MySpace opens up to OpenID
Those expletive-ridden moments which usually run something along these lines - 'Of course I can't remember my **** password for this service I don't even **** remember registering for - may soon not be quite so shrill.
MySpace, the social networking site, has announced it will support OpenID - a system designed to make it easier to use multiple sites by allowing one login to work for all of them. From this week, MySpace will effectively be able to authenticate its 115 million users to other sites of which they are members.
The announcement promises to provide one of the greatest spurts of momentum yet to OpenID, a groundswell-type project which relies on the backing of large, internet players. Yahoo! signed on in January - bringing the 515-odd million users of its properties into the fold. AOL is the other large supporter.
The system works by first asking the user to log in with one site, known as an OpenID provider. When that user visits other, participating sites, the other sites in effect ask the first site whether the user is who they say they are. If the first site - MySpace, say - provides authorisation, then the person is logged into the second site.
Two significant obstacles remain to OpenID becoming widespread. The first is that the majority of the large players to have joined up have made what you might call tentative commitments to the project by becoming what is known as 'Open ID providers'.
Yahoo! and MySpace have said they will be happy to authenticate their users to other sites when those users try to log into those sites. What they will not allow is for their users to be logged into other sites and for those sites to authenticate Yahoo! or MySpace users to Yahoo! or MySpace. (Still with us?)
That role - where a site effectively hands over the process of authenticating users to another site - is called the 'relying party', and neither MySpace nor Yahoo! have said they will be relying parties. MySpace said it was "committed to working with the open-source community to allow users to widely control their digital identity."
The second - and connected - challenge is security. OpenID has come under criticism from some security experts, who say there is the potential for consumers to be tricked into entering their log-in into a site that is not genuine, as happens in phishing scams.
"The whole thing is fantastically dangerous until you can introduce cryptographic methods which ensure that the whole procedure is not phishable," Ben Laurie, an independent security expert, has said.
Microsoft is developing its own system for universal logins, called Cardspace, which requires a greater degree of information about the user and also employs cryptography, which some experts believe is more safe.
OpenID is a complete bag of spanners - avoid it at all costs. It is by all accounts a phishing supermarket due to the way the protocol works. While there are plenty of providers of the technology, there are fewer users (now rising).
Here's a great list of reasons why OpenID needs to go home: http://idcorner.org/2007/08/22/the-problems-with-openid/.
Cardspace is a little better, but a recent paper has exposed security issues in its protocol http://www.nds.rub.de/gajek/papers/GaScXu08_CardSpaceTR.pdf . It also has some privacy issues: http://bendrath.blogspot.com/2007/05/cardspaces-privacy-problems-now.html.
Exposing these issues is a *good* thing. With any luck future security frameworks will a) work and b) be invisible, unlike today.
Posted by: Rowland Watkins | Jul 24, 2008 3:19:20 AM