Archive for August, 2008

mixi Supports OpenID with the Simple Registration Extension

Monday, August 25th, 2008

Last week mixi, the largest social network in Japan, became an OpenID Provider for all of their fifteen million-plus users; one in five Japanese web users are on mixi. While they are another large OpenID Provider — which some argue is a bad thing — they are the first large OpenID Provider to also support exchanging profile information. Early adopters using OpenID Providers such as MyOpenID.com, MyVidoop.com, and VeriSign’s PIP have been able to exchange profile information with the Simple Registration Extension for well over a year, but this is an important step forward, with larger OpenID Providers seeing the value in exchanging profile information as well. This means that when a mixi user logs in to a site using their OpenID, the site is able to request access to things from their profile like their name.

Earlier today, ReadWriteWeb wrote more in “Mixi Brings Sophisticated OpenID to Millions of Japanese Users”, asking why Facebook isn’t using OpenID for their Connect APIs and providing a good overview of why mixi adopting OpenID with Simple Registration is helping to push the envelope:

The moral of the story, though, is that another major social network now supports OpenID and is pushing the envelope with the features included. They aren’t acting as a relying party yet, allowing users to login with OpenID from other networks, but the functionality of Mixi user profiles has now increased dramatically thanks to open standards.

Along with mixi’s launch last week, Six Apart released a mixi commenting plugin for Movable Type. (Disclosure: I work for Six Apart.) This plugin allows mixi users to comment on Movable Type-powered blogs and have their name from their profile show up next to their comment.

All in all, great news for OpenID coming out of Japan!

Challenges facing OpenID

Sunday, August 10th, 2008

It’s been a busy week in the world of OpenID. On Friday Ben Laurie announced a security vulnerability around OpenID that relates to existing problems with DNS and certain SSL certificates. Discussions on the OpenID General mailing list have been fruitful, and the major OpenID providers out there today have disclosed that they are either not vulnerable or patching quickly. It should also be noted that none of the providers listed at openid.net/get were ever vulnerable to this attack.

One of the greatest parts of the OpenID community is that the people developing this technology react so quickly to problems that inevitably arise. There is no such thing as 100% secure with anything on the Internet, but we can (and have) put measures into place to react quickly as a community when issues like this occur.

OpenID faces two challenges to increasing adoption and use: security and usability. This afternoon, Randall Stross of the New York Times published his “Digital Domain” column criticizing OpenID on both of these points. It’s great to see people looking at security with regard to OpenID and asking the hard questions, and it also highlights a few common misconceptions:

·  Authentication is out of scope for OpenID: Because there is no silver bullet for security, the way you authenticate your OpenID is actually out of scope for the protocol. As such, you can use whatever level of security you want to protect your OpenID. We have seen vendors offer unique solutions like VeriSign’s VIP, JanRain’s CallVerifID and Vidoop’s ImageShield, created to provide alternatives to passwords for authenticating users’ OpenIDs. OpenID allows companies both large and small to experiment with ways to authenticate their users without requiring buy-in from sites across the Internet.

·  Information Cards solve a different problem than OpenID: In his article, Randall mentions how Information Cards are superior to OpenID in terms of authentication. In actuality, you can use an Information Card to secure your OpenID if you want, and there has been a lot of work on this within the OpenID community. VeriSign’s OpenID provider even supports Information Cards in addition to token-based authentication. Information Cards provide the means to securely authenticate you, assuming you have the technology installed on your machine. In addition, Information Cards lack the ability to take advantage of one of OpenID’s main strengths: the destination or URL that a user has proved they own. The potential for this end-point for services is limitless and may serve as one of the key components driving OpenID use: the ability to move data from somewhere on the Internet that you have proved you own.

·  Nobody is really adopting OpenID: I’m always surprised to hear people say that just because the big players are only OpenID providers (and not consumers) that we’re failing here. I always try to remind people that this technology is only three years old and we’ve made tremendous strides since its inception. Not only that, the latest graphs continue to show hyperbolic growth. These things take time, and again, security and usability will be key drivers to OpenID adoption moving forward.

I’m excited to see a lot of interesting efforts from the community to help with usability. Tom from Barnraiser.org has been doing a series of articles that describe some of these usability issues. We’ve seen community efforts such as Email Address to URL Translation, which allows users to enter their email addresses instead of URLs, and Identity in the Browser (IDIB), which is hoping to bake OpenID functionality (and increased security) into all of the modern browsers.

On the security front, we’re seeing traction in the development of the OpenID Provider Authentication Policy Extension (PAPE), which will help sites determine which providers they will trust based on the means of authentication the user has used to get access. Both Sxip and JanRain have implemented early prototypes of PAPE on their OpenID providers.
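How a site might apply PAPE on its side, as an added example that is not code from this post or from any OpenID library: it accepts an authentication policy only when the provider reported it in fields covered by `openid.signed`. The namespace and policy URIs are those of the PAPE 1.0 specification; the function names and sample assertions are constructed, and verification of the assertion signature itself is assumed to have been done already by the OpenID library in use.

```python
# Added example: relying-party check of PAPE fields in an OpenID 2.0
# positive assertion. Assumes the signature over the fields listed in
# openid.signed was already verified by the OpenID library in use.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"


def signed_pape_fields(params):
    """Return PAPE fields covered by openid.signed, keyed without the alias."""
    # The alias ("pape" by convention) is whatever the response binds to PAPE_NS.
    alias = next((k[len("openid.ns."):] for k, v in params.items()
                  if k.startswith("openid.ns.") and v == PAPE_NS), None)
    if alias is None:
        return {}
    signed = set(params.get("openid.signed", "").split(","))
    if "ns." + alias not in signed:
        return {}  # unsigned namespace declaration: ignore the extension
    prefix = "openid." + alias + "."
    return {k[len(prefix):]: v for k, v in params.items()
            if k.startswith(prefix) and k[len("openid."):] in signed}


def meets_policy(params, required):
    """True only if every required policy URI is in the signed auth_policies."""
    applied = set(signed_pape_fields(params).get("auth_policies", "").split())
    return set(required) <= applied


# Constructed sample assertions (not captured from any provider).
BASE = {
    "openid.mode": "id_res",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PHISHING_RESISTANT,
}
GOOD = dict(BASE, **{"openid.signed": "mode,ns.pape,pape.auth_policies"})
# Same fields, but the PAPE values were left out of openid.signed, so
# anyone relaying the response could have added or altered them.
UNSIGNED = dict(BASE, **{"openid.signed": "mode"})

if __name__ == "__main__":
    print("signed policy accepted:  ", meets_policy(GOOD, [PHISHING_RESISTANT]))
    print("unsigned policy accepted:", meets_policy(UNSIGNED, [PHISHING_RESISTANT]))
```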

We’ve got a long way to go here with OpenID and getting it to a point where it can stand in the face of criticism, but I’m confident in this community that has come together through the first three years to get where we are today. I still firmly believe the best is yet to come.

From openid.net/2008/08/, 26 October 2008