Andrew Pollack's Blog

Technology, Family, Entertainment, Politics, and Random Noise

Follow-Up - My take on Open ID - It takes us the wrong way. This is a problem that already has better solutions.

By Andrew Pollack on 03/12/2008 at 08:23 AM EDT

Open ID is an attempt at the concept of an ID Vault for browser based access to web sites. As a vault, it gets fairly close. Unfortunately, it's storing credentials that are themselves inadequate. If the open ID method of sharing credentials could be applied to the storage of real credentials, it would be much more powerful.

I've looked into Open ID a bit more since I started talking about it in a previous blog entry. I've come to a few initial conclusions about it that are fairly disappointing.

It isn't what you want it to be

Open ID isn't security in any real sense of the word. Security is the applied combination of "Authentication" and "Access Control". While Open ID attempts to be about the "Authentication" part of the equation it doesn't really do that effectively. It isn't single sign-on either, although in some respects it is very similar.

Authentication is simply the method you use to be sure you know with whom you are interacting. To do that on most web sites, you have to pick a Login ID and a Password - your credentials. That's fine for making sure that the same person comes back to use the same ID next time. By itself, it doesn't tell you anything about the person who picked it. For that, each web site seeks to tie those credentials to you as an individual. The site management has to decide how important it is that they know who they're dealing with. For many, simply sending an authorization email with a confirmation link is good enough. For other sites, a minimal charge to a credit card is required. A few are more complex. Authentication isn't valid until you tie some credentials to some level of individual identification that is strong enough for your site.

Open ID doesn't do that. Like Single Sign-on, Open ID is a trade off. By providing the users of a site the convenience of having the same credentials work at many sites, it reduces the strength of the link between those credentials and any real person to that of the weakest validation method of any participating web site. Your AIM login name can be a valid Open ID. Does knowing your AIM ID provide me enough information to consider you a validated user?

There are already solutions to this problem

While so far they haven't been well supported in browsers, client side certificates were designed to deal with this issue. A certificate authority schema and authority tree exists already and works quite well. We use it for authenticating web sites from our browser every time we connect to a web server using SSL. Our browser accepts the certificate offered by the site, and if it has an authority chain that we recognize we consider the site a known entity. When I connect to my bank's web site, my browser automatically verifies that a certificate authority I trust has certified this particular web site as being who they say they are. It isn't perfect, but it works pretty well -- especially if you pay some attention to it.

To make this work at the browser side, a couple of things have to happen. First, certificates need to be easier to get. The Thawte Web of Trust (WOT) has been a good attempt at this, but realistically these are going to have to become more mainstream. Sites which do go to great lengths to authenticate real people -- like banks -- should be able to issue these certificates. To use a certificate, you have to enter a password. Maybe this is by logging into your PC, or maybe you have an additional password each time you present that certificate. Does this sound familiar? Yes, it is just like the Notes ID file. That's because it is exactly what the Notes ID file does in its own proprietary way.

In addition to making certificates more widely and accurately available, browser software (frankly, all network software) next has to make them easier to manage. Windows, Linux, and Mac OS X all have their own concept of a keyring to hold these kinds of certificates. None of them are easily portable. Would you know how (without looking into it) to take your certificates with you on a USB key and easily use them on another machine without changing the configuration of that machine? Of course not.

A truly transportable key management process, easy enough for any end user to understand how to carry their keys around is the missing piece. Browser revision cycles are shorter than that of Operating Systems, so its going to happen on browsers first -- but eventually it will have to be cleanly supported at the operating system level.

Users don't want to carry a keyring

The fly in the ointment on a portable key ring is having to carry the key ring around. Nobody knows this better than a Domino administrator. That's where the concept of an ID Vault comes into play. On the Notes and Domino side of things, that work is being done for the next major release of the product.

An ID Vault schema for internet standard credentials would be an excellent idea and likely well accepted. The question becomes, who runs the vault? That's the hidden strength of Open ID. The really good work they've done is in creating a fairly workable method for distributed, trusted id vaults.

Here's how a decent Authentication methodology could work

A. Make verified certificates easier to get. Certificates are out there now, but fairly well hidden and hard to get. Let banks, supermarkets, and anyone else issue them. Their level of trust can easily be validated based on their root and intermediate certificates. I could then have a certificate that is issued by Key Bank and says I'm Andrew Pollack, and that certificate authority (Key Bank) bears a stamp from Verisign that attests to Key's rigorous authentication standards.

B. Make the key rings where these certificates are stored much more easily transportable. Key rings are there now, but fairly well hidden and hard to use. They're also not very easily moved from machine to machine. That means the interface to pick your key ring needs to be front and center on browsers -- and eventually operating systems.

C. Implement a schema where you can store your key ring - encrypted - on any web service which provides an authentication service based on a common ID Vault schema.

The ID Vault schema needs to work like this:

1. At any participating web site, when asked for credentials, you enter the URL to access your ID via the ID Vault of your choice. (e.g. )

2. The web site makes a request to your vault for your credentials using a specific key of its own, while opening an iframe, popup window, or browser add-in which makes a secure SSL connection to that ID Vault passing the same key.

3. The ID Vault site now has two distinct connections to it. One from you and one from the server you're wanting to log into. Both share the same identifier. The ID Vault server presents you (In your secure popup) with whatever authentication method makes sense -- If you're on your home PC, a client side certificate can make it transparent, if not a password or secure id card or whatever is secure enough for you.

4. Once the ID Vault has authenticated you, it asks for permission to pass your credentials to the web site (which it names) that you're trying to log into.

5. Given permission, the ID Vault passes your credentials back to the other server and you're verified.

6. Once your credentials have identified you to the new site, it can issue its own cookie if it wants to skip this step in the future.

In the end, Open ID makes a reasonable attempt at an ID Vault schema but then falls down by providing credentials which are themselves not good enough for any but the most open of systems.

You can find out more about Open ID and make your own decisions here:

There are  - loading -  comments....

re: Follow-Up - My take on Open ID - It takes us the wrong way. This is a problem that already has better solutions.By Kerr on 03/12/2008 at 11:00 AM EDT
Interesting post Andrew, but I think you may be throwing the baby out with the
bathwater when dismissing OpenID.

OpenID is not about allowing sites to tie users back to real people, it's about
enabling users to manage there personal information across the web from one
place and providing extra security for the *user*.

A site enabling OpenID does not loss anything compared to how things work now.
What they gain is a much quicker way for users to open an account, which
currently can be a major hurdle.
Why would a site operator bother though?By Andrew Pollack on 03/12/2008 at 11:10 AM EDT
If I care at all enough to bother authenticating, why would I then accept as
credentials something which is absolutely unverified and unverifiable?

Seems hardly worth the trouble. For me, its better to just use a cookie to
remember what the user called themselves last time and leave it at that -- or
else do some real authentication.
re: Why would a site operator bother though?By Kerr on 03/13/2008 at 09:04 AM EDT
"If I care at all enough to bother authenticating, why would I then accept as
credentials something which is absolutely unverified and unverifiable?"

But you don't loss the ability to do any verification you do now, it just makes
it easier for the user to manage.
re: Follow-Up - My take on Open ID - It takes us the wrong way. This is a problem that already has better solutions.By Chris Miller on 03/12/2008 at 11:34 AM EDT
OpenID isn't just about verifying the person, but allowing the person a single
point of account creation and authorizing sites to use that single point.

While stronger ties to verification should be made, the theory of a vault where
I store my info and then allow others to use it based on my authorizations is
their first step. Also, there is more than one OpenID provider at this time,
which adds confusion
I think it is supposed to have multiple providers.By Andrew Pollack on 03/12/2008 at 12:27 PM EDT
Not only multiple providers for the server side, but end users can have many
different OpenID sources.

That cat is out of the bag already. You're not going to suddenly tighten
restrictions so that suddenly you need more than an AIM name to be an
authenticated person.

There isn't a mechanism to say my site only accepts OpenID from specific
authentication sources. If you buy into OpenID, you buy into the least
validated authentication source.

I haven't even gone into the potential for Man in the Middle and impersonation

Sorry man, I give it "close, but no cigar."

Or, in the scale of security solutions, I give it only 1 out of a possible five

Other Recent Stories...

  1. 01/26/2023Better Running VirtualBox or VMWARE Virtual Machines on Windows 10+ Forgive me, Reader, for I have sinned. I has been nearly 3 years since my last blog entry. The truth is, I haven't had much to say that was worthy of more than a basic social media post -- until today. For my current work, I was assigned a new laptop. It's a real powerhouse machine with 14 processor cores and 64 gigs of ram. It should be perfect for running my development environment in a virtual machine, but it wasn't. VirtualBox was barely starting, and no matter how many features I turned off, it could ...... 
  2. 04/04/2020How many Ventilators for the price of those tanks the Pentagon didn't even want?This goes WAY beyond Trump or Obama. This is decades of poor planning and poor use of funds. Certainly it should have been addressed in the Trump, Obama, Bush, Clinton, Bush, and Reagan administrations -- all of which were well aware of the implications of a pandemic. I want a military prepared to help us, not just hurt other people. As an American I expect that with the ridiculous funding of our military might, we are prepared for damn near everything. Not just killing people and breaking things, but ...... 
  3. 01/28/2020Copyright Troll WarningThere's a copyright troll firm that has automated reverse-image searches and goes around looking for any posted images that they can make a quick copyright claim on. This is not quite a scam because it's technically legal, but it's run very much like a scam. This company works with a few "clients" that have vast repositories of copyrighted images. The trolls do a reverse web search on those images looking for hits. When they find one on a site that looks like someone they can scare, they work it like ...... 
  4. 03/26/2019Undestanding how OAUTH scopes will bring the concept of APPS to your Domino server 
  5. 02/05/2019Toro Yard Equipment - Not really a premium brand as far as I am concerned 
  6. 10/08/2018Will you be at the NYC Launch Event for HCL Domino v10 -- Find me! 
  7. 09/04/2018With two big projects on hold, I suddenly find myself very available for new short and long term projects.  
  8. 07/13/2018Who is HCL and why is it a good thing that they are now the ones behind Notes and Domino? 
  9. 03/21/2018Domino Apps on IOS is a Game Changer. Quit holding back. 
  10. 02/15/2018Andrew’s Proposed Gun Laws 
Click here for more articles.....

pen icon Comment Entry
Your Name
*Your Email
* Your email address is required, but not displayed.
Your thoughts....
Remember Me  

Please wait while your document is saved.