NetBSD® Program

NetBSD is where Theo de Raadt started before he went on to found the OpenBSD Project. NetBSD was started as a version of the original BSD because its founders believed there were many things that could be changed to benefit their customers. Many at the time believed that developing in-house without outside assistance was the wise choice, but the men who started this project insisted on taking input from their open source community. The people who submitted changes were given the credit they deserved, and these four men worked hard on the clear coding they wanted to see and on the portability they believed was necessary across every kind of computer in use. They knew that the world of computing would change, but not how much. The only way to respond was to make their system secure.


Portability

The portability of the NetBSD system became its hallmark, as it has run on a great many computing platforms over the years. The men who started the project wanted to reach everything from someone’s homemade machine to the minicomputers that were popular at the time. Each step taken to reach new users was a way to reach the world at large, and they kept working on portability while writing code that was easier to read. Questions about adapting the system to new hardware were addressed promptly, because the NetBSD team wanted their technology to have as many different applications as possible. That portability opened up many uses for the system, and the founders eventually split over the direction of their project and their brand.

Building In Third Party Software

The portability of the platform was only the beginning of what they wanted to do. Many new software applications were appearing that could be used with a system such as this, and anyone wondering how third-party software could be adapted to it could use the package-source additions that were made to the NetBSD platform. This is what made the system useful to anyone who wanted to be even more adaptable in their own programming work, and anyone who wished to change the platform could do so, because it has been open source from the beginning.

Virtualization became part of NetBSD because it let the project expand the storage available to each user that much further. They moved quickly to offer the best storage to all their users, and their work in virtualization put them on the cutting edge of that field.

Ditch the Paper, Go Digital

You’re online browsing job boards, searching for the perfect employment opportunity. After hours of clicking on different links and reading multiple job descriptions and requirements, you finally find the one that feels just right for you. From there, you venture to the company website to fill out and submit the application. While completing the form, you notice a section asking you to input your certifications and any other credentials you may have.


However, you know that all of your credentials are still in paper format inside an envelope somewhere in your office or in a closet. You are now faced with the painstaking task of digging out that dusty folder, scanning each document into your computer, and converting them to PDF files in order to upload them to the application form.

Wouldn’t it be so much easier if you were able to keep all of your certifications on a digital platform and keep them with you virtually anywhere? That is essentially what digital credentials are.

Today is Digital

The world we live in today is run by technology. We practically live in our computers and cell phones. Most people today hold a plethora of important documents, such as driver’s licenses, passports, college degrees, membership certificates, and work-related certifications. Digital credentials give people a way to hold those credentials digitally and go paperless. They are displayed as badges that represent the skills, achievements, and certifications behind them. The use of digital credentials or badges is becoming widely recognized by most companies as a way to present qualifications to clients.

Anonymous Credentials

The digital world can be an unsafe place, with the risk of losing all of your personal information to hackers and identity thieves. When it comes to using digital credentials, there is an option to do so anonymously. Users should be able to obtain credentials and show properties of them without revealing any additional information or allowing tracking.

The main idea behind anonymous credentials is the use of digital tokens that allow the user to prove certain statements about themselves privately, without leaking any sensitive information. The paper form of most credentials, e.g. passports, driver’s licenses, and medical cards, carries sensitive user information such as name, birth date, a photo, and a signature. These are non-anonymous credentials. Anonymous credentials include items such as money, a plane ticket, or game tokens, because they carry no identifying information.

Due to the fact that anonymous credentials have no personal identifying information, they can be shared amongst other users without the original issuer of the item being notified. For example, you can buy a plane ticket to Las Vegas and give it to your friend and the airline would be none the wiser. However, if someone uses a credit card that’s in your name, the credit card company may notify you about unknown charges.

Regardless of your stance on today’s technological advances, digital and anonymous credentials are becoming established in society as a standard form of proof of eligibility.

Rivest-Shamir-Adleman (RSA): A Cryptosystem

The RSA cryptosystem is one of the first of many public-key cryptography algorithms. It uses prime factorization as its one-way function, more precisely a trapdoor one-way function: the fixed public key defines a function that is easy to compute but hard to invert without the private key, which serves as the trapdoor.


RSA: A History

The RSA cryptosystem was a new concept brought about in 1976 by Whitfield Diffie and Martin Hellman. Along with RSA, Diffie and Hellman also introduced the idea of digital signatures. Their number theory consisted of a shared secret key formed through the exponentiation of prime numbers. Unfortunately, they could not complete the equation due to the use of one-way functions, most likely because, at the time, factoring was an arduous process that was not fully studied or practiced. Over the next year, three men known as Ron Rivest, Adi Shamir, and Leonard Adleman, all of whom studied at the Massachusetts Institute of Technology, put in a great many hours and made numerous attempts to design a one-way function that could not be inverted. In April of 1977, Rivest, Shamir, and Adleman finally completed what is now known as RSA, named as a tip of the hat to its creators.

In September of 1983, MIT was granted the patent for “Cryptographic communications system and method”, which used the RSA algorithm. The patent was issued for a 17-year term, which meant it would expire in September of 2000. However, MIT released the algorithm for public use two weeks before the patent expired. Since the algorithm was made public, it was granted a U.S. patent; otherwise, obtaining a patent would not have been possible.

How does RSA work?

The RSA cryptosystem requires four different processes: key generation, key distribution, encryption, and decryption. Key generation is the step in which the public and private keys are created. The public key is used for encrypting messages and confidential information and can be used by anyone. The private key is, in a way, the skeleton key that can decrypt those messages if done so within a certain amount of time. A formula is used to generate the public and private keys.

Key distribution is sort of like file sharing with a password. To send someone an encrypted message, you need their public key, so they would have to send it to you in order to encrypt a message to send back. Upon receiving the encrypted message, you would then use your private key to decrypt it and read the message. RSA is fairly simple to understand once you remove the mathematical functions from it.

When using RSA to send encrypted messages, you want to be sure that the person you’re exchanging messages with is who they say they are. For this reason, there is what’s known as “signing messages.” Since anyone can use your public key, RSA can be used to confirm the source of a message by “signing” it with your private key. This lets the recipient know that the message was, in fact, from the person of interest.
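The four steps above (key generation, key distribution, encryption, decryption) plus signing, carried through in code. This is an added example, not code from the original article: it is textbook RSA over small integers, with constructed demo primes and messages. Real deployments use primes of 1024 bits or more and a padding scheme (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures); the hash-then-exponentiate signature here is the unpadded simplification.

```python
# Added example, not part of the original article: textbook RSA over small
# integers, covering key generation, key distribution, encryption and
# decryption as described in the text, plus signing. The primes and messages
# below are constructed demo values and are far too small for real use.
from hashlib import sha256
from math import gcd


def generate_keys(p, q, e=65537):
    """Key generation: from primes p and q derive the public key (n, e) and
    the private key (n, d), where d is the inverse of e modulo phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n); pick other primes or e")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Encryption with the recipient's public key: c = m^e mod n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Decryption with the recipient's private key: m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)


def sign(private_key, message):
    """Signing: hash the message, reduce mod n, apply the private exponent."""
    n, d = private_key
    h = int.from_bytes(sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(public_key, message, signature):
    """Verification: the public exponent must map the signature back to the hash."""
    n, e = public_key
    h = int.from_bytes(sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


def round_trip(p, q, plaintext, message):
    """Key distribution in miniature: Alice publishes pub; Bob encrypts with it
    and Alice decrypts; Alice signs with priv and Bob verifies with pub.
    Returns (recovered plaintext, genuine message verifies, altered message verifies)."""
    pub, priv = generate_keys(p, q)
    recovered = decrypt(priv, encrypt(pub, plaintext))
    sig = sign(priv, message)
    return recovered, verify(pub, message, sig), verify(pub, message + b"x", sig)


if __name__ == "__main__":
    # 1000003 and 999983 are both prime (constructed demo values).
    print(round_trip(1000003, 999983, 123456789, b"meet at noon"))
```

With the classic small parameters p = 61, q = 53 and e = 17, `generate_keys` yields d = 2753 and `encrypt` maps 65 to 2790, which is handy for checking an implementation by hand.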

To conclude, RSA is one of the simplest forms of cryptosystems that can be learned and used by anyone. Most computer programmers learn it while they are in school, and some people are self-taught. If cryptosystems are something that intrigues you, then you might want to try your hand at RSA coding.

Chatbots: The Future of Communication

What is a Chat Bot?

A chat bot is a computer program or service made to interact with you. It may help you by answering important questions, or you may use it just for fun. Chat bots replicate conversing with a person and imitate a person’s behavior through speech or writing, mainly on the internet. Chat bots are very useful for everyday tasks and have a big and promising future in the online world in many different fields.

Future of Communication

The Future of Chat Bots – A Bot That Helps You Decide What to Buy

Michael Mauldin created the first verbot, named Julia, in 1994. This was a chatterbot program for Windows and an Artificial Intelligence Software Development Kit (SDK). Since then, chatterbot programs and the various technologies of natural language processing (NLP) have experienced rapid growth and further development.

Imagine if you could have your own individual shopper to help you pick out clothes. You tell them your skin tone, what type of skin you have, your measurements, and they do the rest. With this information, the bot will tell you what type of clothes are best suited for your body, where you may purchase them, and even gives you some kind words.

The start-up “Spring”, founded by David and Alan Tisch, uses one of the first assistants for your individual shopping experience, provided by a new API from Facebook. Kik has developed a “bot shop” for chat bots, working together with H&M, Sephora and others.

The Sympathetic Sports Bot

If your favorite player has played their last game or your favorite team lost, the sports bot is there for you. It lends a sympathetic ear when your friends are picking on you. Along with the latest scores, it will tell you about sports around the world.

One example is “theScore”, working via Facebook Messenger, which allows users to get sports news as quickly as possible, such as the latest scores of their favorite teams.

A Boyfriend or Girlfriend Bot

Are you unlucky in love? Do you need daily compliments and reassurance? Chat bots may be able to meet all your needs in the love department, or most of them anyway. Chatbots created by “chatbot4u” or “Love Droids”, or the “Mitsuku bot”, can communicate with you and say something good about you every hour. Some will give you heartfelt messages to wake up to, and even feel bad if you happen to go on an actual date. You can tell them all of your thoughts and feelings, as you are basically “dating” a real person – except they are only digital and virtual. If you do happen to find a real relationship, be prepared to really break up with this kind of bot.

The Einstein Bot That Knows “Everything”

This bot, called “iEinstein” or simply “Einstein bot”, knows everything from E = mc² to how humpback whales migrate. This kind of chat bot can be found on Facebook, Twitter and other sites, and was developed, for example, by Thunder Walk Productions. This particular bot was created for education and intelligent communication in 2006 and uses Artificial Intelligence Markup Language (AIML).

If people could have their cellular phones with them during exams, many more would pass their classes. If you need to know something but do not want to be embarrassed by asking someone younger than you, then the Einstein bot is just for you. You will have a plethora of information to share with your friends and family members.

The Doctor is in

After you put your symptoms in a search engine and it comes up with a terminal illness, the “family physician bot” is there for you. Medical artificial intelligence (MAI) connects chat bot’s features with medical knowledge, such as “HealthTap”, a health bot working via the Facebook messenger. It gives you medical advice and can even tell you what medicines to take.

But you still have to be cautious with the information you receive, because it’s always better to consult a doctor if you have contracted a serious illness.

There is an upside, since medical professionals from all around the globe help provide the information available through this bot. Therefore, dealing with diseases, from the common cold on up, is just a click away. There is no guarantee, though, that this bot will provide a great bedside manner.

A Bot That Helps Balance Your Budget

Are you having trouble balancing your budget? Is there too much month left at the end of the money? Do you want to know your bank balance without ever having to go to the bank? The “Finance bot”, such as “Abe”, can help you with that and a lot more. These chat bots will guide you through the world of finances and give you tips about anything that is related to money.

Some topics these kinds of bots help with are investing your savings in the housing market or determining whether you have enough money to purchase a new car. These bots also explain the difficult financial terms that leave many people frustrated, which helps you before you make a large purchase. For everything that has to do with any financial subject, the “Finance bot” will be your new best friend.

These chat bots, along with many others to come, are the future of chat bots. Some patience and time will give technology the opportunity to meet our individual needs and wants even better. At some point in the near or distant future, dates and doctors will be just a click away. It may be a good or a bad thing, but it will never be dull. We just have to be patient and wait for the chat bots that we need and want.

Whether you need medical care, help with shopping, someone to talk to, a virtual boyfriend or girlfriend, or someone to help you perform tasks for your business or to meet your individual work needs, chat bots can help you meet some of these needs effectually.

Virtual Assistants Are a Big Part of the Future Communication

Virtual Assistants (VA) are also a big part of the future of communication. A virtual assistant is an administrative, personal or creative assistant who works for themselves, often from home, usually for many different clients. In this day and age, virtual assistants are very important to busy professionals because they make everyday business easier and save time.

Why Virtual Assistants Are an Asset

Some people do wonder how virtual assistants make any money. There are a lot of reasons why an individual would rather employ a virtual assistant instead of a regular, full time administrative assistant.

The main reasons are that virtual assistants are hired to help businesses meet their needs and save money. Having a full-time administrative assistant is very expensive, especially when a business only needs a person temporarily or on a project-by-project basis. A regular administrative assistant can cost a company anywhere from thirty-five thousand to fifty thousand a year. That is a lot of money to pay when someone is needed only on a temporary basis.

A virtual assistant can also work for more than one company or person at a time. Therefore, they can be employed for only the hours or job that they are needed for whenever a business needs them. They can often work extra hours when the need arises.

Depending on the terms of the contract a business or person has with their virtual assistant, they can temporarily terminate their services if they are having financial issues. There are many tasks that a virtual assistant does in their daily work.

The Variety of Tasks a Virtual Assistant Does

There are many different jobs that a virtual assistant can do, depending on their skills. Some may do more logistics and scheduling tasks, while others do internet-based jobs like managing e-mail accounts, doing research, or keeping social media accounts active.

Other jobs they may do include managing blogs, sending out e-mail newsletters, and transcribing voice memos, conference calls, and more. They can also manage a business calendar, plan travel, do research, work with vendors, order items the business needs, and turn data into well-thought-out spreadsheets.

Some other jobs that they can do are: any jobs that take a lot of time or are repetitive, help companies hire other staff members by finding out information about potential employees, write and give out regular business communications, create presentations, and manage social media accounts.

These are just some of the jobs that virtual assistants can do. To list them all would virtually take forever. There are certain tips to consider when hiring a virtual assistant for a business or individual.

Virtual Assistants Should Meet Your Special Needs

Every virtual assistant can basically do the same jobs or tasks. However, like any person, each of them has their own individual talents. A person who wants to hire a virtual assistant has to look for one who will meet their special needs.

For example, many virtual assistants can write press releases. But it is a good idea to hire a virtual assistant who has profound knowledge of writing. A virtual assistant who is good at writing press releases may not be good at other tasks, like keeping track of a very busy schedule.

Prior to hiring a virtual assistant, it is a good idea to write down all the jobs that you need to complete to ensure all the work that you need to be done gets done.

There are a lot of platforms where you can find a personal virtual assistant or companies which organize your stuff like an optimal virtual assistant team, such as “zirtual”, “Brickwork India” or “Get Friday”.

In this fast-paced day and age, a lot of companies and individuals cannot have their daily tasks properly completed on a regular basis without the assistance of a virtual assistant.

Virtual assistants are essential and helpful in this busy day and age, when business people and individuals are often on the go. They can help people make sure that their everyday tasks are completed.

Microsoft acquires Credentica’s U-prove technology


I am thrilled to announce that Microsoft has acquired Credentica’s U-Prove™ technology, together with all of the underlying patents. Microsoft plans to integrate the technology into Windows Communication Foundation and Windows Cardspace. Check out the blogs of Kim Cameron and Microsoft’s Corporate Privacy Group for more information.

In addition, I and my stellar colleagues Greg Thompson and Christian Paquin have joined Microsoft’s Identity and Access Group. We will be working very closely with Kim Cameron and many other Microsoft experts to bring the technology to market.

I cannot begin to express how incredibly excited I am about this milestone. It marks not only the end of an entrepreneurial journey of fifteen years, but also the start of a tremendously exciting new phase that I have been working towards for a long time. To expound, from the early nineties on the technology has always enjoyed considerable interest from leading industry players, first for electronic cash purposes and later for digital identity and access control purposes. Throughout these years I ignored acquisition offers, primarily out of concern that the technology would end up in the dustbin. There were good reasons to believe this would be a likely outcome: user-centric identity was not on anyone’s business agenda, multi-party security was deemed overkill even for military applications, and privacy-by-design was merely an academic pursuit. And so I decided to enter into business arrangements with much smaller companies and investment units whose interests were strategically aligned with mine. I also ignored venture capital, in spite of strong interest from investors; the lack of a convincing business model would likely have forced shareholders down a painful path, along the lines of what happened at two of my former licensees.

This time around, things are different – very different. For starters, the market needs in identity and access management have evolved to a point where technologies for multi-party security and privacy can address real pains. Secondly, there is no industry player around that I believe in as much as Microsoft with regard to its commitment to build security and privacy into IT systems and applications. Add to that Microsoft’s strong presence in many of the target markets for identity and access management, its brain trust, and the fact that Microsoft can influence both the client and server side of applications like no industry player can, and it is easy to see why this is a perfect match.

Now that this acquisition has been completed, I will be blogging much more frequently again than I have in the past year. Among others, I look forward to sharing information on this blog about Microsoft’s plans for the technology as they unfold.

In the meantime, for those who are new to this blog and wonder what the acquisition is about, I recommend that you check out the educational materials on the Credentica web site, which we have turned into an information site. A good starting point is the flash demo.

The Problem(s) with OpenID

On occasion, my colleagues and I are asked whether Credentica is working to ensure that our innovative technology for user-centric identity management will work with OpenID. My short answer – “No” – is sometimes followed by the question “Why not?” Let me explain.

OpenID was designed as a lightweight solution for “trivial” use cases in identity management: its primary goal is to enable Internet surfers to replace self-generated usernames and passwords by a single login credential, without needing more than their browser. Concretely, OpenID aims to enable individuals to post blog comments and log into social networking sites without having to remember multiple passwords. (Of course, local password store utilities already do that; more on this later.)

Beyond this, OpenID is pretty much useless. The reasons for this are many: OpenID is highly vulnerable to phishing and other attacks, creates insurmountable privacy problems, is not a trust system, suffers from usability problems, and makes it unappealing to become an OpenID “consumer.” Many smart people have already elaborated on these problems in various forums. In the rest of this post I will be quoting from and pointing to their critiques.

SECURITY PROBLEMS

Let’s start with the security problems of OpenID.

As Ben Laurie in a piece called “OpenId: Phishing Heaven” notes: “The OpenID people [have] defined a standard that has to be the worst I’ve ever seen from a phishing point of view. […] I just persuade you to go anywhere at all, say my lovely site of kitten photos, and get you to log in using your OpenID. Following the protocol, I find out where your provider is (i.e. the site you log in to to prove you really own that OpenID), but instead of sending you there (because, yes, OpenID works by having the site you’re logging in to send you to your provider) I send you to my fake provider, which then just proxies the real provider, stealing your login as it does. I don’t have to persuade you that I’m anything special, just someone who wants you to use OpenID, as the designers hope will become commonplace, and I don’t have to know your provider in advance. So, I can steal login credentials on a massive basis without any tailoring or pretence at all! All I need is good photos of kittens.”

Kim Cameron explains the phishing attack in greater detail and notes: “The problem here is that redirection to the home site is under the control of the evil party, and the user gives that party enough information to sink her. Further, the whole process can be fully automated.” Elsewhere, Kim points out: “think of what we unleash with OpenID… It’s way easier for the evil site to scoop the skin of a user’s OpenID service because – are you ready? – the user helps out by entering her honeypot’s URL! By playing back her OpenID skin the evil site can trick the user into revealing her creds. But these are magic creds, the keys to her whole kingdom!”

Marco Slot in his “Beginner’s guide to OpenID phishing” demonstrates the phishing problem by providing code samples. Quoting: “There’s a new phish in town and it is big and easy to catch. A single OpenID may be used for hundreds of websites. This alone makes OpenID more vulnerable as losing one password means you’ve lost them all. Moreover, each of those OpenID enabled websites is able to trick the user into giving away her password. […] Would your grandma notice http://f5888d0b1.07e1c41c97a.be/a15 is not her real openid provider?” Marco also explains why naïve attempts to solve this (such as using cookies, identifying users by their IP address, bookmark login, and displaying personal icons) do not work.

Eugene and Vladimir Tsyrklevich in a recent Black Hat presentation furthermore point out that “the phishing attack can also be carried out by the host that the site consults to retrieve the URL of the identity provider.”

On a note related to phishing, Kim Cameron says: “How do I know I am looking at his web page or talking to his identity provider? By calling them up on DNS. […] OpenID is as strong, and as weak, as DNS. In other words, it is great for transactions that won’t attract criminal attack, and terrible for those that will.” Similarly, Tim Anderson remarks: “The whole OpenID structure hinges on the URL routing to the correct machine on the Internet. In other words, DNS. Now do some research on DNS poisoning. Scary.”

Then there are various browser vulnerability exploits that could have devastating consequences (not just with regard to phishing) if one were to rely on OpenID for anything beyond trivial uses with no real value at stake. Quoting Petko D. Petkov: “Cross-site scripting, also known as XSS, […] works in situations in which attackers need to circumvent the browser security settings […] to get access to unauthorized data using the browser as a proxy. […] Cross-site scripting is an injection attack in which attackers supply malicious code as part of a GET or POST request. It is sent to the attacked application and is then rendered as part of the remotely delivered HTML page. This attack is perfect for stealing session identifiers or creating massive worm outbreaks […] if [users] happen to visit a malicious website that contains an exploit of cross-site scripting vulnerability found on a page from the identity provider origin that is used by the user, attackers could inject malicious code within that scope and hijack the user’s online identity. […] there are [other] threats such as the cross-site request forgery (CSRF), which is an attack vector that also abuses the browser’s same origin policies, but without the need to inject malicious code within the attacked website context. CSRF attacks perform blind GET or POST requests to resources that are not protected by unique tokens. Since the browser is configured to supply the necessary information, such as browser cookies and other settings to every request, attackers can perform actions on behalf of the user. In this case, if the user is logged into the identity provider and visits a malicious page that executes a CSRF attack that causes a password reset, for example, attackers can hijack the user’s identity again.”

On a similar note, Allen Tom in “What’s broken in OpenID 2.0” says: “[A phishing site can] spoof the realm using an open redirect server or by exploiting an XSS flaw on a trusted domain means that neither the user nor the OP knows what site that the user is signing into. This leaves users vulnerable to being phished on the RP site because OPs, including AOL and MyOpenID, use the realm and return_to parameters to assert the identity of the RP to the user before redirecting the user back to the RP. For example, it’s pretty trivial for a phishing site to get the AOL or MyOpenID OPs to tell the user that they’re signing into *.aol.com, *.microsoft.com, or *.go.com by exploiting redirect servers or XSS flaws on these trusted domains. […] Redirect servers, open reverse proxies, XSS flaws, and the like are widely known and eagerly circulated within certain communities, and without a doubt these bozos would be cranking out millions of SPIMs and SPAMS every hour if OpenID were to gain any traction in the mainstream.”
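The realm and return_to parameters quoted above are the only thing an OP has to go on when it tells the user which site they are signing into. The check below is an added example, not code from the original post or from any OpenID library: it implements the OpenID 2.0 rule for deciding whether a return_to URL lies inside a realm (same scheme and port, host equal to the realm host or under its leading “*.” wildcard, path equal to or below the realm path). The hostnames are constructed placeholders.

```python
# Added example, not from the original post or any OpenID implementation:
# OpenID 2.0 realm matching for a return_to URL. All hostnames are constructed.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def return_to_matches_realm(return_to, realm):
    """True if return_to is inside realm under the OpenID 2.0 matching rules."""
    r, u = urlsplit(realm), urlsplit(return_to)
    # A realm must not carry a fragment, and both URLs must share an http(s) scheme.
    if r.fragment or r.scheme not in DEFAULT_PORTS or u.scheme != r.scheme:
        return False
    try:
        if (r.port or DEFAULT_PORTS[r.scheme]) != (u.port or DEFAULT_PORTS[u.scheme]):
            return False
    except ValueError:  # unparsable port
        return False
    rhost = (r.hostname or "").lower()
    uhost = (u.hostname or "").lower()
    if rhost.startswith("*."):
        suffix = rhost[2:]
        # A single leading wildcard only; refuse one that would match a bare TLD.
        if not suffix or "*" in suffix or "." not in suffix:
            return False
        if uhost != suffix and not uhost.endswith("." + suffix):
            return False
    elif not rhost or "*" in rhost or uhost != rhost:
        return False
    # The return_to path must be the realm path or a sub-directory of it.
    rpath = r.path or "/"
    upath = u.path or "/"
    if not rpath.endswith("/"):
        rpath += "/"
    return upath == rpath.rstrip("/") or upath.startswith(rpath)


def describe(return_to, realm):
    """What a realm-only check lets an OP say to the user."""
    if return_to_matches_realm(return_to, realm):
        return "return_to is inside realm " + realm
    return "return_to is NOT inside realm " + realm
```

The check does what the specification asks and nothing more: it rejects an unrelated host, a changed scheme or port, a sibling path and a realm carrying a fragment, but any path on an in-realm host passes, which is exactly why the quote above says realm display is not enough when a trusted domain hosts an open redirect or an XSS flaw. An OP that wants to vouch for the RP has to verify the RP’s return_to endpoints through RP discovery rather than trust the realm string alone.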

It does not stop here. Alex Kuza says: “[There is a] feature to set a site to be able to accept your credentials without you having to enter your OpenID password, and since your OpenID provider does not provide these details to the host, they do. Of course, you still need to be logged into your OpenID provider, but since you’re meant to be using this login for several sites, it’s not too much of a stretch to believe that you’re going to be logged in all the time you’re online – which is quite a large time frame. […] This means that an attacker can log you into any site you decided to trust via CSRF attacks because the site cannot tell if you’ve entered a password. Now this might not seem important, but it is very important for both large and targeted attacks because the user no longer needs to be logged into the service you want to attack, but merely logged into the central service. Even worse, this fact is completely misrepresented to users. […] Another insecure ‘feature’ is the lack of need to enter a password to register for a site. Out of […] 3 OpenID vendors, only [one] asked users for a password when registering for a site, the other two had only CSRF protections. This is admittedly not particularly serious because you still need an XSS (or similar) flaw in the OpenID provider’s site before you can take advantage of the design idea, but it is rather worrying that people designing secure systems don’t seem to want to implement defence in depth.”
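Both Petkov’s and Kuza’s points above come down to the same mechanism: the browser attaches the session cookie to a “blind” cross-site POST, so a state-changing endpoint that checks only the cookie cannot tell a forged request from a genuine one. The following is an added example, not code from the original post or any identity provider: a password-reset handler protected by a per-session synchronizer token, with an Origin-header check as the defence in depth Kuza asks for. Sessions, cookies, headers and form fields are modelled as plain dicts so it runs without a web framework; SITE_ORIGIN, the user table and the request layout are this example’s own assumptions.

```python
# Added example, not from the original post or any OpenID provider: a
# synchronizer-token CSRF check on a state-changing endpoint. Sessions and
# requests are plain dicts (constructed), so no web framework is needed.
import hmac
import secrets

SITE_ORIGIN = "https://idp.example"     # constructed origin of the protected site
SESSIONS = {}                            # session id -> {"user": ..., "csrf": ...}
USERS = {"alice": "old-secret"}          # constructed user table: name -> password


def login(user):
    """Create a session and return the cookie value the browser would store.
    A fresh CSRF token is minted per session and never leaves our own pages."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """The token our own HTML forms embed; a page on another origin cannot read it."""
    return SESSIONS[sid]["csrf"]


def handle_password_reset(request):
    """request = {"method", "cookies", "headers", "form"}; returns (status, detail).
    The cookie alone proves nothing, because the browser sends it with any
    cross-site POST; the token and the Origin header are what tell a forged
    request apart."""
    if request.get("method") != "POST":
        return 405, "method not allowed"
    session = SESSIONS.get(request.get("cookies", {}).get("sid", ""))
    if session is None:
        return 401, "not logged in"
    # Defence in depth: when the browser supplies Origin, it must be our site.
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    # Primary control: constant-time comparison of the submitted token.
    token = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return 403, "missing or invalid csrf token"
    new_password = request.get("form", {}).get("new_password")
    if not new_password:
        return 400, "new_password required"
    USERS[session["user"]] = new_password   # the state change being protected
    return 200, "password reset for " + session["user"]


def demo():
    """Forged cross-site POST (cookie present, token absent) vs. genuine form."""
    sid = login("alice")
    forged = {"method": "POST", "cookies": {"sid": sid},
              "headers": {"Origin": "https://other.example"},
              "form": {"new_password": "attacker-chosen"}}
    genuine = {"method": "POST", "cookies": {"sid": sid},
               "headers": {"Origin": SITE_ORIGIN},
               "form": {"new_password": "user-chosen",
                        "csrf_token": csrf_token_for(sid)}}
    return handle_password_reset(forged)[0], handle_password_reset(genuine)[0]


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: authentication first, then the Origin check, then the token, so that a request failing the cheap checks never reaches the comparison. Note that the token check is what actually carries the protection; the Origin check only helps when the browser sends the header, which is why it is treated as defence in depth rather than the sole control.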

As an example, the Tsyrklevich brothers at the recent Black Hat conference showed how using OpenID for online banking would allow attackers to wire money to their own account using a simple cross-site request forgery attack. They also provided simple sample code for several hijacking, spoofing, and phishing attacks.

In sum, OpenID adds up to little more than simple password management with extra overhead and lots of security problems. As Marc Canter stresses: “if we’re to stop phishing, and spoofing and ID theft – we need severe crypto, locked down, secure ID systems.” Ben Laurie elaborates as follows: “The OpenID fanboys want OpenID to work on any old platform using only standard software, and so therefore are doomed to live in the world of broken authentication. This is fine if what you protect with your OpenID is worthless, but it seems clear that these types of protocol are going to be used to authenticate for things of value. […] This is the root of the problem: if you want to protect anything of value, you have to do better than existing Web solutions. You need better client-side software. […] the best general way to handle this problem is through zero-knowledge proofs.” (Note: this is exactly what Credentica’s technology does.)

PRIVACY PROBLEMS

Second, OpenID suffers from fundamental privacy problems.

For starters, Tom Allen in “What’s broken in OpenID 2.0” points out the following privacy problem: “In order to free up desirable userids, many large OPs recycle userids belonging to inactive accounts. If an OpenID is recycled, the new owner will be able to access the previous owner’s data if the RP is not aware that the OpenID has changed ownership. This is a very problematic issue for mainstream OPs. For example, if someone (unknowingly) uses a recycled OpenID to sign into Zooomr, the user may see the previous owner’s private photos.”

Secondly, as Jan Miksovsky notes, OpenID’s claim on their site that “OpenID starts with the concept that anyone can identify themselves on the Internet the same way websites do—with a URI” sounds “dehumanizing and more than a little bit frightening.”

These issues may not be of grave concern to many users. There is, however, a much more fundamental privacy problem with OpenID. In the words of Ralph Bendrath: “I have looked into it a bit closer now, and I just can say it sucks. […] Your identity provider is able to track all websites you log into. They even tell you it’s a feature. User profiling made easy! […] You have a unique identifier (your OpenID uri) for all relying parties, so you can’t choose between different cards or identities for different sites. Cross-sites profiling made easy! […] The latter of course can be worked around if you use many different IDs. But then you run into the usability problems that OpenID was meant to overcome in the first place – having to remember several logins, passwords and so on.”

As a blog commenter puts it: “Is nobody of you guys concerned about the openid tracking capabilities? Who would wanna sign up with openid and let them know what websites you visit on a daily basis?” The Tsyrklevich brothers sum it up as follows: “the IdP can spy on the user’s activity on the Internet as it is a central clearing place for all of the user’s logins.” Or, in the words of a blog poster with the pseudonym Mordaxus, OpenID is “a huge boon for anyone who wants to start tracking on the web. […] if you want to steal from people or invade their privacy, OpenID is for you.”

In a piece called “Why OpenID is going to destroy the Internet”, Ilya Lichtenstein says: “I’m not the paranoid conspiracy-theorist type, but even I am terrified of what could happen if all of our actions on the Internet could be tracked to a single identity. Imagine Big Brother coming across an offensive post you made on an anti-government website, and then tracking you through every book you bought, every comment you made, every song you listened to. Don’t say that this is already possible with an IP address - it takes a court order to get a name from an IP address, but your creepy neighbor could easily stalk you from your OpenID. […] Anonymity is one of the strengths of the Internet that allows for so much free expression - without it, the Internet loses one of its key strengths. […] Imagine a key logger or trojan compromising your OpenID password because you logged in from an insecure public computer. Now, the hacker controls every element of your digital life - so much for using different passwords on different sites for security. Imagine an OpenID server being compromised - there go thousands of identities, full complete identities compromised with ease. OpenID would be a ripe target for hackers. […] And, finally imagine what OpenID promises - all of your online identities, connected and unified. Do you really want that?”

Clearly, if OpenID were to be used on a grander scale, the privacy implications would be enormous. As the author of a blog post titled “OpenID: A great thing… going amok?” puts it: “More than anything else, privacy and free will would be my biggest concerns. […] What I don’t like is being assigned an OpenID (or anything else for that matter). […] Personally, I was a bit peeved when WordPress turned this blog into an OpenID without ever asking me. […] Now, let’s take that to another level: an entire nation requiring citizens to use OpenID. The thought sets butterflies on a wild ride through my belly.”

So much for privacy. Credentica’s technology, in contrast, provides ultra-strong privacy guarantees by design. These features, like our multi-party security features, require more client-side intelligence than today’s standard Web browser offers. Even if OpenID were to embrace such client-side intelligence, however, its simplistic URL architecture would be fundamentally incompatible with privacy features such as untraceability, unlinkability, authenticated anonymity and pseudonymity, and minimal disclosure.

TRUST PROBLEMS

Third, there is the OpenID issue of trust (or rather, the lack thereof). The old OpenID site was quite explicit in this regard: “What about trust? This is not a trust system. Trust requires identity first.” As the author of a piece titled “The OpenID Farce” objects: “Ummm, no. Actually, Identity requires trust first. Identity without trust is meaningless. […] OpenID is Yet Another Identity Transport System… without trust. […] an identity/trust system needs to convey that “‘This is Steve’ and I’ll back that up with $XX if I’m wrong” or “‘This is Steve’ by the authority of the State of California with all of the rights and responsibilities thereof”. […] If you can’t make that promise, don’t talk to me about ID.” Or, in Jeremy Schoemaker’s words: “There’s nothing stopping a fake Mark Cuban from creating a fake OpenID, or worse, a fake identity provider.”

Even for the trivial use cases that OpenID is used for today, this poses a major problem if OpenID were to gain in popularity. By way of example, a commenter at Slashdot notes: “Once this system is widely used, and spammers begin to register OpenIDs in huge numbers, how will site owners prevent spammy registrations? […] Blindly trusting OpenIDs and allowing them into a site, or giving them posting rights would be crazy. […] If [this problem] isn’t solved we have a one-stop-shop for spammer IDs.”

USABILITY PROBLEMS

Fourth, OpenID suffers from usability problems.

Neil Cauldwell in a piece titled “OpenID is too complicated” says: “I can log-in to any OpenID friendly site just by typing in ‘NeilCauldwell.com’. But do I ever use it? […] I’m already signed-up with all the services I use on a regular basis, and have a password manager that handles the usernames. In its current state, OpenID isn’t going to do much for me […] Why sign-up to OpenID when your favourite sites are bookmarked by the browser, and authenticated by a password manager? […] Even if they have an OpenID, [users] still need to create and fill-out a unique profile within each service they use. This means OpenID creates a double login procedure. As we already know, once is bad enough.”

Jan Miksovsky notes: “The process of selecting an OpenID provider will stump the average consumer. […] Why would a site operator let anyone leave their site to perform a task from which they will never return? […] Currently, even those sites that do implement OpenID generally treat OpenIDs as a second-class form of identification. They put their own proprietary means of signing in (generally with a user name and password) on their home page, and bury the OpenID sign in facility behind a link. […] And all this is for—what, exactly? To save me from having to pick a user name and password? […] I can’t imagine a sane business operator forcing their precious visitors through this gauntlet of user experience issues just for the marginal benefits that accrue to a shared form of ID. […] there’s no business of any size that can afford to direct their traffic down a dead end.”

ADOPTION PROBLEMS

Fifth, while lots of organizations are jumping in to become OpenID providers, there are virtually no OpenID consumers.

Dana Epp writes: “I could care LESS if Six Apart or Technorati can be an OpenID provider. I don’t particularly have a lot of care or trust in them. I want these sites to trust MY provider… which in this case is my own corporate authentication server. […] I think that is getting lost with all these players.”

Nik Cubrilovic in a piece titled “OpenID: Too many providers, not enough consumers” writes: “There have been a spate of announcements recently with a number of companies both large and small announcing that their products will ‘support’ OpenID. […] All these OpenID support announcements and I am not getting anywhere with my OpenID. […] it seems that while we have plenty of companies wanting to step up as providers (easy) and have their users use their OpenIDs with other applications, we don’t have enough companies stepping up as consumers of OpenID. […] it seems that OpenID is flavor of the month and everybody is jumping on for the ride (I could post ‘Burger King Supports OpenID’ and it would make the frontpage of digg). […] It seems that most of the justification for the big companies and other apps not wanting to be providers is so that they can protect their customer base and maintain a hold.”

Microsoft’s Dare Obasanjo points out that this reluctance to become an OpenID consumer may well be a fundamental problem: “When you look at the long list of Open ID providers, you may notice that there is no similar long list of sites that accept OpenID credentials. In fact, there is no such list of sites readily available because the number of them is an embarrassing fraction of the number of sites that act as Open ID providers. Why this discrepancy? If you look around, you’ll notice that the major online services […] all provide ways for third party sites to accept user credentials from their sites. This increases the value of having an account on these services [which] increases the likelihood that I’ll get an account with the service which makes it more likely that I’ll be a regular user of the service which means $$$. On the other hand, accepting OpenIDs does the exact opposite. It actually reduces the incentive to create an account on the site which reduces the likelihood I’ll be a regular user of the site and less $$$.”

Last, but not least, becoming an OpenID consumer means that another site (potentially a competitor, now or in the future) learns in real time which person is visiting at what time – potentially very valuable competitive information.

IMPERSONATION PROBLEMS [this section added on June 3, 2008]

As a consequence of the fact that an OpenID provider sees in real time which sites you log into, it also has the capability to log into any of these sites as “you”, possibly without you ever being able to find out. This is particularly problematic in cases of sites that would give access to personal account information following login via OpenID. Do you really want to give that much power to insiders at OpenID providers? Keep in mind that an “insider” may not just be unscrupulous management, but also a rogue employee, a virus, or a hacker with the proper privileges. [end of addition made June 3, 2008]

AVAILABILITY PROBLEMS

Still another concern is pointed out by the author of a blog called Internet Duct Tape: “The decentralization that is openID’s strength is also its biggest weakness. If your openID server goes down then you’re locked out of *all* of your other web accounts that used that login. […] In order to login to a web app with openID the web app needs to be working AND my openID server needs to be working. The greater number of interconnecting parts decreases my chances of getting everything to work together much more than the benefit of not having to manage multiple user accounts. […] if you use someone else’s openID server then you’re screwed.”

PATENT PROBLEMS

What all of the above points at is that OpenID is lots of pain with little (if any…) gain. If that is not enough reason for concern, then perhaps the following issue is. This particular concern relates to OpenID’s claim that it is an “open, decentralized, free framework for user-centric digital identity”:

The issue here is not so much the one that Neil Cauldwell points out: “If [users] sign-up to a service that only supports OpenIDs from certain servers, OpenID isn’t even open. At least with a proprietary sign-in process you’d be under no illusions that the username you created with service ‘x’ would work with service ‘y’. But if the big players decide to mess about with server authentication, your OpenID may or may not work at another site. This is where it becomes a complete mess.”

No, the real issue is that various parties have made claims that OpenID is covered by their patents. One patent is mentioned at the Wikipedia page on OpenID, which mentions a pending USPTO patent application with PCT priority from Denmark of March 9, 2001 that “covers the central aspects of OpenID.”

Other patents may apply as well. Jeff Bohren says, “Dave Kearns […] talks about the patents that Sxip Identity has applied for which appear to cover OpenID. He relates that Dick Hardt assured him that Sxip Identity will be issuing non-assertion statements on OpenID soon. Of course I find it odd that a company would spend the time, effort, and money to pursue IP that they already don’t intend to enforce. […] the Sxip Patent Applications so far made public include […] these.

Chuck Mortimore, who used to direct SXIP’s engineering efforts, states: “I think it’s a gross misrepresentation of the truth to say OpenID was based upon SXIP,” but that is not necessarily an indication that the SXIP patents do not cover OpenID.

Even if one were to take the position that the above-mentioned patents are pre-dated by tons of prior art and/or are “obvious to those of ordinary skill in the art,” that may hardly be reassuring for sites that establish themselves as OpenID providers or consumers – they risk being presented at any time in the future with the threat of litigation for patent infringement. The “pledges” made by various players involved in OpenID that they will not sue for patent infringement do not prevent certain litigation scenarios from becoming a reality.

CONCLUSION

So, there you have it – why we’re not working to ensure that our technology works with OpenID: there are simply irreconcilable differences between the two. Now, mind you, it IS possible to do a drastic overhaul of OpenID so that it will be possible to provide multi-party security and privacy. Doing so would amount in essence to discarding most of the OpenID work, keeping only the notion that in some cases it might be useful for individuals to facilitate “identity provider discovery” by providing a URL. The reality is that at such a point we’re not talking about an improved OpenID system anymore, as the use of a URL for IdP discovery would be pretty much all that would remain.