
ID Silos Call Out for a Trusted Third Party

Written by Greg Hughes
7/23/2008 4 comments

Word on the street is that MySpace is soon going to be an OpenID issuer for all its user accounts, in much the same way that Yahoo enabled its accounts several months ago. With the MySpace news and several intervening conversations I've had since the Yahoo announcement, I'm becoming more and more concerned that the great idea that is OpenID is at risk.

Don't get me wrong -- I think it's terrific that MySpace and Yahoo and others are on board. You have to start somewhere, and MySpace has indicated it may become a relying party in the future, so it's not all bad. And adoption by the industry's big players is critical to OpenID's future success and to the realization of all that OpenID can provide.

Perhaps it's a bit of a Catch-22, though: In order to get a standard off the ground, you have to get the buy-in of some heavy hitters, and when they do, you have to hope the standard meets their needs, or is flexible enough to accommodate them without disrupting the way everyone else has already adopted it.

MySpace says it plans to join the OpenID crowd as a provider only. In other words, like Yahoo, it won't trust other OpenID providers when it comes time for you to log in to its site. While I understand the business reasons for this, the concept and dream of an Internet-based single sign-on in a secure, trusted environment only works if the "trust" side of the equation works and gets adopted.

By the way, if you’re new to OpenID, here's a quick visual primer that I recommend. It's helpful in understanding the difference between a provider and a relying party, among other things.

The concept behind OpenID is one username and password for every Web site accessed. When big companies create identity silos, single sign-on gets squashed.

I've questioned before whether trust for business use is really viable to expect from OpenID. For large Internet companies and classic businesses such as banks, identity is everything, and any identity system must be substantially proven, sound, and well secured. Many businesses that require strong authentication, such as banks, have concluded that OpenID on its own probably doesn't fit the bill: it would require some form of stronger authentication on the back end to provide the level of security required for that kind of trust.

It's also important to point out that authentication and identification are two different things. I can assert my identity to you by passing along some information, but you can also choose whether to trust what I assert, and whether to verify the information. Ask yourself this: If you receive some information about me as part of a login process, how do you know it's actually me that's sending it, and not a criminal pretending to be me, trying to access my account? That's where authentication comes in. I have to prove somehow that it is, in fact, me. This is typically done with information (a "shared secret") that only you and I know, or with other factors, such as security tokens.
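The "trust side" a relying party has to implement, and the idea that a shared secret is what turns an asserted identity into an authenticated one, can both be made concrete with the check a relying party performs when an OpenID 2.0 provider sends a user back with a signed login assertion. The following is an added example written for this post; it is not code from the post or from any OpenID library. It follows the OpenID Authentication 2.0 specification (key-value form and HMAC signing in section 6, required signed fields in section 10.1, nonce handling in section 11), but MAC_KEY, RETURN_TO, OP_ENDPOINT, the association handle and the sample identities are constructed for the example.

```python
"""Relying-party side of an OpenID 2.0 login: verifying a positive assertion.

Added example, not code from the original post. After the user authenticates
at the provider (OP), the OP redirects the browser back to the relying party's
return_to URL carrying an assertion signed with the MAC key the two sides share
(their "association"). The RP trusts the claimed identity only after it
recomputes that MAC, checks that the security-relevant fields are covered by
the signature, matches return_to and rejects a reused response_nonce.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed association secret. In a real deployment it comes from the
# association handshake with the OP (or the RP falls back to check_authentication).
MAC_KEY = bytes(range(32))
RETURN_TO = "https://rp.example.com/openid/return"   # constructed RP address
OP_ENDPOINT = "https://op.example.net/server"        # constructed OP address


def key_value_form(params, signed):
    """'name:value\\n' for every name in openid.signed, in that order,
    with names given without the 'openid.' prefix (spec section 6.1)."""
    return "".join(f"{name}:{params['openid.' + name]}\n"
                   for name in signed.split(",")).encode("utf-8")


def signature(params, signed, mac_key):
    """HMAC-SHA256 (association type HMAC-SHA256) over the key-value form, base64-encoded."""
    mac = hmac.new(mac_key, key_value_form(params, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def make_sample_assertion(mac_key, claimed_id="https://alice.example.org/",
                          nonce="2008-07-23T20:48:31Zabc123"):
    """The provider side: a constructed positive assertion signed with mac_key."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": "assoc-constructed-0001",
    }
    signed = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"
    params["openid.signed"] = signed
    params["openid.sig"] = signature(params, signed, mac_key)
    return params


def build_redirect_url(params):
    """The URL the OP redirects the browser to (assertion carried in the query string)."""
    return params["openid.return_to"] + "?" + urlencode(params)


def params_from_url(url):
    """Flatten the query string of the redirect the browser delivered to the RP."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def verify_assertion(params, mac_key, seen_nonces, expected_return_to=RETURN_TO):
    """Return (ok, claimed_id) on success or (False, reason). seen_nonces is the
    RP's replay store; a nonce is recorded only once the signature has checked out."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if params.get("openid.return_to") != expected_return_to:
        return False, "return_to mismatch"
    signed = params.get("openid.signed", "")
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
    required |= {n for n in ("claimed_id", "identity") if "openid." + n in params}
    if not required <= set(signed.split(",")):
        return False, "security-relevant field not covered by signature"
    try:
        expected = signature(params, signed, mac_key)
    except KeyError:
        return False, "signed list names a field that is missing"
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        return False, "bad signature"
    nonce = params["openid.response_nonce"]
    if nonce in seen_nonces:
        return False, "replayed response_nonce"
    seen_nonces.add(nonce)
    return True, params["openid.claimed_id"]


if __name__ == "__main__":
    redirect = build_redirect_url(make_sample_assertion(MAC_KEY))
    print(verify_assertion(params_from_url(redirect), MAC_KEY, set()))
```

The point of the check is that nothing in the assertion is taken on faith: the claimed identity only counts once the MAC computed with the provider's shared secret matches, and that is exactly why the relying party has to decide in advance which providers it is willing to associate with. Yahoo or MySpace acting as provider only means they never run this side of the exchange.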

Which brings me to what I think is an important question: What is the one company or organization that everyone would likely trust to authenticate OpenID users?

To help answer this question, I asked around. In huge numbers, people answered much the same way I would: "Visa," they told me. Some also suggested American Express or Mastercard. A couple of larger banks were mentioned, too. A few said "the government" but changed their minds later. Still, the tilt toward financial services companies was unmistakable.

Why? These companies already have large, proven, secure identity systems that work and brands that consumers trust, plus active anti-fraud measures aimed at stopping fraudulent activity. Credit cards are accepted everywhere because merchants trust Visa to handle their payment transactions, based on experience. MySpace trusts Visa for financial transactions, and so does Yahoo. Visa already has the ability to authenticate me. Why should Visa be interested? Simple: having the Visa name associated with every login or online transaction is great for its brand identity and prominence.

OpenID can be the single sign-on infrastructure that allows end-user management of personal information, while being backed up by a few key, trusted identity providers. That would ensure our OpenIDs have the strength and backing that would allow merchants and other Internet sites to trust their authenticity.

I don't pretend to believe that there is "one right way" to create trust among users, e-businesses, and Website operators. There are some great companies out there commercializing OpenID and helping people implement it, so there's more than one way to solve this problem. Is Visa the best third party to make this happen? Should we wait for a series of bilateral trust agreements among AOL, Google, Microsoft, MySpace, Yahoo, and others? Write us here or post your suggestion on the message board below.

— Greg Hughes, independent IT security consultant and blogger

This blog is part of Internet Evolution’s Security Clan, which looks at the present and future threats to Internet security and the methods being used to defend and protect users and organizations. Register here to join the Security Clan, and you might become eligible to win one of our limited edition T-shirts, or maybe a taser gun – just the thing to keep that DDoS and XSS malware at bay.

Greg Hughes
Thinkernetter
Wednesday July 23, 2008 4:48:31 PM
no ratings

You said:

I signed on way early for a webcast/panel discussion that is taking place today which covers hot Enterprise/Web 2.0 topics and I've been knocked off my feet by how state of the art the user interface is of this "medium" previously.

Ahh - Alas, Web 2.0 and state-of-the-art are not synonymous when it comes to proper security architecture. We have a long way to go in teaching good dev architecture and practices.

Greg Hughes
Thinkernetter
Wednesday July 23, 2008 4:45:39 PM
no ratings
Yes, if and when the big players already involved start to trust, things should change. The participants so far are a good start. Still, I'd like to see a player join that is already established as a trusted part of existing relationships. Not instead of, but in addition to, the current players.
Mr. Roques
Researcher
Wednesday July 23, 2008 2:02:21 PM

On June 30th, InternetEvolution hosted a seminar called: Managing Personal Identity on the Internet (You can watch it from the Webinar Archive I linked to). It was about OpenID and how it's affecting, and will continue to affect, the Internet.

It gives a nice perspective on what's going on!

Regarding the MySpace announcement, I think that will help the OpenID cause a lot. Not because of the users it adds to the already big OpenID space, but because MySpace desperately needs to offer new things to keep (and maybe increase?) their users.

By offering OpenID and maybe becoming a symmetric service (issue and accept), they can put pressure on the other big companies to follow them.

jwallace
IQ Crew
Wednesday July 23, 2008 12:40:03 PM
no ratings

That sounds great! I hope I am an early adopter (hearer) of this initiative. Maybe that would solve a problem that I encountered today (I feel so EXPOSED!!).

I signed on way early for a webcast/panel discussion that is taking place today which covers hot Enterprise/Web 2.0 topics and I've been knocked off my feet by how state of the art the user interface is of this "medium" previously.

I came to a screeching halt, however, when I noticed this red flag (below) in the URL parameters in my browser:

http://anonymous.xoxo.com/log_thru.jsp?user=micCheck1&pass=micCheck2&seid=xxxx&id=

WAS THAT LOUD ENOUGH?

If I wore a hat, that hat would have a hole in it big enough where it would seem like I was wearing a visor around my neck.

Since I don't wear a hat, I'm not sure as to whether there is a probability of the above URL being indexed somewhere, somehow. And if that is not possible, someone walking by just might see that info if the window wasn't minimized, thus a vulnerability still exists...yeah?

I'm all for OpenID and I hope it catches on in a fail-safe/secure fashion fast.

P.S. Can you request that it (web service?) houses a profile template also, so it can automagically populate the profile details on any site that I choose to register/log in at?
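The URL the commenter above noticed carries a password and a session identifier in the query string, which is exactly the kind of thing that ends up in browser history, proxy and web-server access logs, and Referer headers sent to the next page. The following is an added example, not code from the post or from any site mentioned in it, showing what a defender can do about it: scan access-log lines for credential-bearing query parameters (in both the request line and the Referer) and redact them before the log is stored or shared. The log lines are constructed in Apache combined format, modelled on the commenter's URL with the host replaced by example.com; the SENSITIVE parameter list is an assumption to be tuned for the application in question.

```python
"""Find and redact credentials carried in URL query strings in access logs.

Added example, not from the original post. Passwords and session ids in GET
parameters are written to server logs, proxies, browser history and Referer
headers; this scanner flags such requests so the application can be fixed
(POST body or a proper session cookie) and redacts the values in the log copy.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumed list of parameter names that must never appear in a query string.
SENSITIVE = {"pass", "password", "passwd", "pwd", "secret", "token",
             "seid", "sessionid", "sid", "apikey"}

# Apache/nginx "combined" log format: ip ident user [time] "METHOD target PROTO" status size "referer" ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)")?'
)

# Constructed sample lines; the first two mirror the commenter's login URL.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jul/2008:12:40:03 -0400] '
    '"GET /log_thru.jsp?user=micCheck1&pass=micCheck2&seid=xxxx&id= HTTP/1.1" 302 0 "-"',
    '203.0.113.5 - - [23/Jul/2008:12:40:04 -0400] '
    '"GET /home.jsp HTTP/1.1" 200 5120 '
    '"http://www.example.com/log_thru.jsp?user=micCheck1&pass=micCheck2&seid=xxxx&id="',
    '198.51.100.7 - - [23/Jul/2008:12:41:10 -0400] "POST /login HTTP/1.1" 200 812 "-"',
]


def credential_params(url):
    """Names of sensitive parameters present in the query string of url (sorted)."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE})


def redact(url):
    """Same URL with the values of sensitive parameters replaced; other parameters are kept."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(pairs)).geturl()


def scan(lines):
    """One finding per place (request line or Referer) where credentials were logged."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a production scanner would count these
        for where, url in (("request", m["target"]), ("referer", m["referer"] or "")):
            hits = credential_params(url)
            if hits:
                findings.append({"ip": m["ip"], "time": m["ts"], "where": where,
                                 "path": urlsplit(url).path, "params": hits})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
    print(redact("/log_thru.jsp?user=micCheck1&pass=micCheck2&seid=xxxx&id="))
```

The second sample line is the one worth noticing: the credentials are gone from the request itself, but the page that received them is now the Referer of the next request, so a log that only inspects request lines would miss it. Redaction only limits the damage in the logs; the fix is for the application to stop accepting credentials in the query string at all.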

Copyright © 2009 United Business Media Limited - All rights reserved.