If you already know about OpenID, you might want to skip ahead to "More Thoughts".

What is OpenID?

OpenID is a method to authenticate users on your sites.  While it can do more, it allows for a single sign-in across various websites.  Under this system, a user simply uses a URL as their sign-in for the site, and the website redirects the user to that URL to sign in.  The URL is the address, and often the user identifier, of an OpenID server that controls their identity.  The user can then use SSL to sign into the OpenID host and is then referred back to the calling site with authorization to the calling site.

The nice part about the OpenID system is that you can use any OpenID server to host your identity.  There are free servers such as http://www.MyOpenID.com, where I have an account.  This account is my sign-in URL, which is "http://RockyMoore.MyOpenID.com".  I can use this URL to sign in to sites that support OpenID.

For example, there is a site called http://www.Jyte.com. You sign in to this system using your OpenID URL, so in my case, I simply sign in using my URL (I would enter "http://RockyMoore.MyOpenID.com" in the sign-in box). The site then redirects me to RockyMoore.MyOpenID.com, where I am prompted to sign in if I am not already signed in on the MyOpenID.com site.  Once signed in, I get redirected back to Jyte and am signed in as if I had signed in on the site directly.

You might wonder how this saves me anything.  First, I no longer have to remember a ton of passwords (or keep the master password file I use on my computer to note all of the user name / password combinations for the various sites I use).  Next, the site I am visiting never gets its hands on my password, which can be a real problem if you use the same password at multiple sites, as they could try your password on other sites and hack your accounts.

You might be saying, "Okay, but it seems like it takes a lot of extra steps to sign into a site with all the redirection".  It can take more steps, but it does not have to; it depends on your OpenID host.  The MyOpenID.com host gives you the ability to remain signed into the system.  When you are already signed into the MyOpenID.com site and a website refers you back to sign in, the OpenID server simply prompts you to either allow or deny the sign-in to the calling site.  Even this prompt can be eliminated by telling the server to always allow the sign-in. From that point on, if you are already signed into the OpenID server when the website you visit redirects you to it, the server just redirects you back to the calling system with authorization to sign in.  Yep, no need to enter or click on anything at the OpenID server if you are already signed into the system.  That makes for a quick sign-in.

After using it for a day, it does seem pretty slick! Just wish most of the sites I use would adopt it as it would make my life much easier than keeping long lists of user name / password combinations!

More Thoughts!

The only negative I have seen so far is the possibility for abuse via phishing schemes.  Let us say you visit a site and try to sign in with your OpenID URL, and the site you are visiting happens to be a hacking site set up to fool you.  Instead of sending you to your OpenID server like MyOpenID.com, it redirects you to a look-alike site and you unknowingly enter your password to sign in without noticing it is a fake site.

While this can be a problem, some OpenID servers use methods to get around it. With MyOpenID.com, for example, you can stay signed into the server and never sign in from a redirection. If you happen to not already be signed into the MyOpenID.com site, you would open another browser link and then sign into the system from your own link to MyOpenID, not the referring site.  I could actually envision a simple solution of a software program running in the system tray that signs you in or out of MyOpenID.com (or other OpenID servers) where you never sign in through the browser.  Something of that nature would eliminate any risk.

The only other problem is if people at an OpenID server allowed your information to be exposed or used it directly themselves to access all the sites you use.  This is possible in just about any aspect of security, but it does not have to be a problem.  First, you should pick a host you trust if you plan to use OpenID for anything more than simple sites of little value.  If it is a big concern and you do not trust other hosts, you could run your own server on a domain of your own and keep all your data there without risk (other than someone hacking your site).  Therefore, I do not exactly call this a negative as it would happen with anything.

With these issues in mind, it is still far safer to use OpenID and keep your information in a single location than to allow other sites all over the world to which you have memberships to manage your data.  If a person is worried about a single location, they can use multiple OpenID servers for different levels of sites if they desire, so that if any one of them were compromised, it would not hold all the info.

There is a lot of talk now about Microsoft CardSpace and OpenID.  Here is some good information:

http://www.hanselman.com/blog/CorillianCardSpaceAndOpenIDDigitalIdentityIsHappening.aspx

Be sure to check out the flow for OpenID 1.1:

http://openid.net/pres/protocolflow-1.1.png

Seems pretty simple :)
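
The site's half of that 1.1 flow, as an added example that is not from the original post or from any OpenID library: it builds the checkid_setup redirect and checks the signed id_res answer that comes back. It assumes the site and the OpenID server have already agreed on an association handle and shared secret; all function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode

def build_checkid_url(server, identity, return_to, trust_root, handle):
    """Step 1: where the site sends the browser (checkid_setup request)."""
    query = urlencode({
        "openid.mode": "checkid_setup",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
        "openid.assoc_handle": handle,
    })
    return server + ("&" if "?" in server else "?") + query

def sign_fields(secret, params):
    """base64(HMAC-SHA1) over 'name:value\\n' for each name in openid.signed."""
    names = params["openid.signed"].split(",")
    token = "".join(f"{n}:{params['openid.' + n]}\n" for n in names)
    mac = hmac.new(secret, token.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")

def verify_id_res(params, secret, identity, return_to, handle):
    """Step 2: accept the redirect back only if every check passes."""
    try:
        signed = set(params["openid.signed"].split(","))
        checks = (
            params["openid.mode"] == "id_res",
            params["openid.assoc_handle"] == handle,
            # Defensive choice in this example: these fields must be signed.
            {"mode", "identity", "return_to"} <= signed,
            params["openid.identity"] == identity,
            params["openid.return_to"] == return_to,
            hmac.compare_digest(sign_fields(secret, params).encode(),
                                params["openid.sig"].encode()),
        )
    except KeyError:
        return False  # a required or signed field is missing
    return all(checks)

# Constructed sample values, not taken from any real server or account.
SERVER = "http://openid.example.org/server"
IDENTITY = "http://alice.example.org/"
RETURN_TO = "http://site.example.com/openid/return?nonce=abc123"
HANDLE, SECRET = "constructed-handle", b"constructed-association-secret"
RESPONSE = {"openid.mode": "id_res", "openid.identity": IDENTITY,
            "openid.return_to": RETURN_TO, "openid.assoc_handle": HANDLE,
            "openid.signed": "mode,identity,return_to"}
RESPONSE["openid.sig"] = sign_fields(SECRET, RESPONSE)
```

The site never sees the password; what it trusts is the signature over the identity and return_to values, so a response with an altered identity or one signed under a different secret is rejected.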

OpenID Software?

Okay, so much for information on the OpenID system, now down to the software side of things.  It appears that the consumer end of OpenID (what you would use on your site to accept people logging in with OpenID) comes in various packages.  They have a .NET/C# package listed; however, it is not C#. It is .NET, but built in "Boo".  Why "Boo"?  I think it is because "Boo" is supposed to have a syntax close to Python, which is what this module was translated from.

I could not find a C# OpenID consumer or server package.  While you can use the Boo version as it does provide an assembly, I would rather have some C# source for such a package.  It could be decompiled back to C#, but I have toyed with the idea of converting it.  I think it is strange that a number of people are trying to promote OpenID but there is no native C#/.NET package out yet.  I think a simple version with full C# source would probably help promote OpenID to the Microsoft world much quicker.

At this time, I am thinking about implementing OpenID on several of my sites and maybe looking into getting it integrated with DotNetNuke, but have to see how time works out. 

My biggest problem at the moment is whether I should use OpenID or CardSpace.  I know work is moving to use OpenID on CardSpace, but which to implement at this time is the question. From what I can tell, OpenID would be more open to users but CardSpace would probably be easier to implement.  Could OpenID be the next RSS?

posted on Monday, February 12, 2007 3:39 PM
Filed Under: Web Dev/ASP.NET/C#

Comments

# re: OpenID/CardSpace - Is it time?
on 3/14/2007 4:05 PM
I've just completed a first cut of DotNetNuke and CardSpace integration.

I haven't looked at OpenID at all, but I know there are many people interested in using OpenID with DotNetNuke.
# re: OpenID/CardSpace - Is it time?
Posted by Thinker
on 3/30/2007 11:02 AM
Glad to hear of the work on single signin. This is one of my wishlist items as most DNN sites require you to create a membership for almost everything. That is a lot of user name/passwords to remember :0)

Yeah, my preference is OpenID. It seems to be easier on the user side of things as it is an easy concept to grasp. A person only has to have an OpenID account somewhere and then they can sign into any site supporting OpenID by simply pasting in their OpenID url. No matter what computer you happen to be logged into (library, work machine, laptop, mobile phone), you can simply enter your url into an OpenID supporting site and you are good to go. It is supported today by all platforms.

The best part is that your url even though it is public cannot be stolen or used except by you. OpenID provides a good way to ensure that only a user who created an account will be the one using that account.

From the website end of things, OpenID does not mean that the person creating an account is even human, it is just that you no longer have to worry about password handling and people losing their passwords. Still, the ease of use to the users is what it is all about.