Misplaced Pages

#381618

65-438: OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation . It allows users to be authenticated by co-operating sites (known as relying parties , or RP) using a third-party identity provider (IDP) service, eliminating the need for webmasters to provide their own ad hoc login systems, and allowing users to log in to multiple unrelated websites without having to have

130-543: A PIN code , a password , a passphrase , a big number, or an array of randomly chosen bytes. The shared secret is either shared beforehand between the communicating parties, in which case it can also be called a pre-shared key , or it is created at the start of the communication session by using a key-agreement protocol , for instance using public-key cryptography such as Diffie–Hellman or using symmetric-key cryptography such as Kerberos . The shared secret can be used for authentication (for instance when logging in to

195-742: A royalty-free basis. Many definitions of the term standard permit patent holders to impose " reasonable and non-discriminatory licensing" royalty fees and other licensing terms on implementers or users of the standard. For example, the rules for standards published by the major internationally recognized standards bodies such as the Internet Engineering Task Force (IETF), International Organization for Standardization (ISO), International Electrotechnical Commission (IEC), and ITU-T permit their standards to contain specifications whose implementation will require payment of patent licensing fees. Among these organizations, only

260-500: A "free software and open standards law." The decree includes the requirement that the Venezuelan public sector must use free software based on open standards, and includes a definition of open standard: Shared secret In cryptography , a shared secret is a piece of data, known only to the parties involved, in a secure communication . This usually refers to the key of a symmetric cryptosystem . The shared secret can be

325-612: A URL (typically a third-level domain, e.g. username.example.com) that will automatically be configured with OpenID authentication service. Once they have registered an OpenID, a user can also use an existing URL under their own control (such as a blog or home page) as an alias or "delegated identity". They simply insert the appropriate OpenID tags in the HTML or serve a Yadis document. Starting with OpenID Authentication 2.0 (and some 1.1 implementations), there are two types of identifiers that can be used with OpenID: URLs and XRIs. XRIs are

390-681: A common patent policy under the banner of the WSC . However, the ITU-T definition should not necessarily be considered also applicable in ITU-R, ISO and IEC contexts, since the Common Patent Policy does not make any reference to "open standards" but rather only to "standards." In section 7 of its RFC 2026, the IETF classifies specifications that have been developed in a manner similar to that of

455-704: A consensus basis. The definitions of the term open standard used by academics, the European Union , and some of its member governments or parliaments such as Denmark , France , and Spain preclude open standards requiring fees for use, as do the New Zealand , South African and the Venezuelan governments. On the standard organisation side, the World Wide Web Consortium (W3C) ensures that its specifications can be implemented on

520-402: A data format which is made public, is thoroughly documented and neutral with regard to the technological tools needed to peruse the same data. The E-Government Interoperability Framework (e-GIF) defines open standard as royalty-free according to the following text: While a universally agreed definition of "open standards" is unlikely to be resolved in the near future, the e-GIF accepts that

585-606: A definition of "open standards" needs to recognise a continuum that ranges from closed to open, and encompasses varying degrees of "openness." To guide readers in this respect, the e-GIF endorses "open standards" that exhibit the following properties: The e-GIF performs the same function in e-government as the Road Code does on the highways. Driving would be excessively costly, inefficient, and ineffective if road rules had to be agreed each time one vehicle encountered another. The Portuguese Open Standards Law, adopted in 2011, demands

650-535: A definition of open standards, which also is used in pan-European software development projects. It states: The French Parliament approved a definition of "open standard" in its "Law for Confidence in the Digital Economy." The definition is (Article 4): A clear royalty-free stance and far reaching requirements case is the one for India's Government 4.1 Mandatory Characteristics An Identified Standard will qualify as an "Open Standard", if it meets

715-605: A full, irrevocable and irreversible way to the Portuguese State; e) There are no restrictions to its implementation. A Law passed by the Spanish Parliament requires that all electronic services provided by the Spanish public administration must be based on open standards. It defines an open standard as royalty-free, according to the following definition (ANEXO Definiciones k): An open standard fulfills

SECTION 10

#1732801945382

780-484: A malicious relaying party may forward the end user to a bogus identity provider authentication page asking that end user to input their credentials. On completion of this, the malicious party (who in this case also controls the bogus authentication page) could then have access to the end user's account with the identity provider, and then use that end user's OpenID to log into other services. In an attempt to combat possible phishing attacks, some OpenID providers mandate that

845-492: A new form of Internet identifier designed specifically for cross-domain digital identity. For example, XRIs come in two forms— i-names and i-numbers —that are usually registered simultaneously as synonyms . I-names are reassignable (like domain names), while i-numbers are never reassigned. When an XRI i-name is used as an OpenID identifier, it is immediately resolved to the synonymous i-number (the CanonicalID element of

910-510: A separate identity and password for each. Users create accounts by selecting an OpenID identity provider , and then use those accounts to sign on to any website that accepts OpenID authentication. Several large organizations either issue or accept OpenIDs on their websites. The OpenID standard provides a framework for the communication that must take place between the identity provider and the OpenID acceptor (the " relying party "). An extension to

975-598: A set of principles which have contributed to the exponential growth of the Internet and related technologies. The "OpenStand Principles" define open standards and establish the building blocks for innovation. Standards developed using the OpenStand principles are developed through an open, participatory process, support interoperability, foster global competition, are voluntarily adopted on a global level and serve as building blocks for products and services targeted to meet

1040-627: A specific means by which to authenticate users, allowing for approaches ranging from the common (such as passwords) to the novel (such as smart cards or biometrics). The final version of OpenID is OpenID 2.0, finalized and published in December 2007. The term OpenID may also refer to an identifier as specified in the OpenID standard; these identifiers take the form of a unique Uniform Resource Identifier (URI), and are managed by some "OpenID provider" that handles authentication. As of March 2016, there are over 1 billion OpenID-enabled accounts on

1105-489: A user visits a website that supports OpenID authentication, the website will redirect the user to their chosen IDP. The IDP will then prompt the user to authenticate themselves (e.g., by entering a username and password). Once the user is authenticated, the IDP will generate an OpenID and send it back to the website. The website can then use this OpenID to authenticate the user without needing to know their actual credentials. OpenID

1170-456: A wide range of meanings associated with their usage. There are a number of definitions of open standards which emphasize different aspects of openness, including the openness of the resulting specification, the openness of the drafting process, and the ownership of rights in the standard. The term "standard" is sometimes restricted to technologies approved by formalized committees that are open to participation by all interested parties and operate on

1235-451: Is a decentralized authentication protocol that allows users to authenticate with multiple websites using a single set of credentials, eliminating the need for separate usernames and passwords for each website. OpenID authenticates with user with an identity provider (IDP), who then provides the user with a unique identifier (called an OpenID). This identifier can then be used to authenticate the user with any website that supports OpenID. When

1300-550: Is a global organization to promote digital identity and to encourage the further adoption of OpenID, the OIDF has encouraged the creation of member chapters. Member chapters are officially part of the Foundation and work within their own constituency to support the development and adoption of OpenID as a framework for user-centric identity on the internet. The OIDF ensures that OpenID specifications are freely implementable therefore

1365-423: Is also likely to be a more serious breach of privacy than a compromised account on a single site. Another important vulnerability is present in the last step in the authentication scheme when TLS/SSL are not used: the redirect-URL from the identity provider to the relying party. The problem with this redirect is the fact that anyone who can obtain this URL (e.g. by sniffing the wire) can replay it and get logged into

SECTION 20

#1732801945382

1430-625: Is built on top of several existing standards, including HTTP, HTML, and XML. OpenID relies on a number of technologies, including a discovery mechanism that allows websites to find the IDP associated with a particular OpenID, as well as security mechanisms to protect against phishing and other attacks. One of the key benefits of OpenID is that it allows users to control their own identity information, rather than relying on individual websites to store and manage their login credentials. This can be particularly important in cases where websites are vulnerable to security breaches or where users are concerned about

1495-714: Is determined by the market. The ITU-T is a standards development organization (SDO) that is one of the three sectors of the International Telecommunication Union (a specialized agency of the United Nations ). The ITU-T has a Telecommunication Standardization Bureau director's Ad Hoc group on IPR that produced the following definition in March 2005, which the ITU-T as a whole has endorsed for its purposes since November 2005: The ITU-T , ITU-R , ISO , and IEC have harmonized on

1560-557: Is here meant in the sense of fulfilling the following requirements: The Network Centric Operations Industry Consortium (NCOIC) defines open standard as the following: Specifications for hardware and/or software that are publicly available implying that multiple vendors can compete directly based on the features and performance of their products. It also implies that the existing open system can be removed and replaced with that of another vendor with minimal effort and without major interruption. The Danish government has attempted to make

1625-410: Is redirected back to the relying party along with the end user's credentials. That relying party must then confirm that the credentials really came from the OpenID provider. If the relying party and OpenID provider had previously established a shared secret, then the relying party can validate the identity of the OpenID provider by comparing its copy of the shared secret against the one received along with

1690-414: Is that Covert Redirect is not as bad, but still a threat. Understanding what makes it dangerous requires a basic understanding of Open Redirect, and how it can be exploited." A patch was not immediately made available. Ori Eisen, founder, chairman and chief innovation officer at 41st Parameter told Sue Marquette Poremba, "In any distributed system, we are counting of the good nature of the participants to do

1755-506: Is then published in the form of RFC 6852 in January 2013. The European Union defined the term for use within its European Interoperability Framework for Pan-European eGovernment Services, Version 1.0 although it does not claim to be a universal definition for all European Union use and documentation. To reach interoperability in the context of pan-European eGovernment services, guidance needs to focus on open standards. The word "open"

1820-438: Is to release every part of this under the most liberal licenses possible, so there's no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we're all a part of the community. Sun Microsystems , VeriSign and a number of smaller companies involved in OpenID have issued patent non-assertion covenants covering OpenID 1.1 specifications. The covenants state that

1885-759: The GSM phones (adopted as a government standard), Open Group which promotes UNIX , and the Internet Engineering Task Force (IETF) which created the first standards of SMTP and TCP/IP. Buyers tend to prefer open standards which they believe offer them cheaper products and more choice for access due to network effects and increased competition between vendors. Open standards which specify formats are sometimes referred to as open formats . Many specifications that are sometimes referred to as standards are proprietary, and only available (if they can be obtained at all) under restrictive contract terms from

1950-611: The "Simplified BSD License" as stated in the IETF Trust Legal Provisions and Copyright FAQ based on RFC 5377. In August 2012, the IETF combined with the W3C and IEEE to launch OpenStand and to publish The Modern Paradigm for Standards. This captures "the effective and efficient standardization processes that have made the Internet and Web the premiere platforms for innovation and borderless commerce". The declaration

2015-495: The IETF and ITU-T explicitly refer to their standards as "open standards", while the others refer only to producing "standards". The IETF and ITU-T use definitions of "open standard" that allow "reasonable and non-discriminatory" patent licensing fee requirements. There are those in the open-source software community who hold that an "open standard" is only open if it can be freely adopted, implemented and extended. While open standards or architectures are considered non-proprietary in

OpenID - Misplaced Pages Continue

2080-518: The IETF itself as being "open standards," and lists the standards produced by ANSI , ISO , IEEE , and ITU-T as examples. As the IETF standardization processes and IPR policies have the characteristics listed above by ITU-T, the IETF standards fulfill the ITU-T definition of "open standards." However, the IETF has not adopted a specific definition of "open standard"; both RFC 2026 and the IETF's mission statement (RFC 3935) talks about "open process," but RFC 2026 does not define "open standard" except for

2145-590: The Internet (see below) and approximately 1,100,934 sites have integrated OpenID consumer support: AOL , Flickr , Google , Amazon.com , Canonical (provider name Ubuntu One ), LiveJournal , Microsoft (provider name Microsoft account ), Mixi , Myspace , Novell , OpenStreetMap , Orange , Sears , Sun , Telecom Italia , Universal Music Group , VeriSign , WordPress , Yahoo! , the BBC , IBM , PayPal , and Steam , although some of those organizations also have their own authentication management. Many if not all of

2210-612: The OIDF requires all contributors to sign a contribution agreement. This agreement both grants a copyright license to the Foundation to publish the collective specifications and includes a patent non-assertion agreement. The non-assertion agreement states that the contributor will not sue someone for implementing OpenID specifications. The OpenID trademark in the United States was assigned to the OpenID Foundation in March 2008. It had been registered by NetMesh Inc. before

2275-514: The OpenID Foundation was operational. In Europe, as of August 31, 2007, the OpenID trademark is registered to the OpenID Europe Foundation. The OpenID logo was designed by Randy "ydnar" Reddig, who in 2005 had expressed plans to transfer the rights to an OpenID organization. Since the original announcement of OpenID, the official site has stated: Nobody should own this. Nobody's planning on making any money from this. The goal

2340-423: The OpenID into a canonical URL form (e.g. http://alice.openid.example.org/ ). There are two modes in which the relying party may communicate with the OpenID provider: The checkid_immediate mode can fall back to the checkid_setup mode if the operation cannot be automated. First, the relying party and the OpenID provider (optionally) establish a shared secret , referenced by an associate handle , which

2405-527: The Relying Parties which policies were actually used." Other security issues identified with OpenID involve lack of privacy and failure to address the trust problem . However, this problem is not unique to OpenID and is simply the state of the Internet as commonly used. The Identity Provider does, however, get a log of your OpenID logins; they know when you logged into what website, making cross-site tracking much easier. A compromised OpenID account

2470-623: The XRDS document). This i-number is the OpenID identifier stored by the relying party. In this way, both the user and the relying party are protected from the end user's OpenID identity ever being taken over by another party as can happen with a URL based on a reassignable DNS name. The OpenID Foundation (OIDF) promotes and enhances the OpenID community and technologies. The OIDF is a non-profit international standards development organization of individual developers, government agencies and companies who wish to promote and protect OpenID. The OpenID Foundation

2535-566: The affected parties, who have then fixed their vulnerable code. For the second issue, the paper called it "Data Type Confusion Logic Flaw", which also allows attackers to sign in to victims' RP accounts. Google and PayPal were initially confirmed vulnerable. OpenID published a vulnerability report on the flaw. The report says Google and PayPal have applied fixes, and suggest other OpenID vendors to check their implementations. Some observers have suggested that OpenID has security weaknesses and may prove vulnerable to phishing attacks. For example,

2600-559: The companies will not assert any of their patents against OpenID implementations and will revoke their promises from anyone who threatens, or asserts, patents against OpenID implementors. In March, 2012, a research paper reported two generic security issues in OpenID. Both issues allow an attacker to sign in to a victim's relying party accounts. For the first issue, OpenID and Google (an Identity Provider of OpenID) both published security advisories to address it. Google's advisory says "An attacker could forge an OpenID request that doesn't ask for

2665-649: The degree of openness will be taken into account when selecting an appropriate standard: The UK government 's definition of open standards applies to software interoperability, data and document formats. The criteria for open standards are published in the "Open Standards Principles" policy paper and are as follows. The Cabinet Office in the UK recommends that government departments specify requirements using open standards when undertaking procurement exercises in order to promote interoperability and re-use, and avoid technological lock-in. The Venezuelan Government approved

OpenID - Misplaced Pages Continue

2730-563: The end user needs to be authenticated with them prior to an attempt to authenticate with the relying party. This relies on the end user knowing the policy of the identity provider. In December 2008, the OpenID Foundation approved version 1.0 of the Provider Authentication Policy Extension (PAPE), which "enables Relying Parties to request that OpenID Providers employ specified authentication policies when authenticating users and for OpenID Providers to inform

2795-422: The end user's credentials; such a relying party is called stateful because it stores the shared secret between sessions. In contrast, a stateless or dumb relying party must make one more background request ( check_authentication ) to ensure that the data indeed came from the OpenID provider. After the OpenID has been verified, authentication is considered successful and the end user is considered logged into

2860-506: The following conditions: The South African Government approved a definition in the "Minimum Interoperability Operating Standards Handbook" (MIOS). For the purposes of the MIOS, a standard shall be considered open if it meets all of these criteria. There are standards which we are obliged to adopt for pragmatic reasons which do not necessarily fully conform to being open in all respects. In such cases, where an open standard does not yet exist,

2925-581: The following criteria: Italy has a general rule for the entire public sector dealing with Open Standards, although concentrating on data formats, in Art. 68 of the Code of the Digital Administration ( Codice dell'Amministrazione Digitale ) [applications must] allow representation of data under different formats, at least one being an open data format. [...] [it is defined] an open data format,

2990-457: The larger organizations require users to provide authentication in the form of an existing email account or mobile phone number in order to sign up for an account (which then can be used as an OpenID identity). There are several smaller entities that accept sign-ups with no extra identity details required. Facebook did use OpenID in the past, but moved to Facebook Connect . Blogger also used OpenID, but since May 2018 no longer supports it. OpenID

3055-404: The necessary identity details. If the end user declines the OpenID provider's request to trust the relying party, then the user-agent is redirected back to the relying party with a message indicating that authentication was rejected; the relying party in turn refuses to authenticate the end user. If the end user accepts the OpenID provider's request to trust the relying party, then the user-agent

3120-400: The needs of markets and consumers. This drives innovation which, in turn, contributes to the creation of new markets and the growth and expansion of existing markets. There are five, key OpenStand Principles, as outlined below: 1. Cooperation Respectful cooperation between standards organizations, whereby each respects the autonomy, integrity, processes, and intellectual property rules of

3185-411: The organization that owns the copyright on the specification. As such these specifications are not considered to be fully open . Joel West has argued that "open" standards are not black and white but have many different levels of "openness". A more open standard tends to occur when the knowledge of the technology becomes dispersed enough that competition is increased and others are able to start copying

3250-711: The others. 2. Adherence to Principles – Adherence to the five fundamental principles of standards development, namely 3. Collective Empowerment Commitment by affirming standards organizations and their participants to collective empowerment by striving for standards that: 4. Availability Standards specifications are made accessible to all for implementation and deployment. Affirming standards organizations have defined procedures to develop specifications that can be implemented under fair terms. Given market diversity, fair terms may vary from royalty-free to fair, reasonable, and non-discriminatory terms (FRAND). 5. Voluntary Adoption Standards are voluntarily adopted and success

3315-617: The privacy of their personal information. OpenID has been widely adopted by a number of large websites and service providers, including Google, Yahoo!, and PayPal. The protocol is also used by a number of open source projects and frameworks, including Ruby on Rails and Django. The end user interacts with a relying party (such as a website) that provides an option to specify an OpenID for the purposes of authentication; an end user typically has previously registered an OpenID (e.g. alice.openid.example.org ) with an OpenID provider (e.g. openid.example.org ). The relying party typically transforms

SECTION 50

#1732801945382

3380-647: The purpose of defining what documents IETF standards can link to. RFC 2026 belongs to a set of RFCs collectively known as BCP 9 (Best Common Practice, an IETF policy). RFC 2026 was later updated by BCP 78 and 79 (among others). As of 2011 BCP 78 is RFC 5378 (Rights Contributors Provide to the IETF Trust), and BCP 79 consists of RFC 3979 (Intellectual Property Rights in IETF Technology) and a clarification in RFC 4879. The changes are intended to be compatible with

3445-423: The relying party then stores. If using the checkid_setup mode, the relying party redirects the end user's user-agent to the OpenID provider so the end user can authenticate directly with the OpenID provider. The method of authentication may vary, but typically, an OpenID provider prompts the end user for a password or some cryptographic token, and then asks whether the end user trusts the relying party to receive

3510-422: The relying party under the identity specified by the given OpenID (e.g. alice.openid.example.org ). The relying party typically then stores the end user's OpenID along with the end user's other session information. To obtain an OpenID-enabled URL that can be used to log into OpenID-enabled websites, a user registers an OpenID identifier with an identity provider. Identity providers offer the ability to register

3575-404: The required TCP sequence numbers) and then execute the replay attack as described above. Thus nonces only protect against passive attackers, but cannot prevent active attackers from executing the replay attack. Use of TLS/SSL in the authentication process can significantly reduce this risk. This can be restated as: On May 1, 2014, a bug dubbed " Covert Redirect related to OAuth 2.0 and OpenID"

3640-486: The right thing. In cases like OAuth and OpenID, the distribution is so vast that it is unreasonable to expect each and every website to patch up in the near future". The original OpenID authentication protocol was developed in May 2005 by Brad Fitzpatrick , creator of popular community website LiveJournal , while working at Six Apart . Initially referred to as Yadis (an acronym for "Yet another distributed identity system"), it

3705-485: The sense that the standard is either unowned or owned by a collective body, it can still be publicly shared and not tightly guarded. The typical example of "open source" that has become a standard is the personal computer originated by IBM and now referred to as Wintel , the combination of the Microsoft operating system and Intel microprocessor. There are three others that are most widely accepted as "open" which include

3770-460: The site as the victim user. Some of the identity providers use nonces (a number used just once) to allow a user to log into the site once and fail all the consecutive attempts. The nonce solution works if the user is the first one to use the URL. However, a fast attacker who is sniffing the wire can obtain the URL and immediately reset a user's TCP connection (as an attacker is sniffing the wire and knows

3835-498: The standard (the OpenID Attribute Exchange) facilitates the transfer of user attributes, such as name and gender, from the OpenID identity provider to the relying party (each relying party may request a different set of attributes, depending on its requirements). The OpenID protocol does not rely on a central authority to authenticate a user's identity. Moreover, neither services nor the OpenID standard may mandate

3900-702: The technology as they implement it. This occurred with the Wintel architecture as others were able to start imitating the software. Less open standards exist when a particular firm has much power (not ownership) over the standard, which can occur when a firm's platform "wins" in standard setting or the market makes one platform most popular. On August 12, 2012, the Institute of Electrical and Electronics Engineers (IEEE), Internet Society (ISOC), World Wide Web Consortium (W3C), Internet Engineering Task Force (IETF) and Internet Architecture Board (IAB), jointly affirmed

3965-667: The use of Open Standards, and is applicable to sovereign entities, central public administration services (including decentralized services and public institutes), regional public administration services and the public sector. In it, Open Standards are defined thus: a) Its adoption is fruit off an open decision process accessible to all interested parties; b) The specifications document must have been freely published, allowing its copy, distribution and use without restrictions; c) The specifications document cannot cover undocumented actions of processes; d) The applicable intellectual property rights, including patents, have been made available in

SECTION 60

#1732801945382

4030-519: The user's email address, and then insert an unsigned email address into the IDPs response. If the attacker relays this response to a website that doesn't notice that this attribute is unsigned, the website may be tricked into logging the attacker in to any local account." The research paper claims that many popular websites have been confirmed vulnerable, including Yahoo! Mail , smartsheet.com , Zoho , manymoon.com , diigo.com . The researchers have notified

4095-565: Was disclosed. It was discovered by mathematics doctoral student Wang Jing at the School of Physical and Mathematical Sciences, Nanyang Technological University , Singapore. The announcement of OpenID is: "'Covert Redirect', publicized in May 2014, is an instance of attackers using open redirectors – a well-known threat, with well-known means of prevention. The OpenID Connect protocol mandates strict measures that preclude open redirectors to prevent this vulnerability." "The general consensus, so far,

4160-613: Was formed in June 2007 and serves as a public trust organization representing an open community of developers, vendors and users. OIDF assists the community by providing needed infrastructure and help in promoting and supporting adoption of OpenID. This includes managing intellectual property and trade marks as well a fostering viral growth and global participation in OpenID. The OpenID Foundation's board of directors has six community board members and eight corporate board members: Community board members Corporate board members OIDF

4225-512: Was named OpenID after the openid.net domain name was given to Six Apart to use for the project. OpenID support was soon implemented on LiveJournal and fellow LiveJournal engine community DeadJournal for blog post comments and quickly gained attention in the digital identity community. Web developer JanRain was an early supporter of OpenID, providing OpenID software libraries and expanding its business around OpenID-based services. Open standard The terms open and standard have

#381618