Microsoft’s First Step In Accepting OpenID SignOns - HealthVault

via TechCrunch by Jason Kincaid on 6/23/08

Over 16 months after first declaring its support for the OpenID authentication platform, Microsoft has finally implemented it for the first time, allowing for OpenID logins on its Health Vault medical site. Unfortunately, Health Vault will only support authentication from two OpenID providers: Trustbearer and Verisign. Whatever happened to the Open in OpenID?

The rationale behind the limited introduction is that health is sensitive, so access should be limited to the few, most trusted OpenID providers. It certainly makes sense, but it also serves to underscore one of the problems inherent to OpenID: security.

The text-based passwords found scattered across the web simply aren’t very good for protection. We’ve heard countless tales of hacked or phished passwords leading to identity theft - what happens when a user’s entire web presence (including financial and health data) is tied to a single password? It’s a recipe for disaster.

To remedy the issue, a number of companies have come up with different ways to improve security. Trustbearer requires users to provide a physical ID “token” to verify their identity (users can order a $40 USB stick if they don’t already have one of the acceptable ID cards). Vidoop offers a free browser-based image authentication system that uses advertising to generate revenue. And so on.

With every new security measure comes a new, subjective, stratification of the system. The promise of OpenID is a platform that “eliminates the need for multiple usernames across different websites, simplifying your online experience.” But by only accepting “secure” OpenID providers, Microsoft has demonstrated that this system is by no means unified in its current form. Soon users will need to remember their “secure” OpenID, along with their “normal” credentials. And what happens when another provider comes along with an “uber-secure” ID, forcing users to remember yet another login?

There are a number of companies besides Microsoft that could be criticized for their slow or poor implementation of OpenID - Google, which has become an OpenID provider through its Blogger property, has yet to implement the platform on any of its flagship services. But it seems that the platform itself may be even more deserving of scrutiny. What good is a unified login when its default form will only be accepted on the least private and secure sites?


SourceForge Implements OpenID Technology - Primenewswire (press release)

via openid - Google News on 5/7/08

Primenewswire (press release), CA - 3 hours ago
OpenID is an open, decentralized, framework for digital identity that eliminates the need for multiple usernames across different websites. ...

SourceForge Now OpenID-Friendly - Mashable

via openid - Google News on 5/7/08

Mashable, CA - May 7, 2008
SourceForge, an immense base of open software development and discussion, today announces its newly instated mechanism for accepting OpenID users. ...

What Will Microsoft Do With Credentica?

via ReadWriteWeb by Bernard Lunn on 5/3/08

Anybody following Identity/Privacy today is rooting for OpenID. They look like the good guys and they have momentum. However the purchase of Credentica by Microsoft in March was below most people's radar screens. You would need a keen interest in Identity/Privacy and Cryptography to have taken notice, and you're already rooting for OpenID, so why even look at what the Beast of Redmond is doing? This must be an evil plan to suck us all into Hailstorm 2.0, right? Maybe not.

It might be worth giving Microsoft some benefit of doubt for a while. First, my CliffsNotes on why Identity/Privacy matters:

  1. To Publishers: You need to show Advertisers/Marketers that your audience/community has some spending power. And you need to personalize the content to make it more useful to your audience/community. You need to do both without giving out any private information that would annoy your audience/community and put them at risk of spammers and bad guys.
  2. To Advertisers/Marketers: You need to know whether the people reading/watching/listening to content have budgets to spend money. Without getting any private information that you might just possibly be tempted to use for some nefarious spamming campaign.
  3. To Users: There are things about you that you want to shout from the rooftops. And things you want to keep away from the eyes of people who might use it to harm you. But you also need to move around online from site to site without any registration hassle.

That was easy enough to write, but it is much more difficult to deliver. Squaring the privacy vs. personalization circle is hard. That's why nothing has yet hit the spot.

The privacy backlash has predictably got the politicians and regulators into the act. Yet, they might just make it worse. A ham-fisted regulation - most regulation related to technology is ham-fisted - would ruin the business for publishers and advertisers and probably be quite easy for the really bad guys to hack.

On top of that, some governments just love to know what all their citizens are doing and that is not always in the citizens' interests. Would you want your government as the repository of all citizen private data? ... That's what I thought!

So who would you trust? Microsoft? Hmm, they tried that with Hailstorm and had their heads handed to them. Maybe Google? After all they already know all your searches and you have to trust them not to use that to identify anything about you personally. And Google said "don't be evil" and we mostly think they included themselves in that injunction. But who knows, even good guys can be tempted or get bored and let the bad guys take over.

So the answer for most people would be "None Of The Above." Which implies that nothing will happen, the status quo will remain. But that is clearly not ideal. It means that your personal information is scattered across lots of sites, most of which will have relatively weak security, so that hackers can easily get it. Just like they did recently at Facebook.

Ok, let's test that. Who would you trust to store all your private information? Please vote in the poll below.

Who would you trust to store all your private information?

That's why Credentica is important. Look at this 5 minute video to understand the technology. I don't know anything about cryptography, but it appears that the people who do understand it believe that Credentica is technically secure.

So then it is a question of trust. What will Microsoft do with Credentica? Which is a question that nobody has the answer to. Although I am sure many people have opinions -- and feel free to leave them in the comments. Steve Ballmer, what's the deal? What do you have planned?

Quite possibly, Microsoft is still figuring it all out. They do have somebody called Kim Cameron who has been thinking about online identity longer and deeper than most. His bio says:

"Kim Cameron is Chief Architect of Identity in the Connected Systems Division at Microsoft, where he works on the evolution of Active Directory, Federation Services, Identity Lifecycle Manager, CardSpace and Microsoft's other Identity Metasystem products.

Kim joined Microsoft in 1999 when it bought the ZOOMIT Corporation. As VP of Technology at ZOOMIT, he had invented metadirectory technology and built the first shipping product. Before that he led ZOOMIT's development team in producing a range of SMTP, X.400, X.500, and PKI products.

Kim grew up in Canada, attending King's College at Dalhousie University and l'Université de Montréal. He has won a number of industry awards, including Digital Identity World's Innovation Award (2005), Network Computing's Top 25 Technology Drivers Award (1996) and MVP (Most Valuable Player) Award (2005), Network World's 50 Most Powerful People in Networking (2005), Microsoft's Trustworthy Computing Privacy Award (2007) and Silicon.com's Agenda Setters 2007.

Kim blogs at identityblog.com, where he published the Laws of Identity."

He's Canadian, so he can't be evil... and he says he is a "strong proponent of OpenID." (As you can hear/see here.)

So it doesn't look like Microsoft is planning to replace OpenID. Perhaps they just plan to make it secure.

OpenID has the right approach with multiple providers, but as Cameron points out, it is open to abuse by hackers and ID phishers. That is where OpenID's multiple providers have a branding/trust problem. Out in the wild, who knows the difference between MyVidoop, ClickPass, and EvilPhisher? (I made that last one up).

Credentica had/has a Java SDK. I hope Microsoft keeps this, while also offering a .Net equivalent. For many entrepreneurs the Java vs .Net decision is pretty immaterial, the decision comes down to skill availability. Keeping the Java SDK would increase trust a bit.

Microsoft will have to work hard to forge developer trust in this area. If they can win over developers they have a strong story to tell. The game will shift from just being an ID Provider to offering "secure ID" as a feature of your service. In other words, they will shift this "up the stack," which will be a threat to an ID Provider that plans to use that one feature to build a business, but maybe great for other entrepreneurs.


Spring (Acegi) Security 2.0 Adds OpenID Support, REST Capabilities, and Performance Improvements

Spring Security 2.0 has been released after almost two years of development. This new release replaces Acegi Security as the official security module for Spring applications and includes significant enhancements and new features. By Dionysios Synodinos

The search for Identity 2.0 - New Zealand Herald

via openid - Google News on 4/30/08

New Zealand Herald, New Zealand - Apr 30, 2008
The idea ties in closely with the OpenID movement which Hardt is involved in. OpenID allows web users to register with an OpenID provider and then use one ...

Updating WP-OpenID to support ID Selector

Posted Wednesday, 30 April 2008. Today I spent a few minutes modifying the WP-OpenID plugin to support JanRain’s ID Selector. I added OpenID support to billso.com last month. This page has more information about the OpenID single sign-on (SSO) system. Short story: OpenID lets users log in to a site with an ID they obtained on another web site. There are many different providers of OpenIDs, and many Internet users have not heard of t

SourceForge Allows OpenID Logins

If you use open source software then you’ve probably heard about SourceForge before. If you develop open source software then you’ve probably even used some of their infrastructure in the past. Today they’ve made it even easier to login to SourceForge with OpenID. SourceForge.net isn’t acting as an OpenID Provider but rather is accepting OpenID logins; this is a good thing and reinforces the trend of sites like Ma.gnolia only accepting OpenID logins. In their announcement OpenID on Source

4 Tech Blogs that are OpenID FAIL (and 1 that isn’t)

After last week’s post about taking a stand for OpenID, Kelly Guimont suggested a list of offenders; that is, tech blogs that don’t walk the OpenID walk. Here are four big tech blogs that fail, as well as one that’s doing things right: TechCrunch - no OpenID support. I sent a note to @TechCrunch on Twitter and didn’t receive a response. Web Worker Daily - no OpenID support. I asked a question (appropriately enough in a post about OpenID) and received this answer: Aaron, thanks for the sugges
 
