OpenID and cross-site authentication and tracking procedures
At the behest of Boley-Bole, I’m detailing this plan for the adoption of OpenID, the development of a locally instantiated OpenID server and some security enhancements to its protocol.
To quote their homepage, OpenID is an open, decentralized, free framework for user-centric digital identity. The first piece of the OpenID framework is authentication. Today, websites require usernames and passwords to login, which means that many people use the same password everywhere. With OpenID Authentication, your username is your URI, and your password (or other credentials) stays safely stored on your OpenID Provider.
This creates a crisis of trust with the operator of the OpenID server. When run by a third party, this editable code could be easily compromised by third-party SQL/JavaScript injections, exploitations of CSS, etc., as well as by deliberate action, such as the tracking of one's browsing habits to be sold to spambots or given up by subpoena to the G-men through PATRIOT Act evilness. I therefore propose Boleman get finished with his fucking French homework and implement this forthwith. I volunteer my programmatical services in said manner.
Also, some security enhancements should be considered for addition to the server framework. As it stands, a third party could fake all the login methodology using their own software infrastructure and make false posts in your name. Spoofing in this manner pretty much defeats the purpose of the authentication system. As the framework is published under the LGPL, we can easily make some dirty modifications to the code to integrate a Perl instance of GPG on the server side to sign all comments coming through our local server. The server would store the public and private keys, encrypted locally using your OpenID authentication information, and would include a GPG signature at the end of any comment authenticated by this system. Any user could then go to a page on the OpenID server and check the signature for validity, ensuring a dedicated person could conclusively prove that a comment (or whatever the system is being used for) was definitively written by that party.
Anyways, this OpenID thing sounds like a good system (AOL is picking up on its use, as is Microsoft, if Slashdot is to be believed). It's not some obscure geeky project that merits no attention, and since I’m getting kicked out of school, I’ve got plenty of free time to hack it up.
Thoughts?
-Rob
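
The comment-signing and signature-check flow proposed above, sketched with the GnuPG command line as an added example; it is not code from the post or from any OpenID project. The OpenID URLs, the comment text and the function names are constructed, and the demo key is left unprotected where the post proposes encrypting it at rest.

```shell
#!/bin/sh
# Added example (not from the post): server-side GPG signing of comments.
# The OpenID URLs, comment text and function names are constructed.
export GNUPGHOME="$(mktemp -d)"          # throwaway keyring, never ~/.gnupg
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

ROB="https://rob.example.org/"           # constructed OpenID identifiers
MALLORY="https://mallory.example.net/"

# One signing key per identity, with the OpenID URL as the key's user ID.
# Unprotected for the demo; the post proposes encrypting the key at rest.
create_identity_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" ed25519 sign never 2>/dev/null
}

# stdin: comment text. stdout: the comment with a clearsign signature appended.
sign_comment() {
    gpg --batch --quiet --local-user "$1" --clearsign 2>/dev/null
}

# stdin: signed comment. Succeeds only if the signature is good AND was made
# by the key that belongs to the claimed identity in $1.
verify_comment() (
    status=$(gpg --batch --status-fd 1 --verify 2>/dev/null) || exit 1
    fpr=$(gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
          awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || exit 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:] VALIDSIG $fpr "
)

create_identity_key "$ROB"
create_identity_key "$MALLORY"
SIGNED=$(printf '%s\n' 'Meet at noon for lunch.' | sign_comment "$ROB")

printf '%s\n' "$SIGNED" | verify_comment "$ROB" &&
    echo "genuine comment: accepted"
printf '%s\n' "$SIGNED" | sed 's/noon/midnight/' | verify_comment "$ROB" ||
    echo "edited comment: rejected"
printf '%s\n' "$SIGNED" | verify_comment "$MALLORY" ||
    echo "right text, wrong claimed author: rejected"
```

Because the private key lives on the server, a good signature shows that this server signed the comment for that identity; checking the signer's fingerprint against the claimed author is what stops a valid signature from one account being presented under another name.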