
February 6, 2007

Big worry: Microsoft supports OpenID

By Gareth Powell





Bill Gates tells us that Microsoft is getting behind OpenID. But whatever happened to Steve Ballmer and all of that happy crew that were taking over from Chairman Bill Gates? To allow him to run his tremendous — and let no one ever understate the astounding commitment he has made in time and money — charity with Melinda, his wife who is smart as a whip.

The answer is, perhaps, that Bill Gates does not feel that Microsoft has the right front man while that Spawn of the Devil, that Silver Tongued Loquacious Beast, Steve Jobs is running Apple.

So it is Bill Gates — who is fluent, articulate and with a sort of nerdy persona which works pretty well — that tells the world that Microsoft is getting behind OpenID, an emerging Web authentication standard. (He has had much experience with personal identification systems as the pictures above show.)

Being as polite as possible, this is a very, very iffy standard, and not too much should be made of the promise that Microsoft will work to integrate OpenID with its CardSpace identity management software, which you can think of as a Vista sub-routine.

In theory OpenID is an emerging open-source standard that simplifies the task of logging on to many different Web sites.

The difficulties fraught in that statement take the breath away.

What it is saying is that if you use this open system you can forget about log-in passwords and replace them with strong, certificate-based authentication techniques like smart cards.

(If you do not have different and complicated passwords your wife can read your emails. I know this from bitter experience.)

There are some who say this new open system also has the potential to help users guard against phishing scams and related forms of online fraud.

There are others — a wretched, suspicious, querulous majority who should be ashamed of themselves — who see it as an open invitation to phishers and online scam artists everywhere.

I am in that wretched, suspicious, querulous majority.

Gates said Microsoft would support OpenID 2.0 in conjunction with CardSpace, a feature similar in nature to OpenID that is built in to Windows Vista. CardSpace seeks to make managing digital identities easier and safer by replacing usernames and passwords as the means of identifying oneself on the Web.

Bill Gates said: ‘Passwords are not only weak. Passwords have a huge problem. If you get more and more of them, the worse it is. We see smart cards … [and] certificates in general as the way these things should go. You’ll be presenting certificates as opposed to weak passwords.’

Bill, you do not really believe this hype? Please tell us it ain’t so. You must know that chip and pin credit cards have already been happily hacked in Britain and, for all I know, elsewhere. My mother taught me never to play with cards on a Sunday. The way things are these days she could have said any day of the week.

Microsoft hopes to drive the adoption of smart cards with the launch of its Identity Lifecycle Manager 2007. It is not here yet. Possibly sometime in May or a little later. It may not be one of the darling buds. And, no, Microsoft did not create it. Microsoft is not in the creation business. It is in the buy-it-and-brand-it-and-arguably-improve-it business.

Microsoft bought Alacris with the company’s Identity Integration Server. That is roughly what you will be getting running smart cards on Microsoft networks.

None of which is very original, very thrilling or very leader-like. (On the other hand it is not Steve Ballmer giving his monkey dance.)

Bruce Schneier, chief technology officer with BT Group PLC’s Counterpane unit, spoke for most attendees when he said, ‘This was the most content-free presentation I’ve seen at RSA in years. My guess is that most people in the room could have given that talk because it’s where we all want to go.’

Yes, sunshine. But most people in the room are not Bill Gates. There is a difference.


    3 Responses to “Big worry: Microsoft supports OpenID”

    1. Kaliya Identity Woman:

      You know it is interesting that you quote this….

      Bill Gates said: ‘Passwords are not only weak. Passwords have a huge problem. If you get more and more of them, the worse it is.

      and then ask ‘do you believe this.’ I think it would be fair to say the OpenID community agrees with this and it is one of the reasons they created OpenID in the first place to reduce the number of UserName/Passwords that folks have to manage.

      With OpenID users get to choose the strength of authentication they want at their Identity Provider. CardSpace is one option they now will have explicitly available.

      I see this announcement as positive and invite you to the next Internet Identity Workshop to meet the Microsoft Identity guys and the OpenID guys and contribute to the overall collaboration in the identity space.

    2. Eddy Nigg:

      OpenID is as strong as the weakest IDP (provider), at least in respect to sites which should use it as a form of authentication. Since everybody can be his own IDP and install such a server it’s almost useless.

      The only useful implementation can be, if used on a set range of known sites, which deal only with one known IDP. However this isn’t the ultimate goal of OpenID…It’s really becoming dangerous out there… ;-)

    3. barryd:

      Wow. How many ways could you get it wrong. Let’s see;

      “What it is saying that if you use this open system you can forget about log-in passwords and replace them with strong, certificate-based authentication techniques like smart cards.”

      Bzzt. OpenID really doesn’t even touch on smartcards; it’s a URL based scheme with the addition of an identity provider. There’s no smart cards, there’s no certificates (well unless you count HTTPS certificates)

      You have it right when OpenID is very open to phishing by its architecture. You must send a site your OpenID. It then redirects you to your identity provider so you can login. So, I can have a simple site which I say is protected by OpenID. You attempt to login and instead of directing you to your identity provider I direct you to my phishing site. Even better if I don’t have a phishing site prepared to look like your IP, well I know who it is, I can scrape in real time and fake it. CardSpace sits in the middle of this, acting as the login provider and getting details from the IP, reducing phishing potential greatly.

      Additionally an identity provider can choose to issue a managed card which may be protected by a smartcard, if they wish. How exactly does this relate to chip & pin? Oh that’s right it doesn’t. Chip & Pin has been “hacked” with fake machines and a rather convoluted “submit transaction at exactly the same moment” attack. With your PC or Mac you are controlling it, you should know if it’s safe. Under Windows (and CardSpace isn’t just in Vista, but hey you’ve gotten it wrong so far, what’s another problem) CardSpace pops up in a “secure” desktop, so it’s going to be rather hard to subvert. There’s bugger all here driving smartcards as a necessity for CardSpace; that’s up to the managed card issuer, and your average every day blog ID provider is not going to ask all their users to go get hardware to login.
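The second response argues that a relying party is only as strong as the identity providers it accepts. As an added example (not code from this post or from any OpenID library), here is how a relying party could enforce a fixed set of trusted providers before it verifies the signature and nonce. The `openid.*` field names are those of OpenID 2.0; the URLs, the allowlist and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumed allowlist: the only identity providers (OP endpoints) this site accepts.
TRUSTED_OP_ENDPOINTS = {"https://id.example.org/openid/server"}
# Fields OpenID 2.0 requires in openid.signed (the last two only if present).
ALWAYS_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
SIGNED_IF_PRESENT = {"claimed_id", "identity"}

def canonical(url):
    """Normalise an https URL for comparison; return None for anything else."""
    try:
        p = urlsplit(url)
        port = p.port
    except ValueError:
        return None
    if p.scheme != "https" or not p.hostname:
        return None
    if any((p.username, p.password, p.query, p.fragment)):
        return None
    netloc = p.hostname if port in (None, 443) else f"{p.hostname}:{port}"
    return f"https://{netloc}{p.path or '/'}"

def check_assertion(params, expected_return_to, trusted=TRUSTED_OP_ENDPOINTS):
    """Policy checks to run before signature and nonce verification."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    endpoint = canonical(params.get("openid.op_endpoint", ""))
    if endpoint is None:
        return False, "op_endpoint missing or not https"
    if endpoint not in trusted:
        return False, "identity provider not on allowlist"
    must_sign = ALWAYS_SIGNED | {f for f in SIGNED_IF_PRESENT if f"openid.{f}" in params}
    unsigned = sorted(must_sign - set(params.get("openid.signed", "").split(",")))
    if unsigned:
        return False, "fields not covered by signature: " + ",".join(unsigned)
    if params.get("openid.return_to") != expected_return_to:
        return False, "return_to mismatch"
    return True, "policy ok"

# Constructed sample assertion (not captured traffic).
RETURN_TO = "https://blog.example.com/openid/return"
SAMPLE = {
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://id.example.org/openid/server",
    "openid.claimed_id": "https://id.example.org/users/alice",
    "openid.identity": "https://id.example.org/users/alice",
    "openid.return_to": RETURN_TO,
    "openid.response_nonce": "2007-02-06T12:00:00Zabc123",
    "openid.assoc_handle": "constructed-handle",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}
```

A self-hosted provider such as `https://my-own-idp.example.net/server` is rejected by this policy even when its assertion is correctly signed, which is the trade-off the commenter describes.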
