Re: OpenID: Why and how we should use it
From: Davi Leal
Subject: Re: OpenID: Why and how we should use it
Date: Tue, 8 Jul 2008 23:40:12 +0200
User-agent: KMail/1.9.7

Antenore and MJ were right! We have to add OpenID support. Earle Martin
wrote: "Users want OpenID; the phishing issue is one the industry as a whole
has to address."

I have been advised to use this PHP OpenID library:
http://openidenabled.com/php-openid/

We can carry it out when we get time or more developers. I am now developing
other features: adding "donation pledges" and "volunteers" support. Nicodemo
has already committed one patch.

task: http://savannah.nongnu.org/task/?6782

Antenore Gatta wrote:
> As agreed, this is my attempt to show why and how we should implement OpenID.
>
> First of all, it is important to recall what OpenID is:
>
> OpenID eliminates the need for multiple usernames across different
> websites, simplifying your online experience.
>
> OpenID is an open, decentralized, free framework for user-centric
> digital identity. OpenID takes advantage of already existing internet
> technology (URI, HTTP, SSL, Diffie-Hellman) and realizes that people
> are already creating identities for themselves whether it be at their
> blog, photostream, profile page, etc. With OpenID you can easily
> transform one of these existing URIs into an account which can be used
> at sites which support OpenID logins.
>
> Just try to remember how many accounts and passwords you have; if you
> are even able to remember how many accounts you have, that is already a
> success.
>
> - Why should we use OpenID?
>
> One reason is explained above, "eliminates the need for multiple
> usernames across different websites", but this is from a user point of
> view.
>
> Gnuherds should use OpenID because there are already over 160 million
> OpenID-enabled URIs out there, and because companies like Google, AOL,
> Microsoft, Sun, Novell, etc. are beginning to accept and provide OpenIDs.
>
> Nowadays single sign-on, single identity and so forth are a need; we
> cannot lose the train.
>
> Some people argue that OpenID is not safe; the answer is that it is not
> safe as other login systems are, it's just NOT more vulnerable than
> other authentication systems.
>
> The great advantage of OpenID, as it is open, is that you can have some
> OpenID providers and you can choose how and when to use each of them;
> you can build different identities and provide the data that you want
> when you want. At any moment you can choose "to throw away" one of your
> identities and unsubscribe at the same time from different service
> providers.
>
> Enabling Gnuherds to use OpenID will attract all of those people who are
> bored of having thousands of user accounts.
>
> - How we should use OpenID
>
> IMHO OpenID should be a login option; users must have the freedom to
> choose the OpenID method or the classical user/password way.
> This means that we should add a table that maps users and OpenID URIs.
>
> 1. The user chooses how to log in
>
> If he chooses the normal way, nothing changes.
> If he/she uses the OpenID way...
>
> 2. Server checks to see if the OpenID is a delegate, if so, it finds
> the source OpenID server and redirects the user as appropriate (i.e.
> to login and to allow access).
> 3. The OpenID will redirect the user back to our server
> 4. Our server will now run a callback to the OpenID server which
> authenticates the whole process.
> 5. If the OpenID responds with 'ok', we'll proceed, otherwise, there
> was some problem with the log in process.
>
> In this way we can keep control over who accesses Gnuherds and how, and
> turn off OpenID if we find that OpenID is not safe (at a particular
> moment).
> Imagine that a provider is under attack or is no longer trusted
> (by us or by the community); we can:
> * Decide to remove the untrusted provider.
> * Send an email to everybody who is mapped with that provider and doesn't
>   have a normal account, with instructions on what to do.
> * Send an email to everybody who is mapped with that provider and who also
>   has a normal account, with instructions on what to do.
>
> I hope that I was clear enough; please feel free to add any comments
> and/or ask any questions.
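
The user/OpenID mapping table and the "remove an untrusted provider" step proposed in the quoted message, as an added sketch that is not part of the thread or of the Gnuherds code base. Table names, columns and sample rows are assumptions; the OpenID verification itself (steps 2 to 4) is left to the OpenID library and enters here only as the `verified_ok` flag.

```python
import sqlite3

# Hypothetical schema: each OpenID URI is bound to one user and to the
# provider endpoint that asserted it when the mapping was created.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, password_hash TEXT);
CREATE TABLE providers (endpoint TEXT PRIMARY KEY, trusted INTEGER NOT NULL DEFAULT 1);
CREATE TABLE user_openid (
    openid_uri TEXT PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id),
    endpoint TEXT NOT NULL REFERENCES providers(endpoint));
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed sample data.
    conn.executemany("INSERT INTO users VALUES (?,?,?)", [
        (1, "alice@example.org", None),                 # OpenID only
        (2, "bob@example.org", "hash-placeholder"),     # also has a password
        (3, "carol@example.org", None)])
    conn.executemany("INSERT INTO providers VALUES (?,1)",
                     [("https://op-a.example/",), ("https://op-b.example/",)])
    conn.executemany("INSERT INTO user_openid VALUES (?,?,?)", [
        ("https://alice.example/", 1, "https://op-a.example/"),
        ("https://bob.example/", 2, "https://op-a.example/"),
        ("https://carol.example/", 3, "https://op-b.example/")])
    return conn

def openid_login(conn, claimed_uri, endpoint, verified_ok):
    """Step 5: return the mapped user id, or None if the login is refused."""
    if not verified_ok:          # the provider did not answer 'ok'
        return None
    row = conn.execute(
        "SELECT m.user_id FROM user_openid m JOIN providers p ON p.endpoint = m.endpoint "
        "WHERE m.openid_uri = ? AND m.endpoint = ? AND p.trusted = 1",
        (claimed_uri, endpoint)).fetchone()
    return row[0] if row else None

def distrust_provider(conn, endpoint):
    """Turn a provider off; return (openid_only, has_password) e-mail lists."""
    conn.execute("UPDATE providers SET trusted = 0 WHERE endpoint = ?", (endpoint,))
    rows = conn.execute(
        "SELECT u.email, u.password_hash IS NOT NULL FROM users u "
        "JOIN user_openid m ON m.user_id = u.id WHERE m.endpoint = ? ORDER BY u.email",
        (endpoint,)).fetchall()
    return ([e for e, pw in rows if not pw], [e for e, pw in rows if pw])
```

The two lists returned by `distrust_provider` correspond to the two e-mail groups in the proposal: users who can no longer log in at all, and users who can fall back to their password.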