Minnie A. Trethewey ([personal profile] kunzite) wrote in [site community profile] dw_suggestions 2012-09-05 02:15 am

Aggregate External Identities (like OpenID)

Title:
Aggregate External Identities (like OpenID)

Area:
profile

Summary:
A list of OpenID identities to be shown on my profile page.

Description:
I have a lot of OpenID identities across the internet. I do not have a place to put this information where it can be authenticated appropriately.
Ideally, this information would be displayed on my profile page, with degrees of privacy settings.

I trust Dreamwidth with this information. Not all users will. Your mileage may vary. People should be informed about what this trust entails.

Poll #11692 Aggregate External Identities (like OpenID)
Open to: Registered Users, detailed results viewable to: All, participants: 45


This suggestion:


Should be implemented as-is.
16 (35.6%)

Should be implemented with changes. (please comment)
0 (0.0%)

Shouldn't be implemented.
7 (15.6%)

(I have no opinion)
21 (46.7%)

(Other: please comment)
1 (2.2%)


[personal profile] msilverstar 2012-09-17 01:20 am (UTC)(link)
This seems like a complex authentication project, if it's anything more than an https connection to the open ID provider.

[personal profile] azurelunatic 2012-09-17 01:28 am (UTC)(link)
The authentication part is already solved as part of OpenID.

[personal profile] swaldman 2012-09-17 09:35 am (UTC)(link)
Just to make sure I'm clear about what is being suggested:
The idea is to enter a number of OpenID identities, have each one confirmed by its provider, and show them all on a page?

[personal profile] turlough 2012-09-17 03:45 pm (UTC)(link)
I don't really see what the purpose of this would be. I mean, what would be the difference between this and a general list of off-DW identities?

[personal profile] azurelunatic 2012-09-17 04:17 pm (UTC)(link)
The difference would be confirmation. There is no technological barrier against me declaring on my DW profile that my twitter account is [twitter.com profile] stephenfry, even though anyone who knows me knows I'm not, and people who don't know me but who have a reasonable amount of Internet Skepticism could probably figure that out as well.

This would not only list the identities, but would have the fact that they had been confirmed (and since identity on the web is a moving target, I might like to have a datestamp somewhere) displayed. So a reader would not only have the user's word that this external identity was theirs, but Dreamwidth's word that it had been confirmed.

[personal profile] turlough 2012-09-17 04:53 pm (UTC)(link)
Ah, I see. I have to confess that it never even crossed my mind that someone would try to list an account that didn't belong to them. It seems so pointless to me, but then popularity is something I would rather avoid than seek out :-)

[personal profile] azurelunatic 2012-09-17 05:08 pm (UTC)(link)
There are any number of potential reasons that occur to me - a benign misunderstanding/alternative use of the field, for example as "account that I admire" rather than "account that I own"; roleplaying as the journal of a popular figure; impersonation intended to stir up trouble (do something nasty under someone else's name, get away with it yourself & have them take the blame); impersonation as social engineering (if you set up a convincing fake, you might get secured information intended for them); and the case you mentioned, to attempt to gain popularity.

I used to not think of things like this, but spending time in the presence of security geeks has warped me a little. ;)

[personal profile] matgb 2012-09-17 07:04 pm (UTC)(link)
Yeah-I always, without fail, whenever possible, use either MatGB or MatB online. It's me, it's my name plus initials, virtually everyone I associate with who sees it will know it's me.

Except I can't be MatGB in a number of places, despite it being fairly unusual, it's gone. Plus, I've had people accuse me, in serious discussions, of "hiding behind anonymity" when using it (seriously, no, I didn't get it either).

Given I have at times been fairly senior in some policy making circles, have run for office, etc, I want to be able to both prove I'm me and assert that other accounts are mine in a space I control and like.

I used ClaimID for a bit, but found it both clunky and not optimal. It never occurred to me that DW could do it for me easily and I like DW enough for that to be a really good solution, but as Kunzite's suggested it I'm very much in favour.

I've been impersonated, I've seen some abusive uses of impersonation, and a "who I am" aggregator is a good thing-Google, for example, has one, but I dislike it, partially as it's Google and partially as what it's doing is opaque.

FWIW, I'd like it to support OpenID and OAuth identities, but I realise the latter is a stretch and we don't support OAuth anywhere else yet.

[personal profile] liv 2012-09-17 09:20 pm (UTC)(link)
Honestly this feels to me like not Dreamwidth's business. I suspect this would end up being a lot of effort without really enhancing the site for most users. Not technical effort, but social effort, in terms of deciding which identity providers should be accepted, dealing with rogue ones, explaining to people what external identities are and what the concept does or doesn't imply about trust, etc.

[personal profile] dharma_slut 2012-09-29 02:34 am (UTC)(link)
This is my opinion as well.

[personal profile] daweaver 2012-09-19 02:48 pm (UTC)(link)
So if I understand correctly, the permanent record suggested by the original poster would be "I associated identity X with site Y on date Z". The suggestion is to filter this by various privacy groups similar to those already existing on the profile page. This appears perfectly practical within the existing Dreamwidth codebase.

It's a regrettable fact that openid is insecure, subject to various impersonation attacks, and cannot provide anything more than a transient identity claim - it is impossible for an openid assertion to last longer than the TTL of its domain, typically some hours. This makes openid a completely inappropriate tool for any claim of stable identity.

Personally, I believe that it would be best to consign openid to internet history, and do nothing to encourage its use. I also note that, following management diktat, Dreamwidth uses openid as its main means of operating with the outside world.

I believe it would be best that the suggestion be rejected, not because it is a bad suggestion, but because openid is a bad technology. I am resigned to this opinion being ignored by Dreamwidth developers. If it is implemented, the list of assertions absolutely must contain the date on which the assertion was made, so that a slightly more informed judgement can be made.

[personal profile] erika 2012-09-19 10:18 pm (UTC)(link)
I agree with this comment, particularly the last sentence.

I have no particular beef with OpenID, but it is not a decent way to verify much of anything, really. The problem here is I'm not aware of anything better, especially since OpenID has become utilized by multiple sites, whereas anything else would have a barrier to entry.

I would like a way to confirm my identity on other sites via a trusted operator such as dreamwidth. While unfortunate that OpenID is so transient and can be fairly open to attack, it's the best of a bad situation. I grudgingly agree with using OpenID since it seems to be the accepted standard, but would strongly counsel that all identities verified this way have time-stamps and possibly expiration dates.
Edited (more thoughts!) 2012-09-19 22:21 (UTC)
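
The record the comments above ask for (identity, confirmation date, expiry, per-entry privacy) can be sketched as below. This is an added example, not Dreamwidth code and not part of any comment; the viewer levels, the one-year expiry, and all names and URLs are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum

class Audience(IntEnum):
    """Hypothetical viewer levels, widest audience first."""
    PUBLIC = 0
    REGISTERED = 1
    ACCESS_LIST = 2
    OWNER = 3

@dataclass(frozen=True)
class ConfirmedIdentity:
    url: str                # OpenID identifier the provider confirmed
    confirmed_at: datetime  # when the provider's assertion was accepted
    min_viewer: Audience    # lowest viewer level allowed to see the entry

MAX_AGE = timedelta(days=365)  # assumed expiry policy, not a Dreamwidth setting

def profile_lines(entries, viewer, now, max_age=MAX_AGE):
    """Return the lines a viewer sees: newest first, each with its date."""
    lines = []
    for e in sorted(entries, key=lambda e: e.confirmed_at, reverse=True):
        if viewer < e.min_viewer:
            continue  # privacy filter: this viewer may not see the entry
        if e.confirmed_at > now:
            raise ValueError(f"confirmation date in the future: {e.url}")
        day = f"{e.confirmed_at:%Y-%m-%d}"
        if now - e.confirmed_at > max_age:
            # Old assertion: the domain or account may have changed hands.
            lines.append(f"{e.url} (last confirmed {day}, expired)")
        else:
            lines.append(f"{e.url} (confirmed {day})")
    return lines

# Constructed sample data; the URLs are placeholders.
NOW = datetime(2012, 9, 19, tzinfo=timezone.utc)
SAMPLE = [
    ConfirmedIdentity("https://alice.example.org/",
                      datetime(2012, 9, 5, tzinfo=timezone.utc), Audience.PUBLIC),
    ConfirmedIdentity("https://lapsed.example.net/",
                      datetime(2010, 3, 1, tzinfo=timezone.utc), Audience.PUBLIC),
    ConfirmedIdentity("https://alt.example.com/",
                      datetime(2012, 8, 1, tzinfo=timezone.utc), Audience.ACCESS_LIST),
]
```

An expired entry stays listed with its last confirmation date rather than disappearing, so a reader can judge how old the claim is.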

[personal profile] erika 2012-09-21 11:59 pm (UTC)(link)
I think Phishing is commonly seen as the biggest problem, but there are deeper issues that have been found in 2010, 2011, and 2012—in other words, pretty much every year that it's been used more widely.

[personal profile] matgb 2012-09-22 12:04 am (UTC)(link)
Several, but DaWeaver wrote one here:
http://www.daweaver.free-online.co.uk/2008/06/trouble-yadis-250608.html

Note, I like OpenID for what it is and does, not what some people think it should be or doesn't do (the idea that banks let you manage your finances with an OpenID is just *shudders*), but Iain's objections are fairly strongly held and quite well argued.

Phishing isn't the only problem, but it's the biggest I've seen.

The other, fairly obvious one:

When I imported from LJ, I 'trusted' all my LJ friends on OpenID basis.

Several have since deleted their accounts, and they would've been purged. Ergo, unless LJ blocks renamed accounts from using their new location as an OpenID, there are possibly people out there with access to my locked content because I don't know they now control an OpenID.

Alternatively, I set up my old domains as OpenIDs. AFAIK, they've not got access to anything important, but when my finances collapsed a few years back my domains lapsed. Other people now own both those domains, and those OpenIDs.

It's not, therefore, something that should involve any level of trust, but is used as such.

[personal profile] swaldman 2012-09-24 10:43 am (UTC)(link)
I feel that something that does this would be a useful service to have available on the internet, but I see no particular reason that it should be Dreamwidth that offers it - I don't see that it really fits with the rest of Dreamwidth's function (or at least, my perception of DW's function. My perception may or may not align with the management's!)

[personal profile] matgb 2012-09-24 01:45 pm (UTC)(link)
Counterpoint.

Dreamwidth is my "home" online. Others use Google, Facebook, etc but Dreamwidth is where I want people to be able to find out about me. My 'profile' has a bunch of external identities, but I haven't claimed them or proven they're mine at any point, I've just listed them.

Google allows you to put confirmed IDs and then other ids on your profile. There are also other dedicated profile pages out there you can do this with, but they specialise in just doing that.

I have a profile here. On it I can say what I like, and assert multiple other online IDs to be me.

If I can have a profile here, why not have it complete and verify that I am whoever elsewhere?