Categories
josephscott

OpenID

Since Slashdot brought it up, I took a brief look at OpenID. Take a moment to read the front page of their site, they briefly cover the what, why and how of OpenID. The first thing to note is scope, the goal is to establish a distributed identity system. This identity is just a URL, which allows for the distributed portion of their model.

As noted on their site, there is no trust involved, only identity. This is a key point, because they also point out that this does nothing to prevent comment spam. What it is hoped that it will do is prevent someone from claiming to be me in a comment, but even that isn’t entirely true (see the section called ‘What about signing comments?’). I suspect that they are hoping that others will build on top of this layer to form trust and spam identification. These potential additional layers would have some promise. I could tag all comments to be moderated and then once I okay a validated OpenID then any future comments by that person would skip moderation.

This is an interesting idea, that could yield some real benefits down the line. Like all new ideas/technologies though, time has to be spent thinking about how it could be used for evil (spam, etc.). OpenID by itself doesn’t do anything to prevent comment spam, they are pretty open about this on their site. So in order for this to be worthwhile some additional features need to be developed. What sort of ways could this be hijacked so that I could pretend to be Jeremy Zawodny? What layers are below OpenID that might be available to exploitation (HTTP, DNS, etc.)? What specific implementations of those lower level layers are prone to security flaws that could be taken advantage of? If I can successfully poison the right DNS server can I pretend to be someone else?

I’m not claiming that Brad and company haven’t pondered this ideas yet, but if they have then it would be nice to have it documented somewhere for others to use as a point of reference.