
ID Silos Call Out for a Trusted Third Party

Written by Greg Hughes
7/23/2008 4 comments

Word on the street is that MySpace is soon going to be an OpenID issuer for all its user accounts, in much the same way that Yahoo enabled its accounts several months ago. With the MySpace news and several intervening conversations I've had since the Yahoo announcement, I'm becoming more and more concerned that the great idea that is OpenID is at risk.

Don't get me wrong -- I think it's terrific that MySpace and Yahoo and others are on board. You have to start somewhere, and MySpace has indicated it may become a relying party in the future, so it's not all bad. And adoption by the industry's big players is critical to OpenID's future success and to realizing all that OpenID can provide.

Perhaps it's a bit of a Catch-22, though: In order to get a standard off the ground, you have to get the buy-in of some heavy hitters, and once they sign on, you have to hope the standard meets their needs, or is flexible enough to accommodate them without disrupting how everyone else out there has already adopted it.

MySpace says it plans to join the OpenID crowd as a provider only. In other words, like Yahoo, it won't trust other OpenID providers when it comes time for you to access its site. While I understand the business reasons for this, the concept and dream of an Internet-based single sign-on in a secure, trusted environment only works if the "trust" side of the equation works and gets adopted.

By the way, if you’re new to OpenID, here's a quick visual primer that I recommend. It's helpful in understanding the difference between a provider and a relying party, among other things.

The concept behind OpenID is one username and password for every Web site accessed. When big companies create identity silos, single sign-on gets squashed.

I've questioned before whether it's realistic to expect OpenID to deliver the trust that business use requires. For large Internet companies and classic businesses such as banks, identity is everything, and any identity system must be substantially proven, sound, and well secured. Many businesses that require strong authentication, such as banks, have concluded that OpenID on its own probably doesn't fit the bill: it would require some form of stronger authentication on the back end to provide the level of security that kind of trust demands.

It's also important to point out that authentication and identification are two different things. I can assert my identity to you by passing along some information, but you can also choose whether to trust what I assert, and whether to verify the information. Ask yourself this: If you receive some information about me as part of a login process, how do you know it's actually me that's sending it, and not a criminal pretending to be me, trying to access my account? That's where authentication comes in. I have to prove somehow that it is, in fact, me. This is typically done via a process based on detailed information (called "shared secrets") that only you and I know, or on other factors, such as security tokens.
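The two decisions in this paragraph, whether to trust whoever is vouching and whether to verify what they assert, map directly onto what an OpenID 2.0 relying party does with a provider's signed assertion. The following is an added example, not code from the original post; the trusted-provider list, the association key and the sample message are constructed, and it assumes an HMAC-SHA1 association (the shared secret) already exists between the relying party and the provider.

```python
import base64
import hashlib
import hmac
# Constructed: providers this relying party is willing to accept assertions from.
TRUSTED_OP_ENDPOINTS = {"https://op.example.net/server"}
# OpenID 2.0 requires these fields to be covered by the signature; claimed_id and
# identity must also be covered whenever they appear in the response.
ALWAYS_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
SIGNED_IF_PRESENT = {"claimed_id", "identity"}

def kv_form(params, signed_fields):
    """Key-value form of the signed fields: 'name:value\\n' per field, in openid.signed order."""
    return "".join(f"{name}:{params['openid.' + name]}\n" for name in signed_fields)

def sign_assertion(params, mac_key):
    """Provider side: add openid.sig over the fields listed in openid.signed (HMAC-SHA1 association)."""
    signed = params["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(params, signed).encode("utf-8"), hashlib.sha1).digest()
    return {**params, "openid.sig": base64.b64encode(mac).decode("ascii")}

def verify_assertion(params, mac_key):
    """Relying-party side: (ok, reason). Two decisions the post separates: do we trust
    the vouching provider at all, and does the shared-secret signature actually verify."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    op = params.get("openid.op_endpoint")
    if op not in TRUSTED_OP_ENDPOINTS:
        return False, f"untrusted provider: {op}"
    signed = params.get("openid.signed", "").split(",")
    required = ALWAYS_SIGNED | {f for f in SIGNED_IF_PRESENT if "openid." + f in params}
    missing = required - set(signed)
    if missing:
        return False, f"critical fields not covered by signature: {sorted(missing)}"
    try:
        expected = hmac.new(mac_key, kv_form(params, signed).encode("utf-8"), hashlib.sha1).digest()
        presented = base64.b64decode(params["openid.sig"], validate=True)
    except (KeyError, ValueError):
        return False, "malformed signature"
    # Constant-time comparison so a forged signature cannot be refined byte by byte.
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "verified"
# Constructed sample: a provider's positive assertion, signed with a constructed association key.
SAMPLE_MAC_KEY = b"constructed-association-mac-key"
SAMPLE_ASSERTION = sign_assertion({
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example.net/server",
    "openid.claimed_id": "https://alice.example.net/",
    "openid.identity": "https://alice.example.net/",
    "openid.return_to": "https://rp.example.org/openid/return",
    "openid.response_nonce": "2008-07-23T16:45:39Zconstructed",
    "openid.assoc_handle": "assoc-constructed-001",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}, SAMPLE_MAC_KEY)
```

A real relying party additionally checks that `return_to` matches its own URL, that the nonce has not been seen before, and that the asserted identifier really is served by the given provider (discovery); those steps are out of scope here.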

Which brings me to what I think is an important question: What is the one company or organization that everyone would likely trust to authenticate OpenID users?

To help answer this question, I asked around. In huge numbers, people answered much the same way I would: "Visa," they told me. Some also suggested American Express or Mastercard. A couple of larger banks were mentioned, too. A few said "the government" but changed their minds later. Still, the tilting toward financial services companies was unmistakable.

Why? These companies already have large, proven, secure identity systems that work and brands that consumers trust, plus active anti-fraud measures aimed at stopping bad activity. Credit cards are accepted everywhere because merchants trust Visa to handle their payment transactions, based on experience. MySpace trusts Visa for financial transactions, and so does Yahoo. Visa already has the ability to authenticate me. Why should Visa be interested? Simple: for the Visa name to be associated with every login or online transaction is great for its brand identity and prominence.

OpenID can be the single sign-on infrastructure that allows end-user management of personal information, while being backed up by a few key, trusted identity providers. That would ensure our OpenIDs have the strength and backing that would allow merchants and other Internet sites to trust their authenticity.

I don't pretend to believe that there is "one right way" to create trust among users, e-businesses, and Web site operators. There are some great companies out there commercializing OpenID and helping people implement it, so there's more than one way to solve this problem. Is Visa the best third party to make this happen? Should we wait for a series of bilateral trust agreements among AOL, Google, Microsoft, MySpace, Yahoo, and others? Write us here or post your suggestion on the message board below.

— Greg Hughes, independent IT security consultant and blogger

This blog is part of Internet Evolution’s Security Clan, which looks at the present and future threats to Internet security and the methods being used to defend and protect users and organizations. Register here to join the Security Clan, and you might become eligible to win one of our limited edition T-shirts, or maybe a taser gun – just the thing to keep that DDoS and XSS malware at bay.

Greg Hughes
Thinkernetter
Wednesday July 23, 2008 4:48:31 PM
no ratings

You said:

I signed on way early for a webcast/panel discussion that is taking place today which covers hot Enterprise/Web 2.0 topics and I've been knocked off my feet by how state of the art the user interface is of this "medium" previously.

Ahh - Alas, Web 2.0 and state-of-the-art are not synonymous when it comes to proper security architecture. We have a long way to go in teaching good dev architecture and practices.

Greg Hughes
Thinkernetter
Wednesday July 23, 2008 4:45:39 PM
no ratings
Yes, if and when the big players already involved start to trust, things should change. The participants so far are a good start. Still, I'd like to see a player join that is already established as a trusted part of existing relationships. Not instead of, but in addition to, the current players.
Mr. Roques
Researcher
Wednesday July 23, 2008 2:02:21 PM

On June 30th, InternetEvolution hosted a seminar called Managing Personal Identity on the Internet (you can watch it from the Webinar Archive I linked to). It was about OpenID and how it's affecting, and will continue to affect, the Internet.

It gives a nice perspective on what's going on!

Regarding the MySpace announcement, I think that will help the OpenID cause a lot. Not because of the users it adds to the already big OpenID space, but because MySpace desperately needs to offer new things to keep (and maybe increase?) their users.

By offering OpenID and maybe becoming a symmetric service (issue and accept), they can put pressure on the other big companies to follow them.

jwallace
IQ Crew
Wednesday July 23, 2008 12:40:03 PM
no ratings

That sounds great! I hope I am an early adopter (hearer) of this initiative. Maybe that would solve a problem that I encountered today (I feel so EXPOSED!!).

I signed on way early for a webcast/panel discussion that is taking place today which covers hot Enterprise/Web 2.0 topics and I've been knocked off my feet by how state of the art the user interface is of this "medium" previously.

I came to a screeching halt when I noticed this (below) red flag in the URL parameter within my browser however:

http://anonymous.xoxo.com/log_thru.jsp?user=micCheck1&pass=micCheck2&seid=xxxx&id=

WAS THAT LOUD ENOUGH?

If I wore a hat, that hat would have a hole in it big enough where it would seem like I was wearing a visor around my neck.

Since I don't wear a hat, I'm not sure whether there is a probability of the above URL being indexed somewhere, somehow. And if that is not possible, someone walking by just might see that info if the window wasn't minimized, thus a vulnerability still exists...yeah?

I'm all for OpenID and I hope it catches on in a fail-safe/secure fashion fast.

P.S. can you request that it(web service?) houses a profile template also so it can automagically populate the profile details on any site that I choose to register/log in at?
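Credentials carried in a URL query string, as in the log_thru.jsp URL quoted in the comment above, are copied into browser history, proxy and Web server access logs, and Referer headers, which is why the exposure outlives the login page. As an added example, not part of the comment or of the site being discussed, the following scans Common Log Format lines for such parameters and produces a redacted copy that is safe to retain; the parameter-name list, the sample log lines, and treating `seid` as a session identifier are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed list of query parameter names that should never carry a value in a URL;
# seid is included on the assumption that it is a session identifier, as in the quoted URL.
SENSITIVE_PARAMS = {"user", "username", "login", "pass", "password", "passwd", "pwd",
                    "token", "seid", "sessionid", "jsessionid"}

# The request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def sensitive_params(target):
    """Return the sorted sensitive parameter names present in a request target's query string."""
    names = {k.lower() for k, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_PARAMS)

def redact_target(target):
    """Replace the values of sensitive parameters so the request line can be kept in logs."""
    parts = urlsplit(target)
    pairs = [(k, "[REDACTED]" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))

def scan_access_log(text):
    """Return (line_number, hit_names, redacted_line) for every line exposing credentials."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = sensitive_params(m.group("target"))
        if hits:
            redacted = line[:m.start("target")] + redact_target(m.group("target")) + line[m.end("target"):]
            findings.append((n, hits, redacted))
    return findings

# Constructed sample log lines; the first mirrors the URL quoted in the comment.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [23/Jul/2008:12:40:03 -0400] "GET /log_thru.jsp?user=micCheck1&pass=micCheck2&seid=xxxx&id= HTTP/1.1" 302 0
203.0.113.7 - - [23/Jul/2008:12:40:05 -0400] "GET /webcast/room.jsp?room=panel HTTP/1.1" 200 5123
198.51.100.2 - - [23/Jul/2008:12:41:10 -0400] "POST /login HTTP/1.1" 200 88
"""
```

The fix for the application itself is to move the login to a POST body over HTTPS; the scanner only limits how far the already-logged values spread.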
