cheap cialis pill
certified cialis
cheap viagra in canada
cialis buy drug
buy generic cialis
viagra buy
25mg viagra
cheap viagra without prescription
buy cheapest viagra on line
purchase viagra
cialis 10mg
buying generic viagra
cialis pills
viagra from india
cheapest sildenafil citrate
cheap cialis no rx
viagra india
cialis bangkok
viagra for order
buy sildenafil internet
buy generic viagra online
buying cialis online
where to order cialis
tablet cialis
find cialis no prescription required
viagra cheap drug
order cialis cheap online
online pharmacy cialis
cialis no rx
order generic cialis
price of cialis
viagra soft
drug viagra
cheap viagra from uk
order cialis no prescription
order cheap viagra
viagra drug
order cheap cialis
cheap cialis pharmacy
best price for viagra
cheap viagra from usa
cost cialis
cialis overnight shipping
cheapest generic cialis online
generic viagra online
online viagra
viagra sales
cheap cialis in canada
compare cialis prices online
cialis online
drug viagra online purchase
discount cialis without prescription
no rx viagra
cialis overnight
viagra uk
cialis order
cheap cialis from usa
buying cialis
cialis overnight delivery
cialis in bangkok
buy and purchase sildenafil online
impotence treatment
cheap price viagra
viagra sale
cheap cialis tablet
drug cialis
generic cialis online
cheap viagra pharmacy
find discount cialis online
viagra malaysia
cialis without a prescription
buy cialis online cheap
viagra rx
buy no rx viagra
cialis 20mg
viagra in malaysia
discount viagra online
buy sildenafil cheap
buy viagra low price
buy cialis
cialis
cheap price cialis
cheap generic viagra
cialis canada
low cost viagra
buy cheap viagra
cialis vs viagra
order cialis from us
cialis tablets
find no rx cialis
buy generic cialis online
buy viagra overnight delivery
cheapest cialis price
buy cheapest cialis on line
order cialis in canada
viagra tablet
viagra no online prescription
find cheap cialis online
viagra price
order viagra no prescription
cheap generic cialis
buy viagra online cheap
cialis uk
cialis without rx
generic cialis cheap
viagra vs cialis
order cialis on internet
viagra tablets
viagra purchase
impotence drugs
buy cialis generic
cialis tablet
cialis cheapest price
order viagra from canada
viagra generic
cheap viagra from canada
order cialis
compare viagra prices online
find cheap cialis
impotence cure
pfizer viagra
find discount cialis
cheapest cialis
buy cialis from india
impotence
buy cheapest viagra online
cialis side effects
viagra order
discount cialis online
cialis in malaysia
cialis in uk
viagra in uk
cialis online without prescription
cialis online pharmacy
order viagra
buy viagra online
viagra side effects
cialis sale
discount cialis no rx
cheapest viagra
find cialis
order cialis no rx
buy cialis low price
buy viagra cheap
drug cialis online purchase
order discount viagra online
50 mg viagra
100 mg viagra
10mg cialis
cost of cialis
cheapest cialis prices
buy discount viagra online
cialis sales
50mg viagra
cialis price
buy viagra on internet
cialis pill
cheapest cialis online
purchase viagra overnight delivery
cheap cialis from canada
cheapest viagra price
cialis 20 mg
buy sildenafil low cost
order viagra without prescription
buy viagra lowest price
no prescription cialis
order viagra on internet
discount cialis overnight delivery
cialis cheap drug
viagra approved
viagra no rx required
compare viagra prices
no rx cialis
cheap cialis on internet
buy viagra from india
buy discount cialis online
viagra pharmacy online
order viagra from us
cialis free delivery
cialis for order
buy cialis from canada
viagra without rx
viagra online review
10 mg cialis
cheap viagra no rx
cheapest viagra prices
viagra prices
cialis pharmacy
order no rx cialis
buy cialis in us
buy cialis no prescription required
order cialis from canada
lowest price cialis
cheap cialis internet
online pharmacy viagra
cheapest generic cialis
generic drugs
cialis india
find cialis without prescription
best price cialis
buy viagra without prescription
cheap cialis in uk
where to buy viagra
20 mg cialis
cheap cialis from uk
buy sildenafil canada
cialis no rx required
cialis in us
buy cialis overnight delivery
cialis cheap price
order cheap viagra online
20mg cialis
buy cheap viagra online
viagra internet
viagra without prescription
free cialis
buy cialis us
cialis buy
buy viagra in canada
order viagra cheap online
find viagra without prescription
viagra pills
cheap cialis no prescription
viagra online without prescription
order generic viagra
cialis discount
viagra cheapest price
purchase viagra no rx
viagra no rx
viagra cheap
discount viagra overnight delivery
sale cialis
cialis pharmacy online
purchase cialis without prescription
pharmacy online
cialis medication
discount viagra
buy cheap cialis
impotence medication
viagra medication
find cialis on internet
impotence pills
cialis prices
discount viagra without prescription
cialis online cheap
cialis online review
find cheap viagra online
buy viagra us
purchase cialis online
certified viagra
where to order viagra
buy cheapest viagra
buy cialis internet
order cialis online
buy sildenafil online
buy cialis cheap
cheap viagra
purchase cialis
find discount viagra
buy cialis on internet
cialis buy online
buy sildenafil online without a prescription
viagra buy online
order cheap cialis online
viagra information
no prescription viagra
cost of viagra
buy cialis in canada
buy cialis online
buy viagra
cheapest generic viagra
cialis us
cialis australia
fda approved cialis
lowest price for viagra
viagra bangkok
cialis prescription
cialis cost
buy no rx cialis
buy viagra internet
viagra discount
order viagra overnight delivery
generic cialis
viagra australia
25 mg viagra
order viagra online
viagra overnight
cialis rx
order cialis in us
order viagra no rx
order discount cialis online
viagra vendors
order viagra in us
buy sildenafil in uk
viagra us
buy generic viagra
viagra canada
viagra no prescription
viagra cheap price
cheap viagra tablet
viagra free delivery
overnight viagra
purchase viagra online
find cheap viagra
cialis malaysia
best price viagra
cialis free sample
find viagra on internet
cialis generic
buy sildenafil in canada
order cialis no prescription required
cheapest viagra online
purchase cialis no rx
viagra in us
order discount cialis
cheap viagra internet
free viagra
cialis approved
best price for cialis
cialis from india
find no rx viagra
generic viagra
viagra from canada
viagra online pharmacy
buy viagra from canada
cheapest generic viagra online
buy cheapest cialis
discount cialis
viagra overnight delivery
cialis without prescription
100mg viagra
cialis in australia
price of viagra
order cialis overnight delivery
cheap viagra in uk
buying generic cialis
viagra pill
buy cialis on line
low cost cialis
find discount viagra online
buying viagra
cheap cialis overnight delivery
pharmacy cialis
cheap viagra pill
viagra prescription
find viagra online
buy cialis lowest price
discount viagra no rx
online cialis
viagra free sample
cheap viagra in usa
find viagra
cheap viagra online
buy viagra no rx
generic viagra cheap
buy cialis without prescription
buy viagra in us
cheap viagra overnight delivery
cheap cialis in usa
cheap cialis online
viagra
order no rx viagra
viagra soft tab
find cialis online
lowest price viagra
cialis drug
cialis vendors
viagra online stores
erectile dysfunction
order viagra in canada
buy viagra on line
viagra overnight shipping
viagra online cheap
lowest price for cialis
approved viagra pharmacy
cialis 10 mg
cialis no online prescription
cialis purchase
cialis from canada
order cialis without prescription
viagra for sale
viagra in australia
approved cialis pharmacy
buy viagra generic
buy sildenafil in spain
find viagra no prescription required
cialis no prescription
buy viagra from us
order viagra no prescription required
cost viagra
purchase viagra without prescription
buy cialis no rx
cialis cheap
cialis internet
tablet viagra
cheap viagra on internet
viagra cost
pharmacy viagra
cialis soft tab
cialis information
buy cheap cialis internet
purchase cialis overnight delivery
cheap cialis without prescription
buy viagra no prescription required
compare cialis prices
buy cheap cialis online
overnight cialis
where to buy cialis
cheap cialis
buy cheap viagra internet
buy discount cialis
viagra buy drug
cheap viagra no prescription
buy sildenafil citrate
buying viagra online
buy discount viagra
fda approved viagra
cialis online stores
cheap cialis tablets
buy cheapest cialis online
cheap viagra tablets
order discount viagra
sale viagra
viagra online
cialis for sale
cialis soft
viagra pharmacy
buy cialis from us
viagra without a prescription
viagra in bangkokJason Barnabe of userstyles.org writes in with a few great questions:
I’m interested in learning more about OpenID. Most of the documentation I’ve found online deals with OpenID from a user’s perspective: “OpenID is cool because you don’t have to maintain logins at a bunch of different places.” What about from a webmaster’s point of view (I believe in your terminology, “Consumer”)?
What gets me excited about OpenID is that the value proposition is both for the end-users and for the consuming sites. First, let’s review the user-side of the value proposition:
- Don’t have to remember so many logins; one password, one login
- Portability of user identity (especially if you own the domain you’re delivering your identity from). This gives users better control of their identities.
- Users can associate OpenID’s across multiple sites. For example, today there is no way to determine if one John Smith on site is the same as on another. OpenID will at least make it so you can say you are the same OpenID on each site (now that’s not saying that user is John Smith but more on that below).
And for consumers (aka website operators):
- No more registration form: The OpenID process makes it so the registration screen on sites goes away allowing users to quickly engage in conversations, commerce or feedback.
- Increased stickiness: Users are more likely to come back since they don’t have to remember yet-another-username-and-password combination
- Up-to-date registration information: How many sites have you registered on as ‘asdf’ or filled out bogus information? Probably quite a few. With simple registration in OpenID v1.1, this information is gathered quickly and painlessly (assuming you get the users permission).
I’ve found some documentation and libraries on *how* to implement, but not *why* or in what configuration. For example, I believe I read somewhere that e-commerce type sites that should use OpenID would require the providers to have strong passwords. What are the recommendations for a simple user-generated content site, like mine at userstyles.org? Should all providers be trusted, or could a malicious provider do something really bad?
I did a walk-through of OpenID that explains a little bit of the terminology as well as the flow from the users perspective. Let’s take the example of logging into an e-commerce type site. The user only enters their password on their identity providers’ site. That means the e-commerce site would have no way of knowing what kind of password schemes were in use by just looking at the identity provider. They could figure it out pretty quickly with a manual inspection but there is no flag that tells the consuming site what kind of password strength is required.
If you were to enable OpenID on your site, you would be consuming OpenID’s. If you were also serving OpenID’s you would be producing them. In the latter case you become an identity provider (IdP) that creates OpenID’s for use in the OpenID eco-system. This is an important distinction. For smaller sites, I would recommend just enabling the consumer side; make it so users can login with their OpenID. If you have users wanting to create new OpenID’s then I would suggest partnering with an identity provider that will allow you to send users their way. For example (and this is a shameless plug so treat it as such) we do this for a few sites, the most notable of which is Zooomr. Now there are several other identity providers out there as well that you can use to do this which is great for you as a website operator. The most important part about that is that we’re all doing this stuff everyday. How much time do you really want to spend on “user accounting” on your site anyways? Its the least “main thing” you have to deal with when having a site with logins. You want to focus on photo sharing, social bookmarking or in your case, empowering users to tweak website and application styles.
Now, should all identity providers be trusted? That’s a toughy. There is an interesting discussion going on about this on one of the OpenID mailing lists. The de-centralized nature of OpenID is what makes it so compelling. However, that is also what could lead to bad things like spammers setting up their own IdP’s and then spamming blogs and wikis out of existence (or just making OpenID go away). Solutions like Akismet and captchas help with the comment piece but what we really need is some sort of reputation component that says “yes, this is a valid user tied to this OpenID and not some bad person or bot”. We don’t have it yet and to try and engineer that out today would be nuts; it will happen, it’ll just take some time as we watch and learn how OpenID is used in the real world.
Scott, in your description of password schemes, it sounds as if you are suggesting it’s a strength of OpenID that the SP doesn’t know whether I authenticated to the IDP with a 3 character password or something stronger.
There should/must be a way for the IDP to say how they authenticated the user – the SP might need this info in assessing the relevance of the IDP’s claim to its security requirements.
Paul
What’s to stop a rogue IdP from saying they required a super high security level for their passwords when they didn’t really? Or are you suggesting that we assume we trust the IdP?
Well nothing of course, but that goes back to the issue of trusting an IdP. If you’re going to accept anything from a given IdP, then there must be some level of trust as to the accuracy of that information. Once that trust is established (however that would work), it would be possible to provide something akin to SAML’s AuthnContext element. Of course this makes everything a little bit heavier than perhaps it should be. I’ve always viewed OpenID (perhaps incorrectly?) not as a direct competitor to the various SAML products, but rather as a lighter weight solution when the full weight of SAML isn’t necessary. Given that, even though it may be possible to provide an AuthnContext in OpenID, it might not be a “good thing” in the long run.
The key here is we don’t know how that trust will be established. OpenID has been successful because it made as few assumptions as possible; once we see how users and sites are using this stuff, we can better craft the protocol. The same is true of trust; we’re not sure of the mechanism yet so trying to bake it in yet would be crazy. I’m a firm believer that the market will yield the solution for us.
I completely agree that SAML and OpenID are not competitors. The discussions we’ve been having in the OpenID community have always revolved around ways we could either leverage the work done by the Liberty camp or better yet use some of the solutions directly in the OpenID stack as it starts to mature.
When I look at a protocol for something like this I have to ask “what technology has the best opportunity to evolve with the community that is using it?” OpenID seems to be a pretty good fit with lots of sharp people getting on board and an excellent community forming around its use. I’m hoping we can continue to stay nimble and work with folks in the SAML, Higgins, etc camps. Seems like the right thing to do to me.
“No more registration form: The OpenID process makes it so the registration screen on sites goes away allowing users to quickly engage in conversations, commerce or feedback.”
But what about that site’s existing users? And what about additional information, such as site-specific settings or data, that the consumer requires that’s not provided by the provider?
Wrt SAML 2.0’s Authentication Context, at its lightest, it can be just a URI that the IDP inserts in its Assertions. The SP parses the URI and recognizes the authentication mechanism (and maybe other info as well).
It’s not just for the IDP to use in its assertions, the SP might want to indicate what it expeced/desired when it asked the IDP.
Seems to me that if you want OpenId used for multiple authentication mechs (password, OTP, biometric, whatever), you need ways to express these in the protocols. SAML does it with AC, Cardspace has a different syntax.
Jason: you are prolific with the great questions … :-)
What I’ve seen with most sites is that they actually create a local account that is keyed on the OpenID. This allows the ability to deal with all of the site-specific information quickly and easily while still leveraging OpenID. There is also the concept of attribute exchange coming to OpenID very soon. Think about being able to keep create, manage and update arbitrary attributes tied to your OpenID for use on any site on the Internet. A great example of this would be the ability to register on a Drupal site and get any of the special stuff that a Drupal user needs updated in your OpenID attribute profile. The next Drupal site you go to could then get access to that information (assuming the user wants them to have it).
You’ll find that applications like Drupal, Plone and others use the method of just creating a local account and then keying it off the OpenID.
Another use of simple registration is keeping your local copy of this data up to date… this is what we are trying to get our Shibboleth service providers to do. So a user may login and create an account with an email address X, but next week he changes his email address at his IdP to Y. If you receive his attributes each time he logs in to your application, you can check to see if you have the latest data and update if not.
Of course, there are cases when you might NOT want to update your local data… suppose a user is being hassled by another member in your community, so they change their contact information in your application. You wouldn’t necessarily want to change it right back the next time they log in, now would you? So you definitely need to think through everything, but it has the potential for providing real data provisioning.
The possibilities are endless. The other thought on this would be to notify sites when you change the information at your IdP. So you update your email and instead of having to login to all of your sites your IdP actually sends a note saying “hey, we just updated this user’s email address”. This is a non-trivial thing to do because you have to really trust the IdP.
In the case that you mention; user hassling another user on a specific site. Odds are if they know their OpenID they can hassle them all day long no matter what site they are on. In that case, maybe a using an anonymizer would be a good thing.
More trust is good in some cases and not in others. As in connecting too many dots together and we enter in a privacy issue because of the lost of opacity.
So I would be careful, Open ID is good, but I would encourage to have more than one depending on their online personae.
Paul Madson wrote:
>There should/must be a way for the IDP to say how they authenticated the user – the SP might need this info in assessing the relevance of the IDP’s claim to its security requirements.
Why would it need this info? Who cares? It should be the user’s responsibility not to choose a crappy IdP, just like it should be the user’s responsibility to not post porn pix to the consuming site.
@Forsooth:
There are plenty of use cases in which a Service Provider is concerned about the strength of an Identity Provider’s authentication mechanism. Imagine I’m a banking website and I allow users to login with their OpenID (I’m not sure that I’d recommend that, but just suppose..) I have a real concern with making absolutely sure that the person at the keyboard really is the person who owns a particular bank account. I am the one releasing the data (or allowing access, whatever), so it is ultimately my responsibility to authenticate the user. As a convenience I may delegate this authentication to another party, but in the end it is still my responsibility. Granted, they have a responsibility of choosing a good IdP, but I would also have a liability risk if I release someone’s personal banking data because I didn’t adequately authenticate the user. Requiring a specific level of assurance would alleviate this to a certain degree. (Of course as already mentioned, I’d have to trust the IdP to be honest in how they authenticated the user).
You can’t say the bank would be liable if a user’s security is compromised because of a poor IdP. That’s tantamount to saying the bank would be liable if the user left his password taped to the monitor and his brother logged in and emptied his funds. (of course there are probably no legal precidents yet in this arena but it seems highly unlikely…)
Probably not quite the place to post this comment but we are desperate. We are working on accepting user-centric identities. We plan on accepting OpenId and CardSpace. We have a similar page that whobar provides.
We develop with the JanRain .NET library from openid.org.
You mentioned in this blog OpenId mail forums and I was wondering how to get to them? We are very confused about how we get identity claims from the OpenId token.
There does not appear to be anything in the JanRain that lets you do that. Even WhoBar talks about getting the claims but when we run the code we don’t get anything.
Thanks!
I see your website grabbed some claims so any insight would be much appreciated!
If by “claims” you mean getting the user profile information from the person using OpenID to login to your web site, I just posted on how to do it using JanRain’s assembly on my blog.
Awesome, man