Comments

• 4 January 2007, Anonymous writes: The PhoneBoy Blog... ...
• 6 January 2007, Alec Saunders writes: Nice! It doesn't seem to work with my ClaimID OpenID, though? Ideas?
• 7 January 2007, http://openid.claimid.com/phoneboy writes: This is a test

Related Posts

• Got a Domain? Get Your Own OpenID!
• OpenID Enables P2P SIP
• Authentication Requires Trust
• Eating My Words on OpenID
• Federating Identity Tokens

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

Comments

• 3 January 2007, nick botulism writes: not so good for colourblind people though, eh?
• 3 January 2007, PhoneBoy writes: Actually, it shouldn't be a problem. There is enough differentiation between the colors that even if you are color blind, it should still work. View this page through http://colorfilter.wickline.org/ and you'll see what I mean.
• 3 January 2007, ted writes: now that is the crappiest comment validator/anti-spam measure i've yet seen. is it for real? DNS NEEDS CENTRAL AUTHENTICATION!!! happy new year
• 4 January 2007, nick botulism writes: that colour filter site is cool! very handy. good to know.
• 8 January 2007, JAL writes: I can honestly say that I have never seen a CAPTCHA method quite like that before. This method is a lot better than some methods I have seen where I was not even able to read the text. "Are You Human?" Yes, but I still cannot read that text in the CAPTCHA box.
• 27 July 2007, mawa/尼卡/文/死工程師手札/認證方式 writes: [...] 終於吃到．十三味 » « 懶人培根菜飯 2007/05/05 認證方式   http://www.phoneboy.com/node/1244有必要搞得這麼機車嗎? [...]

Related Posts

• Had to Disable Trackbacks
• More Comment Spam Foo
• Sneaky and Clever Communications
• Moblogging isn’t Easy
• Movie Downloads Not a Panacea, Even With Price Drops

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

Related Posts

• OpenID-Enabled Comments
• OpenID Enables P2P SIP
• Authentication Requires Trust
• Eating My Words on OpenID
• Google Blogger Supports Custom Domains

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

What really hit me in the shower this morning was how much OpenID was like SSL certificates. As you may or may not know, an SSL certificate is used when communicating with a website security. SSL certificates can be used to authenticate the server you are talking to. Conversely, you can also use SSL certificates to authenticate yourself to the website, though that use is less common.

What’s cool about SSL is that anyone can make an SSL certificate. It does require the right tools, of course, but it can be done. Part of creating an SSL certificate is the signing process. An SSL certificate must be signed by someone–referred to a a signing authority–authenticating that it is your certificate. What makes SSL more or less transparent to end users is that the signatures of several common signing authorities are included in your web browser. That way, when you by that used fuzzy bathrobe on eBay or that cool computer upgrade from NewEgg, “it just works.” You see the little lock icon in your browser, you know it’s safe.

Of course, anyone can sign an SSL certificate. You can even sign it yourself if you’d like. When you hit a website with an SSL certificate signed by someone not in the browser, you get a rather confusing dialog saying “this website’s certificate is signed by someone you don’t trust.” Pity the poor, uneducated end user who has to make that call. For a test server or a server accessed by relatively few people, a self-signed certificate might be okay. For mass-marked sites, however, you’re better off paying the Verisign Tax and getting a properly signed SSL certificate.

Unlike with SSL certificates, the onus of deciding whose OpenID server to trust is moved to the operator of the website. One would hope that website operators are a little more intelligent about these things, but it’s still going to be a process that will have to get worked out. I think what will ultimately happen is that there will be a handful of OpenID “servers” that everyone will trust. Anyone will be able to set up their own OpenID server, but the default will be not to trust them and the website operator will have to make a choice to trust it or not.

While I agree that OpenID is certainly open, I see OpenID evolving in much the same way as SSL certificates have. What this ultimately means is that while anyone can create an OpenID server, there will only be a handful of servers that will be widely trusted.

Comments

• 30 November -0001, chobas.com’s blog writes: I was going to rant about OpenID and how I don’t get it and how it’s the latest meme and the fashionable fad. And I was going to cite this’s guys post. But then he reneged on his stance and wrote this. There remains something that I don’t like about it, but I can’t quite put my finger on it. I also finally watched “The Da Vinci Code” this afternoon. I had put it off forever, but after I heard a roundabout endorsement as a good movie, I
• 30 November -0001, Blue Box: The VoIP Security Podcast writes: Skype, an Essential Tool for Interrogation (also RealGeek ) 29:56 - Websense ‘Skype’ Trojan Analysis – followup to our story last week… not VoIP per se but an interesting analysis 32:05 - The PhoneBoy Blog: Eating My Words on OpenID 34:18 - Zycko: VoIP Security priority for 2007 34:50 - Network World: The year ahead: Juggling IT risks, opportunities 35:08 - Upcoming shows: Jan 23-26, 2007, Ft. Lauderdale, FL, Internet Telephony Conference and Expo – East
• 21 December 2006, Andrew Codrington writes: Hey Phoneboy, Your readers should know there are excellent lower cost alternatives to the "Verisign Tax" you mention in this entry. I am employed by one Entrust (http://www.entrust.net/), but there are quite a few of us out there. Wikipedia: http://en.wikipedia.org/wiki/Certificate_authority Open Directory: http://dmoz.org/Computers/Security/Public_Key_Infrastructure/PKIX/Tools_and_Services/Third_Party_Certificate_Authorities/ Now that Verisign owns Geotrust they control quite a few of the brands on the list, but not all! I haven't dropped in to your blog for a while, great to see you're still cranking out great content! Cheers, Andrew
• 15 February 2007, Disruptive Telephony writes: Doing a ... I have to blame Aswath. Back in December, he posted a short piece wondering about the use of OpenID in SIP authentication. He contacted Jonathan and I in regard to Blue Box and asked for our comments. We discussed it...
• 19 February 2007, VoIP User writes: SIP Doesn't Need openID... We do have identification problems, but what we need to resolve those is authentication on a server to server level within a multi-lateral peered "supernet" environment....

Related Posts

• OpenID-Enabled Comments
• Got a Domain? Get Your Own OpenID!
• Authentication Requires Trust
• OpenID Enables P2P SIP
• An Open Voice Network?

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a

To me, authentication and identity go hand in hand. You can’t prove identity without authenticating it and you can’t use someone authentication with your identity. Try using someone else’s login and your password to get onto a website. Does it work? If it does, you both picked really bad passwords!

The closest analogy I can think of to OpenID is PGP. PGP is an encryption standard that relies on asymmetric encryption with public and private keys. Like with OpenID, there is no central certifying authority. However, PGP has a sort of “web of trust” model where participants in the system “sign” each others keys. The idea being, I trust that it’s Bob’s key that I received because Alice signed the key, and I trust Alice.
OpenID creates a situation where I could set up my own OpenID server and say “I assert that PhoneBoy is who he says he is.” In other words, I’m saying “I am who I say I am because I say so.” How do you know my word is good? At least PGP gives you a mechanism by which to make a decision about whether or not to trust a particular encryption key is valid. It’s certainly not perfect, but it’s better than no trust mechanism at all, which is exactly what OpenID has.

Am I overreacting to this or am I right?

Comments

• 30 November -0001, Authentication | directory-financial.info writes: Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. )." i know that since we have a proxy server in our ... Related: • ISA • server • authentication • failed • error Authentication Requires Trust While that?s fine and dandy from a lack of vendor lock-in point of view, from an authentication point of view, it?s horrible. What?s worse, is that there is no trust built into the model. Even the How This Works page at OpenID says it!
• 14 December 2006, OpenID: A possible identity mechanism for VoIP? -- Alec Saunders .LOG writes: [...] Holes?  Well, as Phoneboy pointed out, there is no trusted authority required in the spec.  But, according to the website, Verisign can provide that.  Moreover, because it’s open and distributed, why couldn’t your employer, the local police station, your phone company or your church vouch for you? [...]
• 14 December 2006, Blog by Kveton » OpenID + VoIP == Good? writes: [...] I happened upon a discussion about using OpenID for authenticating VoIP clients to one another that was sparked by this post posted by Martin Geddes. That was followed up by Aswath with a post describing how you could use OpenID to help assert your identity with VoIP calls. This was followed up by Phoneboy (not his real name, I *think* - heh) leading to a discussion about OpenID and its lack of trust. [...]
• 14 December 2006, The PhoneBoy Blog » Eating My Words on OpenID writes: [...] Between a private email from Aswath and other posts on OpenID, I have reconsidered my opinion on this. It may not be such a bad thing after all. [...]
• 14 December 2006, Telepocalypse writes: Shut up, Martin!... There seems to be considerable public demand, so I’ll explain why no amount of technology is going to make an open voice network appear. I’ve written about open vs. closed networks before a bit. We don’t have a comprehensive theory......
• 15 December 2006, OpenID身份验证系统的可信性 at iF20:天真。天眞的我们必然幸福。 writes: [...] 但是PhoneBoy对这种认证服务的随意性与自由化产生怀疑，他在文章”Authentication Requires Trust“里面提到如何保证这种认证服务的可信性问题。中国有句古话叫“王婆卖瓜，自卖自夸”，同样的对于自主架设的OpenID认证服务器也是如此。如何保证你的验证所提供的信息是真实的，OpenID的运行机制并没有对此做出验证。相反，在OpenID的运行机制说明中，关于信任问题是如何描述的： This is not a trust system. Trust requires identity first. [...]
• 3 January 2007, Blue Box: The VoIP Security Podcast writes: Blue Box #48: The Crystal Ball Edition - Top VoIP Security issues of 2006 and predictions for 2007, Skype worm that wasn't, drive-by SPIT, OpenID, poking holes in firewalls, listener comments and more...... Synopsis: The Crystal Ball Edition - Top VoIP Security issues of 2006 and predictions for 2007, Skype worm that wasn't, drive-by SPIT, OpenID for SIP authentication, poking holes in firewalls, listener comments and more... Welcome to Blue Box: The VoI...
• 3 January 2007, I Got BlueBoxed! writes: [...] A recent post of mine got mentioned on the Blue Box VoIP Security Podcast (specifically on Episode #48)! Hm… I might have to listen to start listening to this podcast. [...]
• 25 February 2007, chobas.com’s blog » I really don’t know what to title this one writes: [...] get it and how it’s the latest meme and the fashionable fad. And I was going to cite this’s guys post. But then he reneged on his stance and wrote this. There remains something that I don’t like [...]
• 15 February 2008, VoIP Caller ID Is On Its Way - VoIP News writes: [...] be ready for prime time in VoIP or in business settings.    Open to Abuse?The OpenID process is highly decentralized, which appeals to those who want to avoid vendor lock-in or inflexible [...]

Related Posts

• PayPal Security Key
• Fooling Fingerprint Scanners
• Eating My Words on OpenID
• Last of the Odds and Ends
• Consolidation in the VoIP industry, redux

This work originally came from The PhoneBoy Blog and is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
Fingerprint: e37ac627f3d973694c212ff9430d215a