March 16, 2007

Is OpenID really secure? Can you trust it? A Security Round Table podcast explores the issue... and provides a ton of links

What is OpenID? What are the security issues around it? Should you trust using it? What do you have to be worried about? What are the main security threats to it?

While I've written about OpenID here, I really wanted to understand more about the security issues around OpenID, so I got together with two other members of the Security Round Table, Michael Santarcangelo and Martin McKeay, to explore the issues around OpenID and security to a far greater degree.

We have shared the resulting conversation as a SRT podcast, and have also published as the show notes the large body of links that we accumulated during our preparation for the show.  I'd encourage you to check out the SRT site purely for the links alone, as I think we pulled together one of the more comprehensive lists of links I've seen related to OpenID.

In the end, the three of us came away quite impressed with the possibilities of OpenID with regard to the specific piece of the identity puzzle that it is aiming to solve.  We hope this podcast helps people understand both the potential benefits as well as a few potential challenges with regard to security and OpenID.  Comments and feedback are very definitely welcome.


February 21, 2007

Dean Elwood: "Why SIP Doesn't Need OpenID"

Dean Elwood over at VoIPuser.org has taken up the question about OpenID with his post "Why SIP Doesn't Need OpenID".  Dean suggests that the problem really lies between servers:

The problem of identity authentication actually resides in the server to server realm in a peered environment. How does sip.fwd.com know for sure that a peered call request is really coming from sip.voipuser.org?

Good question... and one that Dean believes can be solved through the use of the already-standardized Open Settlement Protocol (OSP).

The conversation continues...


February 18, 2007

Using your own website/URL for OpenID to keep control of your identity

As I continue to explore OpenID, one of my immediate concerns was... how do I choose an identity provider?  And if I do use an identity provider, what happens if they stop providing OpenID services?  Or what if they are bought by someone and I don't like the new owner?

Essentially - how do I create an "abstraction layer" that allows me to maintain control of my identity and not be beholden to the whims or policies (or circumstances) of a provider?

The answer is amazingly easy... just use your own domain name! As explained by Simon Willison, the process merely involves inserting two lines of code into the header of the HTML page at the URL you want to use.  So, for instance, I updated the page for www.danyork.com (which actually gets pointed to a page in a larger website) to have these two added lines:

<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://dyork.livejournal.com/">

That's it.  Now on any website that allows OpenID logins, I simply use the OpenID of "http://www.danyork.com/" and I am briefly redirected to LiveJournal to approve the granting of access to my identity credentials.  Simple and easy.

The beautiful part about this is that I can switch Identity providers any time I like.  I used my LJ account here, but I actually like some of what ClaimID has to offer.  Perhaps I'll use them instead.

The net of it, though, is that it doesn't matter...   to the websites where I log in, I log in with the danyork.com id and all is good.  Who actually services the OpenID protocol requests behind that URL is a different matter and should be - and is - separate from your actual identity.  Very cool to see... and nice to be able to be in control of my identity!
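As an added illustration (not code from this post or from Simon Willison's tutorial), here is what a relying site does with those two tags: it reads openid.server and openid.delegate out of the page at the URL you typed, and it should then accept only an assertion that names the delegate identity and comes from that server. The sample page is constructed from the two lines above; the delegate URL and server endpoint are the ones shown in the post.

```python
"""OpenID 1.x HTML discovery of the openid.server / openid.delegate tags."""
from html.parser import HTMLParser
from typing import Dict, NamedTuple, Optional

# Constructed sample page: the two link tags from the post inside a normal <head>.
SAMPLE_PAGE = """<html><head><title>Dan York</title>
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://dyork.livejournal.com/">
</head><body><p>Hello</p></body></html>"""


class Discovery(NamedTuple):
    claimed_id: str   # URL the user typed at the relying site
    server: str       # OpenID server endpoint named in the page
    identity: str     # identifier the server will actually assert (delegate, else claimed_id)


class _LinkCollector(HTMLParser):
    """Collects <link rel=... href=...> tags found before the body starts."""
    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[str, str] = {}
        self.in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_head = False
        if tag != "link" or not self.in_head:
            return
        a = dict(attrs)  # HTMLParser already lowercases tag and attribute names
        rel, href = a.get("rel"), a.get("href")
        if not rel or not href:
            return
        for token in rel.lower().split():    # rel may hold several tokens
            self.links.setdefault(token, href)  # first matching tag wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(claimed_id: str, html: str) -> Optional[Discovery]:
    """Return the (claimed_id, server, identity) triple, or None if the page is not OpenID-enabled."""
    p = _LinkCollector()
    p.feed(html)
    server = p.links.get("openid.server")
    if server is None:
        return None
    return Discovery(claimed_id, server, p.links.get("openid.delegate", claimed_id))


def assertion_is_consistent(d: Discovery, asserted_identity: str, asserting_server: str) -> bool:
    """Relying-site check: the assertion must name the delegate identity and come from the discovered server."""
    return asserted_identity == d.identity and asserting_server == d.server
```

Switching providers means changing the two tags and nothing else: the claimed URL the sites know you by stays the same, while `server` and `identity` change.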

P.S. And thanks, Simon Willison, for writing up that tutorial... very helpful.


February 16, 2007

AOL & OpenID - 63 million AIM users are now OpenID-enabled! And perhaps a slight security problem...

UPDATE: O'Reilly now points over to the post from AOL's John Panzer about this with more details.  It's funny... I read that post yesterday from John, but I don't think the enormity of it sank in until about 5am this morning when I read the post from Fred Stutzman that I reference below.

Wow!  Talk about a major boost for OpenID... continuing my OpenID research, I learned from reading Fred Stutzman (also here) that all 63 million users of AOL Instant Messenger can now use their AIM account for OpenID!  Now, I don't actually use my AIM account all that much these days (my IMs of preference are Skype, Jabber and MSN/WLM)[1], but I had to try it out, so I headed over to stickis.com and logged in using my AIM screen name - as shown in the image to the right.  Simple.  Easy.

Okay, that's fairly cool. My OpenID is simply:

http://openid.aol.com/dyorkottawa

Now the only peculiar thing was that I never saw this screen to grant or deny the access to the site.  The only reason I have this screen capture is because I pressed the Back arrow on my browser because I wanted a screen capture of the login page.  In actual operation, once I was logged into the AOL OpenID page I went directly to the stickis.com page... without actually granting the site access to my OpenID.

Hmmmmmmm...

This happened in Firefox 2, so just to verify the issue, I flipped over to IE7 and tried the same procedure.  Again, I was asked for my AIM password and then... bang... I was logged into the site (without seeing the Grant/Deny screen).  Note that I am not running any AIM client on this PC right now.

Now at the second site I tried this at, schtuff.com (a wiki provider that allows OpenID login), I was prompted to Grant/Deny access... but I was apparently already logged in to AOL's OpenID server.  Of course, I can't figure out how to log out of the AOL "Screen Name Service"... I guess I have to close out all my browser windows.  So given that I can't figure out how to log out, I can't replicate this procedure again (sorry, AOL, but I am not going to exit all my browser windows right now)... so I'd be curious to know if anyone else experiences this.  If you get an OpenID login screen, do you then just go right in?

I'm not sure there is a huge issue... I mean, you are going to the site to login... to a certain degree the Grant/Deny screen seems redundant in this instance.  You still have to go through one screen to allow the relying site access to your ID.  And with subsequent sites it seems to do the right thing and pop up the Grant/Deny screen.  Is the skipping of the initial Grant/Deny screen really a security issue?  (if it turns out to be more than just me?)  I don't know yet...

Anyway, kudos to AOL for OpenID-enabling their system... even if there might still be a few bugs to iron out.

This does raise a larger question, too... who do you use as your ID provider?  There's a long list of OpenID providers, but if you use AOL most of the time for IM, might it not make sense to use them as your OpenID provider?  Or do you want the more granular control provided by some of the others?  Where do you establish your online identity?   It shall be an interesting question to continue to ponder.

[1] My AIM name might give a clue as to why I don't use it as well... I took it out during the 5 years we lived in Ottawa, and, well, I've just never gotten around to getting a new one now that I left there 1.5 years ago...


February 15, 2007

Doing a "deep dive" on OpenID...

I have to blame Aswath.  Back in December, he posted a short piece wondering about the use of OpenID in SIP authentication.  He contacted Jonathan and me in regard to Blue Box and asked for our comments. We discussed it on Blue Box #48 (at 15:50 in the show) and basically said "well, it's interesting, but there's no trust model so we can't see how it would really work".  I had some further brief email exchange with Aswath, and then somewhere in there he came out with his proposal for extending OpenID use into communication systems.  Again he dropped us a note, and again, even with posts like that of phoneboy, I still hadn't gotten over my concern about trust - and we discussed it again in the soon-to-be-issued Blue Box #51, along with a comment from a listener.

But there was something there that kept nagging at the back of my brain... and then as Microsoft announced support for OpenID out at RSA... and then as AOL is talking about their plans...  along with a hundred other smaller indicators... all of it has made me realize that I've needed to "go deeper" on what OpenID is all about and how it works... and how maybe, just maybe, there might be a role for it in VoIP.

I'm not there yet, but I'm definitely in the middle of the deep dive.  I've told Aswath that I'd get him a longer response - and I will - once the journey has gone a bit further.  In the meantime, those of you who want to follow along can watch my del.icio.us trail on openid... it keeps getting longer.

If you have no idea what OpenID is about at all... think about all the websites you go to and all the different usernames and passwords you have.  What if there was a way to have just one identity you could use everywhere?  That's one of the ideas behind OpenID.  Here are some good places to start if you know nothing about it:

Lots to learn out there...


Full Disclosure

  • Dan York, CISSP, is Director of Emerging Communication Technology at Voxeo Corporation. He is also the Best Practices Chair of the VOIP Security Alliance (VOIPSA).

    Note that neither Voxeo nor VOIPSA have any connection to this weblog and any opinions stated here are entirely Dan's.
