came out, but I didn't have the crypto extensions that I needed compiled into PHP.

The goal of the system is to verify that a given user is associated with a website. I would like to see a lighter version of OpenId that performs its verification through publishing. In other words, the challenger would ask the user to verify themselves by making altering a webpage on the site to display a nonce of the challenger's choosing.

Regarding OpenId and phishing: what about adding some browser integration to get around the phishing attack? That or a long-lived cookie that gave the site providing the auth service a different look would both allow the user to verify that they are at the site the expect, rather than a site of the attacker's choosing.