Background
- OpenID.net - developer-friendly, home of specifications
- OpenID Enabled - home of software modules
- Simon Willison's OpenID Info
- The Implications of OpenID - Google tech talk by Simon Willison explaining OpenID and some of its implications.
- OAuth - An open standard that lets a user delegate authorized access to a subset of their data to a third-party site without handing over their credentials.
Providers
An OpenID provider authenticates the user behind a claimed OpenID identifier (a URL); cf. a CAS server.
- MyOpenID.com
- StartSSL - OpenID with SSL certificates.
- AOL
- Yahoo!
- Sun - Sun employees have OpenIDs.
Consumers
An OpenID consumer (relying party) is a web site that accepts OpenIDs for authentication; cf. a CAS-enabled application.
Modules
Security Notes
- It is relatively easy to create an OpenID provider that proxies some other authentication system. If users want to use a particular credential, someone will build the proxy. Organizations ought to consider providing an official service rather than letting an outsider develop a proxy.
- OpenID asserts ownership of a URL (the OpenID identifier). This is more or less equivalent to any authentication system that sends password reminders to an e-mail address, which in effect asserts ownership of that e-mail address.
- In some ways, a system that resets passwords based on a list of questions is the equivalent of single sign-on: if the same questions and answers are used on multiple sites, compromise of one may compromise the others.
Leftovers
Random Notes
- You can claim ownership of a URL
- Pick your own provider
- Relying party redirects you to provider
- Automation of login? Same web-centric issues as CAS?
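As an added example (not code from this page or from any of the projects linked above), the following Python sketch plays both roles in the flow from the Random Notes above and in the Security Notes: a provider that signs a positive assertion about a claimed URL, and a relying party that checks the assertion before trusting the claim. It assumes an HMAC-SHA256 association already established between the two (normally done with an openid.mode=associate exchange); the provider endpoint, return_to URL, user URLs and MAC key are constructed placeholders. The relying-party checks are the ones that make "ownership of a URL" mean something: the assertion must come from the provider that discovery of the claimed URL named, the signature must cover every security-relevant field, and the response nonce must be fresh and never reused.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed association state. A real RP and OP agree on the MAC key through an
# openid.mode=associate exchange; here it is simply shared in-process.
ASSOC_HANDLE = "assoc-example-1"
MAC_KEY = b"\x01" * 32                               # constructed 256-bit key, HMAC-SHA256
OP_ENDPOINT = "https://op.example.com/openid"        # hypothetical provider endpoint
RETURN_TO = "https://rp.example.org/openid/return"   # hypothetical relying-party return URL

SIGNED_FIELDS = ["op_endpoint", "claimed_id", "identity",
                 "return_to", "response_nonce", "assoc_handle"]


def signed_kv_form(params, signed_fields):
    """Key-value form of the signed fields, in the order listed in openid.signed
    (the form OpenID 2.0 signs: one 'name:value\\n' line per field, prefix dropped)."""
    return "".join(f"{name}:{params.get('openid.' + name, '')}\n" for name in signed_fields)


def op_positive_assertion(claimed_id, return_to, assoc_handle):
    """Provider side: build and sign the positive assertion (mode id_res) that the
    provider sends the user's browser back to the relying party with."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": stamp + secrets.token_urlsafe(8),  # timestamp + unique tail
        "openid.assoc_handle": assoc_handle,
        "openid.signed": ",".join(SIGNED_FIELDS),
    }
    mac = hmac.new(MAC_KEY, signed_kv_form(params, SIGNED_FIELDS).encode(), hashlib.sha256).digest()
    params["openid.sig"] = base64.b64encode(mac).decode()
    return params


class RelyingParty:
    """Consumer side: every check a relying party should make before believing
    that the browser in front of it controls the claimed URL."""

    def __init__(self, discovered):
        # discovered: claimed URL -> OP endpoint learned during discovery (the user
        # claims a URL, the RP fetches it and finds out which provider speaks for it).
        self.discovered = discovered
        self.seen_nonces = set()

    def verify(self, params, now=None):
        now = now or datetime.now(timezone.utc)
        if params.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        if params.get("openid.return_to") != RETURN_TO:
            return False, "return_to mismatch"
        claimed = params.get("openid.claimed_id")
        # The provider that signs must be the one discovery of the claimed URL named;
        # otherwise any provider (including a proxy) could assert ownership of any URL.
        if self.discovered.get(claimed) != params.get("openid.op_endpoint"):
            return False, "op_endpoint does not match discovery"
        if params.get("openid.assoc_handle") != ASSOC_HANDLE:
            return False, "unknown association"
        signed_fields = params.get("openid.signed", "").split(",")
        for required in SIGNED_FIELDS:
            if required not in signed_fields:
                return False, f"{required} not covered by signature"
        expected = hmac.new(MAC_KEY, signed_kv_form(params, signed_fields).encode(),
                            hashlib.sha256).digest()
        try:
            got = base64.b64decode(params.get("openid.sig", ""), validate=True)
        except (binascii.Error, ValueError):
            return False, "malformed signature"
        if not hmac.compare_digest(expected, got):
            return False, "bad signature"
        nonce = params.get("openid.response_nonce", "")
        try:
            stamp = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed nonce"
        if abs(now - stamp) > timedelta(minutes=5):
            return False, "stale nonce"
        if nonce in self.seen_nonces:           # a captured assertion must not work twice
            return False, "replayed nonce"
        self.seen_nonces.add(nonce)
        return True, claimed


if __name__ == "__main__":
    rp = RelyingParty({"https://alice.example.net/": OP_ENDPOINT})
    assertion = op_positive_assertion("https://alice.example.net/", RETURN_TO, ASSOC_HANDLE)
    print(rp.verify(assertion))        # (True, 'https://alice.example.net/')
    print(rp.verify(assertion))        # (False, 'replayed nonce')
```

The discovery check is the one most often skipped in home-grown relying parties: without it, the signature only proves that some provider the RP has an association with said something, not that the provider is entitled to speak for the claimed URL.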