toolmantim

Keeping the keys to your OpenID identity using delegation

December 20, 2007 12:20 (Sydney Australia)

Recently I’ve heard criticism of OpenID to the tune of:

I still haven’t heard a decent explanation of why I should trust ClaimID et al with my online identity. :/

—Steve’s tweet

If you use OpenID delegation you don’t have to trust your OpenID provider with your online identity. If you look at the source code to this page you’ll see I have the following snippet in the head tag:

<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://toolmantim.myopenid.com" />

This allows me to use http://toolmantim.com as my OpenID identifier everywhere. Every time a web app needs to authenticate me, it fetches http://toolmantim.com, reads those two link tags, and goes through the delegate to perform the authentication.

If you decide you don’t trust, say, ClaimID anymore or their site goes down (which does happen), you simply update your site template to point to your preferred OpenID provider.

The huge caveat with OpenID delegation is that you’re moving the trust issue onto your own site. Do you trust the security of your own site enough to let it hold the keys to your entire web identity? If somebody manages to change the source code of your site, or poses as your site to a particular web application (a man-in-the-middle attack), then they can route the delegation somewhere else and authenticate as you.
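As an added example (not code from the original post), here is the HTML-based discovery step a relying party performs on a page like this one, plus a tamper check the identity owner can run against their own page. It is a simplified OpenID 1.x discovery (only link tags inside the head are honoured), and both sample pages are constructed, not fetched from the live site.

```python
from html.parser import HTMLParser

class _OpenIDLinkParser(HTMLParser):
    """Collects rel -> href for <link> tags found inside <head>."""
    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "head":
            self._in_head = True
        elif tag == "link" and self._in_head and a.get("href"):
            # rel may carry several space-separated tokens; first match wins
            for rel in (a.get("rel") or "").lower().split():
                self.links.setdefault(rel, a["href"])

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False

def discover(page_html, claimed_id):
    """HTML-based OpenID 1.x discovery: returns the provider endpoint and the
    identity to authenticate, or None if the page has no openid.server link."""
    parser = _OpenIDLinkParser()
    parser.feed(page_html)
    server = parser.links.get("openid.server")
    if server is None:
        return None
    # Without openid.delegate the claimed URL itself is sent to the provider
    return {"server": server,
            "identity": parser.links.get("openid.delegate", claimed_id)}

def delegation_intact(page_html, expected_server, expected_delegate):
    """Tamper check for the identity owner: True only if the page still routes
    to the provider endpoint and delegate URL the owner configured."""
    found = discover(page_html, "")
    return found == {"server": expected_server, "identity": expected_delegate}

# Constructed sample pages (assumed layout, not the real toolmantim.com source)
GOOD_PAGE = """<html><head><title>toolmantim</title>
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://toolmantim.myopenid.com" />
</head><body>hi</body></html>"""
TAMPERED_PAGE = GOOD_PAGE.replace("http://www.myopenid.com/server",
                                  "http://other-provider.example/server")

if __name__ == "__main__":
    print(discover(GOOD_PAGE, "http://toolmantim.com"))
    print(delegation_intact(TAMPERED_PAGE, "http://www.myopenid.com/server",
                            "http://toolmantim.myopenid.com"))
```

Running the tamper check on a schedule against your own identifier URL is a cheap way to notice if the delegation has been re-routed.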

Comments

Tim Lucas

Oh and I forgot to mention, another option for super-nerds is to run your own OpenID server, though that comes with the same security caveat above.

topfunky

I’ve done this ever since watching Simon Willison’s video about OpenID.

At the beginning of the year, some servers wouldn’t handle the delegation properly, but I’ve had no problems in the last few months.

As an added bonus, you don’t have to type such a long URL with the subdomain and everything!

Gaurav Kanoongo

But I want to know the consequences of losing an OpenID for any reason. Is there any method to reclaim all my OpenID-based accounts?

Wade M

I used to be a big fan of OpenID, but recently I’ve been getting cold feet about it. Other than MITM attacks, there’s DNS attacks, Web Attacks, Network attacks, no forms of encryption. Basically every point, every layer is open to attack here.

There’s a really great article on the security side of it over @ http://www.idcorner.org/?p=161

Peace,

Wade

Tim Lucas

@Gaurav: what do you mean by “losing an OpenID”? Losing your password or losing your OpenID service? If your provider goes offline then you lose access to any service for which you’ve only used that OpenID as your authentication… but a webapp could provide an email verification link method to update a lost OpenID, just like a lost password.

@Wade: Yeah it certainly has plenty of room for improvement. I wouldn’t rely on it for your net banking, but I do want to use it to force those sort of issues to be addressed.

Wade M

Hi Tim,

Good point about forcing the issue. I do very much so like that it is open/distributed.

I see OpenID being a starting point for something else in the next few years, or OpenID v2 or something. There are too many issues outside the scope of the application layer to allow OpenID to be fixed in its current form. It’s unable to reach down the OSI stack to see all the holes.

V. good point about it being reliable as long as you’re not putting your bank on it. Raises the idea of limited liability.

Happy new year.

Peace,

Wade

PS It’d be great if you could add a ‘subscribe to comments’ via e-mail feature like most blogging platforms have these days. A great way to keep conversations flowing. I’d forgotten about this post :/
