Tag Archives: OpenID

SPML, SAML, OAuth, and Impedance Mismatch

Nishant Kaushik poses an interesting question: can OAuth fill the provisioning role in just-in-time federated provisioning? Mark Wilcox follows up here and here.

I agree with Mark’s commenter who suggests that a SAML attribute service fills the role just as well. Mark counters that a SAML attribute query is too difficult to implement in some development environments. But I am not sure I buy the argument that there are environments where doing SAML SSO is doable but doing the attribute query isn’t.

Regardless, all this got me thinking about impedance matching. When we wear our standards hat, all things are possible. But we need to step back at times, put on our developer hat, and think about how our designs are going to be implemented. While we could mix SAML and OAuth to support JIT federated provisioning, implementation now requires tools, libraries, and implementers that can handle both SAML and OAuth, as well as the rough edges where the two don’t mesh well. That’s an impedance mismatch in my opinion.

Craftsman OpenID

This is interesting. Sears (and Kmart) web pages now support OpenID for consumer authentication (as a relying party). I just gave it a spin on the Sears web site and it worked quite nicely with my Yahoo OpenID. When I reauthenticate, it remembers that I used my Yahoo OpenID last time and offers that as a choice.

This is a really good application of OpenID. It gives me quick and easy access to consumer information without having to fill out yet another registration form.

The only downside was that it required me to pick a unique screen name. I would have preferred the option to use my Yahoo OpenID as my screen name.

Other than that, it’s nicely done.

Jeff’s OpenID account gets hacked

No, not me (at least not me so far as I know). The Jeff in question is Jeff Atwood of the Coding Horror blog (one of my favorite dev blogs). Jeff relates how his OpenID account was hacked here and here. It’s fascinating reading, especially because the hacker was of the friendly sort who apparently just did it to point out the vulnerability.

The hacker obtained the unsalted hash of Jeff’s password from a different site. He then looked that hash up on one of the reverse-hash lookup sites, which handed him the plaintext password. He then guessed Jeff’s OpenID provider and tried the password there. Since Jeff had used the same password in both places, the hacker was able to log in to Jeff’s OpenID provider and impersonate Jeff at Jeff’s StackOverflow web site, which depends on OpenID.
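The attack chain above, as an added example in Python that is not code from Jeff’s posts or from any of the sites involved: a constructed wordlist stands in for a reverse-hash lookup table, a constructed victim reuses the same password on the breached site and at a simulated OpenID provider, and the two changes that break the chain (the breached site salting and slow-hashing, or the user not reusing the password) are shown alongside it. The `OpenIDProvider` class, the wordlist, and the username and passwords are all made up for illustration.

```python
"""Added example (not from the original post): why a leaked unsalted hash plus
password reuse is enough to take over an account at an unrelated provider.
All names, passwords and the wordlist are constructed for illustration."""
import hashlib
import hmac
import os

# Constructed stand-in for the multi-million-entry tables behind reverse-hash
# lookup sites: plaintext candidates hashed once, then indexed by digest.
WORDLIST = ["password", "letmein", "hunter2", "correcthorse", "qwerty123"]


def unsalted_hash(password: str) -> str:
    """Fast, unsalted MD5: the kind of scheme the breached 'other site' used."""
    return hashlib.md5(password.encode()).hexdigest()


def build_reverse_table(words):
    """digest -> plaintext. With no salt, one table covers every user on every
    site that uses the same algorithm, so it is worth precomputing once."""
    return {unsalted_hash(w): w for w in words}


def reverse_lookup(table, digest: str):
    """The 'reverse hash web site' step: a dictionary hit, or None."""
    return table.get(digest)


def slow_salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user random salt: a precomputed table is
    useless (each user would need a fresh one) and every guess is deliberately slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class OpenIDProvider:
    """Hypothetical OP password check. It stores passwords properly; the weakness
    the chain exploits is reuse, not this store."""

    def __init__(self):
        self._accounts = {}  # username -> (salt, PBKDF2 digest)

    def register(self, username: str, password: str):
        salt = os.urandom(16)
        self._accounts[username] = (salt, slow_salted_hash(password, salt))

    def login(self, username: str, password: str) -> bool:
        if username not in self._accounts:
            return False
        salt, stored = self._accounts[username]
        return hmac.compare_digest(slow_salted_hash(password, salt), stored)


def account_takeover_via_reuse(leaked_digest: str, op: OpenIDProvider, username: str):
    """The chain from the post: reverse the leaked hash, then replay the recovered
    password at the guessed OP. Returns (recovered_password_or_None, login_succeeded)."""
    recovered = reverse_lookup(build_reverse_table(WORDLIST), leaked_digest)
    if recovered is None:
        return None, False
    return recovered, op.login(username, recovered)


def demo():
    op = OpenIDProvider()
    op.register("jeff", "hunter2")              # constructed victim; same password at both sites
    leaked = unsalted_hash("hunter2")           # what the breached site exposed
    recovered, pwned = account_takeover_via_reuse(leaked, op, "jeff")

    # Fix 1 (breached site): salt + slow hash, so the table lookup finds nothing.
    salted_leak = slow_salted_hash("hunter2", os.urandom(16)).hex()
    _, pwned_if_site_salted = account_takeover_via_reuse(salted_leak, op, "jeff")

    # Fix 2 (user): a distinct password at the OP, so the recovered one is useless there.
    op_unique = OpenIDProvider()
    op_unique.register("jeff", "a-different-passphrase-for-the-op")
    _, pwned_if_no_reuse = account_takeover_via_reuse(leaked, op_unique, "jeff")

    return {
        "recovered": recovered,                       # "hunter2"
        "takeover": pwned,                            # True
        "takeover_if_site_salted": pwned_if_site_salted,  # False
        "takeover_if_no_reuse": pwned_if_no_reuse,    # False
    }


if __name__ == "__main__":
    print(demo())
```

Note that the OP in the example does everything right on its side; nothing in its password store could have stopped this. The only defences are on the breached site (salted, slow hashing, so the leak is not reversible) and with the user (no reuse, so a reversed password is worthless elsewhere).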

Here is an interesting question: is it dangerous to reveal your preferred OpenID provider? I suspect there is nothing dangerous about it, given people’s propensity to flock to one of the big players anyway. Even if there were a plethora of OPs, the bad guys would just script a solution that tries a list of known OPs until a hit is made.

An OpenID game changer

One theme I have harped on over the last year or so is that it means little for the big content providers to become OpenID providers if they don’t also become relying parties. You can’t build a highway with nothing but on-ramps.

So far the vast majority of OpenID announcements by the big players have been about becoming yet another OP, or just signing up for the OpenID Foundation. It looks like the game is finally changing. Apparently Facebook is getting ready to become an OpenID relying party. From Inside Facebook:

Less than three months after joining the OpenID Foundation’s board as a sustaining corporate member (i.e. putting its weight and financial support behind OpenID), Facebook has just announced at the “technology tasting” event this afternoon at its Palo Alto headquarters that users will soon be able to log in to Facebook with their OpenID.

This could be huge for OpenID adoption, if it really happens.

An interesting OpenID Provider

There is an interesting new OpenID provider called MyID.is. The stated goal is to provide a verified OpenID:

MyID.is is trying to answer a simple question: how can we provide our users a digital ID that has been certified with the same level of trust as if we met in real life with a valid ID delivered by a government administration, but without the need to actually meet in real life?

By certifying your ID you’ll be able to certify all of your online presence, such as your blogs, your Facebook, LinkedIn profiles…, your comments,… and any kind of online presence that is part of your Identity 2.0.

They validate who you are by billing a small amount to your credit card and then sending you a code via postal mail. You have to wait until you receive the code before you can use the OpenID.

What I find most interesting about this service is that they are not trying (at least at this point) to solve the age verification issue. That’s a good idea in my opinion, as I feel age verification is one of the most oversold issues in the identity space.

There is also a good Ars Technica article on MyID.is here.

A different view on OpenID branding

Nico Popp has his new year’s wishes for OpenID here. There are a lot of good suggestions, but there is one I would beg to differ with:

Everyone agrees that OpenID needs to emerge as a brand that consumers can recognize.

Clearly Nico’s definition of “Everyone” is slightly different from mine. At the very minimum it doesn’t include me. But putting semantics aside Nico continues:

Similarly to Visa for payment, Dolby for music and Gore-Tex for rainwear, OpenID ought to become the “ingredient brand” for identity. The reason the OpenID brand needs to emerge is that we need a “network mark” that transcends all the identity silos. Very much like consumers know that their bank card will work when they see the Cirrus network logo on an ATM machine, consumers need to know that their identity will work on a Web site that carries the OpenID network logo. A network mark has a simple yet powerful meaning. It does not matter whether the card is from Bank of America, Wells Fargo or WAMU, it just works with this ATM machine. It does not matter whether the identity is from Google, Yahoo! or MySpace, it just works with this Web site.

In the OpenID brand lies the one big problem. Although a strong OpenID brand will prove to be good for everyone in the long run (by creating ubiquitous interoperability, Visa helped card issuing banks make more money than they would have made on their own), at this time, none of the large consumer companies involved in the OpenID foundation have any incentive to promote another brand than their own. Therefore, the foundation needs to create a forcing function. My recommendation would be to leverage its ownership of the OpenID intellectual property to enforce the network mark. Let us keep OpenID free to all, but let us require everyone who uses the technology and benefits from the free IP to display the OpenID logo.

I don’t think this is a very promising strategy. Rather than branding OpenID, I believe the important branding is that of the identity providers that enable OpenID. In other words, the brand should be Yahoo, Google, and the other big identity providers, not OpenID. In the same way, the brand Facebook users care about is Facebook, not Facebook Connect.

Trying to push the OpenID brand above the identity provider brand will inhibit OpenID adoption, not enhance it. You are then asking identity providers to do something not in their own best interest.

The average user doesn’t care about OpenID. What they care about (if they care about such things at all) is that by using OpenID they can use the identity provider they already have a relationship with to explore new and interesting services that automatically know who they are, without having to register at every site.

The comparison to Visa is a bit off the mark. People care about Visa because it is an enabling service. OpenID is not; it is a means by which an identity provider becomes an enabling service.

Just my two cents.

Statistical Entrails Reading

Paul Madsen points to this Chris Messina post about a study of OpenID usage and awareness among Mechanical Turk users. Paul draws an interesting distinction: SAML was envisioned to be invisible to the end user, while OpenID was envisioned to be “branded”.

Personally, I believe that OpenID adoption will happen en masse not when it is branded as OpenID, but when it is co-branded primarily by a small set of large identity providers. A lot more people are “aware” they have a Yahoo account or a LiveID account than an OpenID.

But what I find absurd is all the statistical entrails reading going on to determine OpenID adoption rates when a couple of large identity providers could simply tell us. Why don’t the big OpenID identity providers simply publish OpenID authentication stats on a monthly basis?

The providers must have those stats internally. The fact that they are not published says a lot more than any studies about brand awareness.