gnuherds-app-dev

OpenID: Why and how we should use it


From: Antenore Gatta
Subject: OpenID: Why and how we should use it
Date: Fri, 6 Jun 2008 08:06:09 +0200

Hi all,

As agreed, this is my attempt to show why and how we should implement OpenID.

First of all, it is important to recall what OpenID is:

OpenID eliminates the need for multiple usernames across different
websites, simplifying your online experience.

OpenID is an open, decentralized, free framework for user-centric
digital identity. OpenID takes advantage of already existing internet
technology (URI, HTTP, SSL, Diffie-Hellman) and realizes that people
are already creating identities for themselves whether it be at their
blog, photostream, profile page, etc. With OpenID you can easily
transform one of these existing URIs into an account which can be used
at sites which support OpenID logins.

Just try to remember how many accounts and passwords you have; if you
are even able to remember how many accounts you have, that is already a
success.

- Why should we use OpenID?

One reason is explained above, "eliminates the need for multiple
usernames across different websites", but this is from a user point of
view.

Gnuherds should use OpenID because there are already over
160 million OpenID-enabled URIs out there, and because companies like
Google, AOL, Microsoft, Sun, Novell, etc. are beginning to accept and
provide OpenIDs.

Nowadays single sign-on, single identity and so forth are a need; we
cannot lose the train.

Some people argue that OpenID is not safe; the answer is that it is not
safe as other login systems are, it's just NOT more vulnerable than
other authentication systems.

The great advantage of OpenID, as it is open, is that you can have some
OpenID providers and you can choose how and when to use each of them;
you can build different identities and provide the data that you want
when you want. At any moment you can choose "to throw away" one of your
identities and unsubscribe at the same time from different service
providers.

Enabling Gnuherds to use OpenID will attract all of those people who are
bored of having thousands of user accounts.

- How we should use OpenID

IMHO OpenID should be a login option; users must have the freedom to
choose the OpenID method or the classical user/password way.
This means that we should add a table that maps users and OpenID URIs.

1. The user chooses how to log in.

If he/she chooses the normal way, nothing changes.
If he/she uses the OpenID way...

2. Server checks to see if the OpenID is a delegate, if so, it finds
the source OpenID server and redirects the user as appropriate (i.e.
to login and to allow access).
3. The OpenID will redirect the user back to our server
4. Our server will now run a callback to the OpenID server which
authenticates the whole process.
5. If the OpenID responds with 'ok', we'll proceed, otherwise, there
was some problem with the log in process.

In this way we can keep control over who accesses Gnuherds and how, and
turn off OpenID if we find that OpenID is not safe (at a particular
moment).
Imagine that a provider is under attack or is no longer trusted
(by us or by the community); we can:
  Decide to remove the untrusted provider.
  Send an email to everybody who is mapped with that provider and doesn't
  have a normal account, with instructions on what to do.
  Send an email to everybody who is mapped with that provider and who
  also has a normal account, with instructions on what to do.

I hope that I was clear enough; please feel free to add any comments
and/or ask any questions.

KR
Antenore
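
An added example, not part of the original message or of the Gnuherds code base: a sketch of the user/OpenID mapping table and the provider-removal step described in the mail. The schema, the function names and all sample addresses are assumptions made for illustration; the provider host is assumed to be recorded when the OpenID is linked, since for a delegated OpenID it differs from the host of the URI itself.

```python
import sqlite3
from urllib.parse import urlsplit
# Hypothetical schema; NULL password_hash marks an account with no classical login.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, password_hash TEXT);
CREATE TABLE user_openids (user_id INTEGER NOT NULL REFERENCES users(id),
    openid_uri TEXT PRIMARY KEY, provider_host TEXT NOT NULL);
CREATE TABLE blocked_providers (host TEXT PRIMARY KEY);
"""

def host_of(url):
    """Lower-cased host of a URL; rejects anything that is not http(s)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) URL: %r" % url)
    return parts.hostname.lower()

def link_openid(db, user_id, openid_uri, provider_endpoint):
    """Map a user to an OpenID, keyed on the provider that authenticates it."""
    db.execute("INSERT INTO user_openids VALUES (?, ?, ?)",
               (user_id, openid_uri, host_of(provider_endpoint)))

def user_for_openid(db, openid_uri):
    """User id for a verified OpenID, or None if unmapped or provider removed."""
    row = db.execute(
        "SELECT user_id FROM user_openids WHERE openid_uri = ? AND provider_host"
        " NOT IN (SELECT host FROM blocked_providers)", (openid_uri,)).fetchone()
    return row[0] if row else None

def remove_provider(db, host):
    """Block a provider; return (openid_only, with_password) e-mail lists."""
    db.execute("INSERT OR IGNORE INTO blocked_providers VALUES (?)", (host.lower(),))
    rows = db.execute(
        "SELECT DISTINCT u.email, u.password_hash IS NOT NULL FROM users u"
        " JOIN user_openids o ON o.user_id = u.id WHERE o.provider_host = ?"
        " ORDER BY u.email", (host.lower(),)).fetchall()
    return [e for e, pw in rows if not pw], [e for e, pw in rows if pw]

def demo_db():
    """Constructed sample data; every address and URL here is made up."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "ana@example.org", None), (2, "bo@example.org", "constructed-hash"),
        (3, "cy@example.org", None)])
    link_openid(db, 1, "https://ana.example.net/", "https://op-a.example/server")
    link_openid(db, 2, "https://op-a.example/bo", "https://op-a.example/server")
    link_openid(db, 3, "https://cy.example.com/", "https://op-b.example/auth")
    return db
```

`user_for_openid` is meant to be called only after the callback to the OpenID server has answered 'ok'; the two lists returned by `remove_provider` correspond to the two e-mail groups in the mail.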



