Andrew Pollack's Blog
Technology, Family, Entertainment, Politics, and Random Noise| Professional Services | Second Signal | Presentations | Andrew's Blog | Support |
Is there any interest out there in an Open ID implementation for Domino?
By Andrew Pollack on 03/08/2008 at 09:05 PM ESTOpen ID (http://openid.net) is an attempt to allow you to use the same credentials to log in on many web sites without having to remember different id and passwords. The idea is that you authenticate with any site that accepts Open ID based on credentials that you control. Your AIM address, for example, can be used as an Open ID. You may have many Open ID's, but a single Open ID can only be owned by one person.
This site explains it better, I think: http://janrain.com/openid/
Anyway, I don't think it would be too hard for me to create a general use Open ID implementation for Domino -- I'm just wonder how much demand there is out there.
re: Is there any interest out there in an Open ID implementation for Domino?By Daniele Vistalli on 03/09/2008 at 05:28 AM EDT
re: Is there any interest out there in an Open ID implementation for Domino?By Yancy Lent on 03/09/2008 at 01:39 PM EDT
I actually spent about a day researching this for planetlotus.org. I figured it
would be a nice way to have all the bloggers manage all their profile
information with out registering a username and password for the millionth
time. I got to a stopping point when i realized i needed to purchase ssl
support for the site to really get it to work.
I know this has nothing to do with Domino because the site is built on LAMP but
in doing the research i did find the adoption rate is increasing rapidly.
So, should you create a general use for Domino? Its bleeding edge security
which is right up your alley and I'd love to read about your progress with it.
would be a nice way to have all the bloggers manage all their profile
information with out registering a username and password for the millionth
time. I got to a stopping point when i realized i needed to purchase ssl
support for the site to really get it to work.
I know this has nothing to do with Domino because the site is built on LAMP but
in doing the research i did find the adoption rate is increasing rapidly.
So, should you create a general use for Domino? Its bleeding edge security
which is right up your alley and I'd love to read about your progress with it.
Yeah, that's the theory - but the truth is it isn't at all.By Andrew Pollack on 03/09/2008 at 01:50 PM EDT
See, Open ID is a nice idea, but it isn't security at all.
It is the authentication equivalent of unverified registration using an emailed
"click to validate" link as the only validation source.
Then, it gets worse because it subjects every site which participates to the
identification limits of the least stringent sites.
For example: It would be mind numbingly simple for me to establish an AIM
account name with some convincing variation of "YancyLent". If I'm smart, I go
back a step or two and first establish bogus hotmail and gmail accounts to do
the validation part of the AIM account creation.
Now, since my AIM name can be one of my Open ID authentication handles, I can
simply join as many places as possible using this new name and I can be you in
more places than you can be you.
Who does this really help?
The real mechanisms for this exist with SSL certificates issued by trusted
certificate authorities. We're used to this for web sites, but not yet for
individuals.
So far, the Thawte "Web of Trust" setup got fairly close to this, but it never
became practice for people to put their Thawte WOT certificates in browsers to
use as authentication for web sites. It surely could be done and would require
less complexity than this Open ID initiative.
I don't see any reason to believe that Open ID gives me any real way of knowing
who I'm dealing with - which is the purpose of authentication. It does,
however, open itself to a great many man in the middle, phishing, and identity
impersonation schemes that leave people more vulnerable than before.
The more I dig in, the less likely I am to want to go with this one.
It is the authentication equivalent of unverified registration using an emailed
"click to validate" link as the only validation source.
Then, it gets worse because it subjects every site which participates to the
identification limits of the least stringent sites.
For example: It would be mind numbingly simple for me to establish an AIM
account name with some convincing variation of "YancyLent". If I'm smart, I go
back a step or two and first establish bogus hotmail and gmail accounts to do
the validation part of the AIM account creation.
Now, since my AIM name can be one of my Open ID authentication handles, I can
simply join as many places as possible using this new name and I can be you in
more places than you can be you.
Who does this really help?
The real mechanisms for this exist with SSL certificates issued by trusted
certificate authorities. We're used to this for web sites, but not yet for
individuals.
So far, the Thawte "Web of Trust" setup got fairly close to this, but it never
became practice for people to put their Thawte WOT certificates in browsers to
use as authentication for web sites. It surely could be done and would require
less complexity than this Open ID initiative.
I don't see any reason to believe that Open ID gives me any real way of knowing
who I'm dealing with - which is the purpose of authentication. It does,
however, open itself to a great many man in the middle, phishing, and identity
impersonation schemes that leave people more vulnerable than before.
The more I dig in, the less likely I am to want to go with this one.
re: Yeah, that's the theory - but the truth is it isn't at all.By Yancy Lent on 03/10/2008 at 10:36 AM EDT
I follow, and you make great points; as always, but walk in my simple security
shoes for a sec. I'm looking for convenience and an easy way to tie people to
records in a table with as little maintenance as possible. The email validation
that you wrote of, is good enough at most of the thousands of sites this
initiative boasts of with the added benefit that its more convenient for users
in turn more registrations.
I too can't see this to be on par with an authority issuing certificates but
for sites like ideajam, openntf, bleedyellow.com.
It's all in the approach, creating an openid/Domino tie in would be great; just
make it buyer beware. Let the user decide if the level of security it provides
is sufficient for the site they intend to apply it to.
shoes for a sec. I'm looking for convenience and an easy way to tie people to
records in a table with as little maintenance as possible. The email validation
that you wrote of, is good enough at most of the thousands of sites this
initiative boasts of with the added benefit that its more convenient for users
in turn more registrations.
I too can't see this to be on par with an authority issuing certificates but
for sites like ideajam, openntf, bleedyellow.com.
It's all in the approach, creating an openid/Domino tie in would be great; just
make it buyer beware. Let the user decide if the level of security it provides
is sufficient for the site they intend to apply it to.
re: Is there any interest out there in an Open ID implementation for Domino?By Jim Knight on 03/09/2008 at 07:32 PM EDT
Yeah, I was asking someone about this recently. I think it would be a nice
feature in the Domino bag of tricks given that there are more commercial web
apps are using it.
feature in the Domino bag of tricks given that there are more commercial web
apps are using it.
re: Is there any interest out there in an Open ID implementation for Domino?By Jim Knight on 03/09/2008 at 07:34 PM EDT
PS - I think it would be nice for Domino web apps that don't need 'true'
security but need an easy login capability.
security but need an easy login capability.
re: Is there any interest out there in an Open ID implementation for Domino?By Chris Miller on 03/10/2008 at 11:30 AM EDT
I am working heavily with this through the DataPortability.org stuff and having
it fully functional in Domino would be of great benefit.
it fully functional in Domino would be of great benefit.
Other Recent Stories...
- 01/26/2023Better Running VirtualBox or VMWARE Virtual Machines on Windows 10+ Forgive me, Reader, for I have sinned. I has been nearly 3 years since my last blog entry. The truth is, I haven't had much to say that was worthy of more than a basic social media post -- until today. For my current work, I was assigned a new laptop. It's a real powerhouse machine with 14 processor cores and 64 gigs of ram. It should be perfect for running my development environment in a virtual machine, but it wasn't. VirtualBox was barely starting, and no matter how many features I turned off, it could ......
- 04/04/2020How many Ventilators for the price of those tanks the Pentagon didn't even want?This goes WAY beyond Trump or Obama. This is decades of poor planning and poor use of funds. Certainly it should have been addressed in the Trump, Obama, Bush, Clinton, Bush, and Reagan administrations -- all of which were well aware of the implications of a pandemic. I want a military prepared to help us, not just hurt other people. As an American I expect that with the ridiculous funding of our military might, we are prepared for damn near everything. Not just killing people and breaking things, but ......
- 01/28/2020Copyright Troll WarningThere's a copyright troll firm that has automated reverse-image searches and goes around looking for any posted images that they can make a quick copyright claim on. This is not quite a scam because it's technically legal, but it's run very much like a scam. This company works with a few "clients" that have vast repositories of copyrighted images. The trolls do a reverse web search on those images looking for hits. When they find one on a site that looks like someone they can scare, they work it like ......
- 03/26/2019Undestanding how OAUTH scopes will bring the concept of APPS to your Domino server
- 02/05/2019Toro Yard Equipment - Not really a premium brand as far as I am concerned
- 10/08/2018Will you be at the NYC Launch Event for HCL Domino v10 -- Find me!
- 09/04/2018With two big projects on hold, I suddenly find myself very available for new short and long term projects.
- 07/13/2018Who is HCL and why is it a good thing that they are now the ones behind Notes and Domino?
- 03/21/2018Domino Apps on IOS is a Game Changer. Quit holding back.
- 02/15/2018Andrew’s Proposed Gun Laws
here in italy (I'm part of the italian user group www.dominopoint.it).
I was looking into doing this and I wanted to support all the features
(authentication/mapping to a names entry, and extra fields exchange).
I can't see it as being easy using pure domino (openid does some back-end http
stuff that needs state).
But if you say it's easy I'd like to contribute with work & testing.
Note: I'm on bleedyellow, we can get in contact trough sametime if you use it.