Today NRK, the Norwegian Broadcasting Corporation, decided to become an OpenID provider in the near future.
The Norwegian public service broadcaster needs to register users for comment and discussion services, access to geo-restricted video material, blogs and other things. The growth in user-generated material, interaction with users and increased flow across NRK's various content platforms raises the issue of a single sign-on system, and the OpenID framework, which is «an open, decentralised, free framework for user-centric digital identity» (quoting the OpenID project), is considered to fulfil most of NRK's needs.
OpenID can be implemented on two levels: you can choose to become a «relying party», accepting OpenID credentials issued by third parties, or you can go all the way and become a «provider».
NRK has chosen to become a provider, seeing the need for a national provider with a certain size and level of trust. The general public in Norway has a high degree of trust in its national broadcaster (in the last survey 95% found us «quite» or «very» trustworthy), and NRK finds it timely to leverage this trust for a common open sign-on system and sees it as a natural part of being a public service body in the 21st century.
Some notable users of OpenID are the BBC, Yahoo and AOL, while Google, for instance, has joined the OpenID Foundation without yet implementing it.
NRK will probably be able to implement it during autumn 2008.
For more info on OpenID, there is an article on the subject on Wikipedia. The article is unfortunately quite technical; we hope our erudite readership can help make it more readable.
Hmm, does this mean that NRK will only provide, and not consume, OpenIDs?
The big problem (and I did point this out in an earlier comment on nrkbeta) with BBC, Launchpad, Yahoo, AOL and, possibly, Google (well, I guess it applies to almost every site which proudly advertises its OpenID support) is that they are all providers, not consumers.
If I can't log into Yahoo or BBC with an OpenID from AOL, then there is no point in OpenID whatsoever, and that's very sad, 'cause the concept is great.
Anders Hofseth (NRK)
NRK will both provide and consume OpenIDs. Our primary need is to consume OpenIDs, but we have decided to be a provider as well, as we feel it's important to have a trustworthy national provider to gain some speed in the implementation of OpenID.
Hope this de-saddens you.
It does indeed! Thanks.
So, what are the URIs going to be? meg.nrk.no/username or meg.nrk/username?
Don't know yet; what are the pros and cons of each in your book?
myopenid.com is a good inspiration source.
In my opinion, the easier the url is to remember, the better.
meg.nrk? Did they (the domain organisation, don't remember their name) finally approve loosening the domain suffixes?
@Mats: Yes, they did.
Fantastic news! I think it’s even more fantastic that you’re going to consume OpenID’s than to provide, but doing both is just outstanding! Really! 🙂
Now to the technical and gritty part. I agree that MyOpenID is a great source of inspiration. They support a lot of the optional features and employ sign-in via digital client certificates and not only usernames and passwords (which are less secure). Everybody involved in the OpenID project at NRK should register on MyOpenID to see what I feel most people regard as one of the reference implementations of OpenID looks like. Perhaps you can even outdo them? 😉
I also agree with Mats in that the easier the URI is to remember, the better. If possible, try to find something that works internationally. NRK’s OpenID won’t only be used to sign in to Norwegian web sites. If you avoid words like «my» and «meg» you might get something language agnostic. username.id.nrk perhaps? (Is .nrk indeed a valid TLD?)
To make the URLs as short as possible, I think you guys should take inspiration from Yahoo's use of 'directed identity'. Yahoo users can simply enter 'yahoo.com' to log in to OpenID-enabled websites, and the web service will inform the consumer during the login process what the user's real, unique OpenID address is. Maybe they can log in with just 'nrk' or 'nrk.no'. ^_^
With OpenID 2.0 you can do it: to use a Yahoo OpenID, just type yahoo.com.
Odin / Velmont
BLOODY GREAT! This is the biggest single gold star NRK has ever earned in my book, apart from being the best Norwegian TV channel, that is. This beats Radio Røynda, Audhild Gregoriusdottir Rotevatn, Ingolf Håkon Teigene and the day I discovered you had podcasts.
English translation: Nice! (:P)
A big thank you to all of you so far; we'll be testing out everything you suggest as soon as the all-too-short Norwegian summer is over. In the meantime enjoy the grey skies, the occasional rain and accidental short spells of sun, and keep the hints coming.
@Jenna Fox: Another option to consider is ID Selector (www.idselector.com). This universal login widget lets the user just pick their OpenID provider the first time and enter their user name (not the full OpenID URL). ID Selector remembers your preferences and then provides «single click login» on return visits. It's free and takes about 5 minutes to install and configure.
As authentication, OpenID is a *bad* joke!
What you are saying is «Hi, I'm Hans Hansen, and if you doubt that, you can check !»
The problem is that the place the service is referred to for confirmation can be anything whatsoever, including a website controlled by Hans Hansen himself.
If that is even his name, that is... It could be a Jens Jensen who runs this website, who passes himself off as Hans Hansen, and who *himself* confirms that «Hans Hansen» is a real user, but it's a bluff all the way; there is no «Hans Hansen». At least not one who has submitted posts to nrk.no. Only someone who has claimed that name and then confirmed his own name himself...
OpenID provides *zero* security in authentication; it's a total bluff! The only value OpenID has is saving you a few keystrokes when you log in.
@j b We're aware that OpenID doesn't tell us the true identity of users, as you point out, but it does offer a more practical way of handling the sign-on process for users. For services where we have to verify people's identity, we'll be using SMS verification of accounts, just like we do today. We haven't dived into the fine detail yet, but for services like debate, the user might, for instance, be offered the option of verifying in order to publish without pre-moderation.
Øyvind Solstad (NRK)
@j b As Anders points out – the value of OpenID is to let users have the same logon for different services, not being a system to verify who they are.
Many users have a tendency of using the same password everywhere, which means they have to change that same password everywhere if they want to change the password. OpenID changes that. One logon – one password.
We are aware that you actually can set up an OpenID service yourself, and claim to be someone. Just as with most other services.
I looked at OpenID some time back (for some dedicated purposes) and found it lacks the security needed for authentication.
But surely OK for logging in to a blog (which is the level of security it was designed for). For the third parties involved there were also other security issues (like who do you trust). In short: OpenID is lightweight security (which might be sufficient for you, but does everyone want to have an OpenID?).
Regarding SMS for authenticating/verifying users: you should not limit it to Norwegian mobile numbers. Some have other (non-Norwegian) operators and some use internet-based solutions. You limit your user group, and your users' preferences, by requiring phone numbers to be 8 digits.
@Daniel (So, what are the URIs going to be? meg.nrk.no/username or meg.nrk/username?)
@Anders Hofseth (don’t know yet, what are the pros and cons for the respective in your book?)
The «http://meg.nrk/username» is not possible as nrk is not a TLD-name.
@Britt Actually it is possible to register your own TLD name, but it costs «digre kuer og griser» (Norwegian idiom: a fortune).
.id should be a tld for openID-providers:D
It is fall..when can I sign up?
I think a lot of people mistake OpenID for something it isn't. OpenID is about authentication, not authorization. It's not here to solve any security issues, but to solve convenience issues with regard to having to remember a million different logins for a million different websites. With OpenAuth we're moving in the direction of getting better security too, and with a good and solid OpenID provider you will get better security than you will from a random forum website wanting your username and password (which you might have reused on a number of other websites).
With OpenID you only need one login for every website on the world wide web. If that isn’t a step in the right direction, I don’t know what is. I’m not saying OpenID is the final step to authentication nirvana, but it’s here and it works. Let’s start using it so we can come up with great extensions and new protocols to become more secure and better authorized online. Keeping the million logins system we have today is the worst thing we could do.
@Knut-Olav Hoven («actually it is possible to register your own TLD name, but it costs “digre kuer og griser”»)
A TLD is not «a name» but a Registry for a TLD, which has to follow a range of mandatory regulations and policies. You cannot «register» a TLD.
ICANN (the governance body of the Internet) will publish an RFP (request for proposals) for new gTLDs (global TLDs) later this month.
The price for participation might be around 50,000 to 100,000 US$, and that is only to get your proposal processed (evaluated) by ICANN.
You have to describe how you will organise the TLD Registry (hardware, software, staffing, redundancy and high availability, data escrow, call centres and support, naming policy, legal issues, policies, etc.), you need a financial institution (company) behind you, and you have to document why you want to do this and how it will add value to a larger community. There is a broad push for IDN TLDs (TLDs written in non-Latin characters) and new ways to use TLDs (it could be larger, international companies; as a guess, some like IBM, Yahoo, Google, eBay, …).
The cost of this is millions, and you need some larger capital and visions behind you to pass through this.
It is a misinterpretation to believe that it is possible to register your own TLD. It is not, and it has, so far, not been considered.
@ Asbjørn Ulsberg
OpenID has a range of security issues, and it was not meant to be used as high security.
It was designed as lightweight security, for logging in to blogs. And that's about what you can use it for.
Here are just a few things I found listed:
* Phishing Attacks – this is probably the biggest concern when dealing with OpenID. Users may be tricked into providing their credentials to 3rd-party websites.
* Man-in-the-middle Attacks – the connection is negotiated over DH (Diffie-Hellman), which is subject to interception attacks. Ensure that you are using HTTPS.
* Replay Attacks – the URL from the relying party can be sniffed, unless over HTTPS, and as such be replayed. This is not that critical, since if the attacker can sniff the wire/wireless they can just as easily wait for the authentication to complete and then steal the session identifier.
* CSRF Attacks – once the user is logged in, attackers might be able to execute a series of CSRF (Cross-site request forgery) attacks against the identity provider or other sites where the user is logged in. OpenID makes authentication easier, so why don't we log in everywhere?
* XSS Attacks – once the user is logged in, attackers might be able to execute a series of XSS (Cross-site scripting) attacks against the identity provider, in which case they will be able to hijack the user's entire online presence, or against other sites, in which case the attacker will be able to gain access to the session. Again, OpenID makes authentication easier, so why don't we log in everywhere?
* Miscellaneous Attacks – all other types of Web attacks are applicable to OpenID clients and servers. The only difference is that the result may turn out to be quite devastating.
Anyone can, through DNS, request your URL/OpenID – but you might not want to publish for the world what you use OpenID for.
Neither do you want a 3rd. party to track you all over the internet. Privacy is a matter for the consumer. Or at least it should be.
So what does it solve? We already have a password manager in the browser which automatically keeps track of usernames and passwords.
OpenID does NOT give security. It is a lightweight method with a range of flaws.
But it helps 3rd parties track your movements so they can profile you (and sell the information for ad purposes), and it helps domain name resellers sell some more names/IDs.
(Authorization has not been even mentioned…)
Remember MSPassport? Big crap.
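Two technical points in the thread deserve a concrete illustration: the «directed identity» flow mentioned above (the user types only the provider's name, and the provider reports the real identifier back), and the replay and man-in-the-middle items in the list just above, which the OpenID 2.0 specification addresses on the relying-party side through the signed return_to and response_nonce fields. The following is an added example written for this page in Python; it is not code from NRK, MyOpenID or the OpenID project. The OP endpoint id.nrk.example/server, the association handle and MAC key, the nrkbeta.example return URL and the DISCOVERY table (standing in for Yadis/HTML discovery) are all constructed assumptions.

```python
import base64
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Hypothetical association the RP established earlier with openid.mode=associate.
# The MAC key is normally agreed over Diffie-Hellman; here it is a constructed constant.
ASSOC_HANDLE = "assoc-demo-1"
MAC_KEY = b"\x42" * 32                          # HMAC-SHA256 association key (constructed)
OP_ENDPOINT = "https://id.nrk.example/server"   # hypothetical OP endpoint found by discovery
# Constructed stand-in for Yadis/HTML discovery on a claimed identifier.
DISCOVERY = {"https://id.nrk.example/alice": OP_ENDPOINT}
# Fields that must be covered by the signature whenever they are present (spec 10.1).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle",
                   "claimed_id", "identity"}

def directed_identity_request(return_to, realm):
    """RP redirect when the user typed only the OP's name: both identity fields are
    identifier_select, so the OP chooses the concrete identifier and reports it back."""
    params = {"openid.ns": OPENID2_NS, "openid.mode": "checkid_setup",
              "openid.claimed_id": IDENTIFIER_SELECT, "openid.identity": IDENTIFIER_SELECT,
              "openid.assoc_handle": ASSOC_HANDLE, "openid.return_to": return_to,
              "openid.realm": realm}
    return OP_ENDPOINT + "?" + urlencode(params)

def kv_form(fields, signed):
    """Key-Value form of the signed fields, in the order given by openid.signed."""
    return "".join(f"{key}:{fields['openid.' + key]}\n" for key in signed.split(","))

def compute_sig(fields, mac_key):
    mac = hmac.new(mac_key, kv_form(fields, fields["openid.signed"]).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")

def make_nonce(now, unique):
    """OP-side response_nonce: UTC timestamp followed by unique characters (spec 10.1)."""
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)) + unique

def op_positive_assertion(claimed_id, return_to, nonce, mac_key=MAC_KEY):
    """What the OP appends to return_to after the user has logged in (openid.mode=id_res)."""
    fields = {"openid.ns": OPENID2_NS, "openid.mode": "id_res", "openid.op_endpoint": OP_ENDPOINT,
              "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
              "openid.return_to": return_to, "openid.response_nonce": nonce,
              "openid.assoc_handle": ASSOC_HANDLE,
              "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"}
    fields["openid.sig"] = compute_sig(fields, mac_key)
    return fields

class NonceStore:
    """Rejects a response_nonce that is stale or was already accepted from this OP (replay)."""
    def __init__(self, max_skew=300):
        self.seen, self.max_skew = set(), max_skew

    def check_and_store(self, op_endpoint, nonce, now):
        try:
            issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
        except ValueError:
            return False
        if abs(now - issued) > self.max_skew or (op_endpoint, nonce) in self.seen:
            return False
        self.seen.add((op_endpoint, nonce))
        return True

def return_to_matches(return_to, request_url):
    """openid.return_to must match the URL that actually received the response, and every
    query parameter in return_to must be present in the request with the same value."""
    exp, act = urlsplit(return_to), urlsplit(request_url)
    if (exp.scheme, exp.netloc, exp.path) != (act.scheme, act.netloc, act.path):
        return False
    actual_q = dict(parse_qsl(act.query, keep_blank_values=True))
    return all(actual_q.get(k) == v for k, v in parse_qsl(exp.query, keep_blank_values=True))

def verify_assertion(fields, request_url, nonces, now, mac_key=MAC_KEY, op_endpoint=OP_ENDPOINT):
    """RP-side checks on a positive assertion; returns (ok, reason, claimed_id)."""
    if fields.get("openid.ns") != OPENID2_NS or fields.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion", None
    if fields.get("openid.op_endpoint") != op_endpoint:
        return False, "assertion did not come from the discovered OP endpoint", None
    if not return_to_matches(fields.get("openid.return_to", ""), request_url):
        return False, "return_to does not match the receiving URL", None
    signed = set(fields.get("openid.signed", "").split(","))
    present = {k[7:] for k in fields if k.startswith("openid.")}
    if not (REQUIRED_SIGNED & present) <= signed:
        return False, "a required field is not covered by the signature", None
    if fields.get("openid.assoc_handle") != ASSOC_HANDLE:
        return False, "unknown association handle", None  # spec: fall back to check_authentication
    if not hmac.compare_digest(compute_sig(fields, mac_key), fields.get("openid.sig", "")):
        return False, "bad signature", None
    if not nonces.check_and_store(op_endpoint, fields.get("openid.response_nonce", ""), now):
        return False, "stale or replayed response_nonce", None
    claimed_id = fields.get("openid.claimed_id")
    # Directed identity: the OP chose claimed_id, so the RP must run discovery on it and
    # confirm the identifier is really served by this OP (spec 11.2) before trusting it.
    if DISCOVERY.get(claimed_id) != op_endpoint:
        return False, "claimed_id does not resolve to this OP", None
    return True, "ok", claimed_id
```

The order of the checks matters in practice: the op_endpoint and return_to comparisons stop an assertion minted by some other provider or redirected to a different site, the signature check (over every security-relevant field, using a constant-time comparison) stops tampering with claimed_id or return_to in transit, and the nonce store is what turns a sniffed response URL into a one-shot token rather than a reusable login. None of this protects the user's password on the provider's own login page; that is the phishing item in the list, which these checks cannot address.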
@JC RE: .id should be a tld for openID-providers
2-letter TLD names are reserved and only assigned to countries.
.id is assigned to Indonesia.
2-letter names are also not allowed as second-level names, so id.TLD would not be possible either.
@Britt: What do you mean by «second level name»? Do you mean normal domain names (e.g. example(.com))? Two-letter domain names are allowed.
Practical Open Source services for Norwegian students
[…] has also built a proof-of-concept service that connects the Feide solution to OpenID, which NRK will soon be offering. This means that all students and staff can use their university account as an OpenID against all […]
A second level domain (SLD) is what you called a «normal domain name» (such as 'example' in example.com).
Two-letter SLD names are reserved by IANA/ICANN. For historical reasons you will find some such names, but you will not be able to register new two-letter names in any gTLD (generic TLD, like .com, .net, .org, …).
Two-letter names are reserved for country codes (ISO 3166-1 alpha-2) and other purposes as SLD names.
The text goes like this: «All two-character labels shall be initially reserved. The reservation of a two-character label string shall be released to the extent that the Registry Operator reaches agreement with the government and country-code manager, or the ISO 3166 maintenance agency, whichever appropriate.The Registry Operator may also propose release of these reservations based on its implementation of measures to avoid confusion with the corresponding country codes.»
You can check each ICANN/TLD agreements here: icann.org/en/registries/agreements.htm
For example this one: icann.org/en/tlds/agreements/unsponsored/registry-agmt-appk-26apr01.htm
So how does NRK intend to secure one's ID?
Or is this purely a student project?
Sorry, wrong language and no delete button:
How are you going to get around the security issues?
Britt, first of all, you can't compare OpenID with Microsoft Passport. They are not alike in any way at all. They are different in just about every way. Passport was owned by a proprietary vendor, was closed source, had to be licensed for a lot of money, required DNA to develop against, locked users into Microsoft's service and was not compatible with any open source licence in existence.
OpenID is as secure as the servers you use it on. If the provider is insecure, your OpenID is insecure. If the relying party is insecure, your OpenID might be exploited on that particular website. Since you haven't shared any credentials with the relying party, it can't abuse your identity for anything but its own service. With OpenID you are reducing your online credential attack surface, especially if you're using a highly secure provider like MyOpenID.
I'd much rather leave my credentials in a place that uses a strong SSL-encrypted connection with 1024-bit client-certificate-based authentication than a username and password served over an unencrypted HTTP request to a flimsy blog or whatnot. When that blog's user database is cracked open and the crackers have my username and password, they can log in to just about any other website out there sharing the same username and password. Don't tell me all web users are using unique usernames and passwords across the hundreds of websites they authenticate with every day, because you and I both know that's not the case.
@ Asbjørn Ulsberg
I did not compare MS Passport with OpenID.
I said it was crap. Single sign-on on the public internet is (so far) crap. 🙂 (But MS Passport in particular.)
The security issues with OpenID are not related to the «server you use it on», but to the fact that it is application-level security, and lightweight by nature. OpenID was not designed for anything else than that.
For security, any security, you never, ever, put trust on relays – you need a secure protocol which does not permit intermediates to interfere. You will even never know who the relays are. MyOpenID has nothing to add, in terms of security. It is just yet another provider.
The secure socket level encryption is needed (as I wrote above) but that is not related to OpenID only. You can use SSL for any session negotiation, any application.
A normal web browser has identity management, so you do not need to remember your hundreds of different usernames. The good thing is that your browser can keep track of this, and you do not need to remember it 🙂
OpenID is a good concept. But not for single sign-on.
And only for lightweight security where an exposure does not do lots of harm.
But it does open the door to phishing and ID-theft attacks.
A last thing, which is related to single sign-on in general but OpenID in particular, is that your ID provider keeps logging all your movements on the internet. This is a grandiose privacy threat, and one which is not even addressed here. You should think about the privacy issues related to tracing people's movements, as is done by any kind of single sign-on.
Otherwise, for the OpenID security problems, I suggest you read the mailing lists related to this topic. I did follow the OpenID security mailing list for more than a year, and do not think anything new has happened. DNSSEC will not solve all problems, BTW.
OpenID is fine, but for what it was designed to do. Nothing else.
What I did ask was: how do you address the underlying security threats, and how do you guarantee privacy with OpenID?
(as this is not solved …)
Britt, neither I nor anyone else I’ve ever heard speak about OpenID claims that it is a silver bullet for online authentication. It does what it does, just as you say, and it does it efficiently in an openly standardized way, interoperable to everyone who wants to participate in the ecosystem.
Not a single authentication system in existence, including the horrendous BankID employed by Norwegian banks, is free of security threats. Most of them are in fact plagued by the exact same threats as OpenID, specifically with regard to MITM-attacks on DNS. OpenID does not solve this and neither does any other authentication system I know of.
Nobody can with 100% confidence guarantee 100% privacy. All software ever written contains bugs. Bugs may lead to security issues exposing the system to attacks. Unless you require physical appearance and a full DNA- and biometric profile of the person trying to log in to your system, it’s going to have potential security issues. Even biometric scanners have been spoofed with nothing more than gummy bears.
You get away with the DNS-based attacks if you do in-bound and local authentication, but with that you’re open to a range of other serious threats, especially if you’re storing the credentials in the all too common phpBB database or something similar.
If you have a solution that fixes all of the underlying issues of OpenID and at the same time is not affected by any of the security risks involved, I believe the entire Internet is all ears to what you have to say. I don't believe that this is the case, however. What I do believe is that no matter which authentication scheme you choose, you are going to face security threats one way or the other, and you have to balance these threats against the functionality the scheme is offering.
Now there is even a specification answering almost all of the issues you list, Britt. OpenID PAPE will mitigate the MITM and DNS spoofing attacks as well as a range of other attack vectors. If you have any comments about it, I am more than confident the OpenID community would like to hear them.
Let’s stick to the topic and not move focus to person. The topic is OpenID and security related to OpenID. We are not talking about banking security (which needs and uses higher level of security).
As a side note, your link is to an old draft (several newer drafts have come out later).
To use OpenID you need to build security around it (SSL is also mentioned in OpenID's documents).
If you use this, you don't need to use OpenID, but you use OpenID for obtaining single sign-on. And single sign-on is a controversial issue:
While single sign-on within a (closed) group is highly beneficial (for example within a company or a closed community), single sign-on used widely on the public internet is a threat to privacy. You can read about it for example here: «The problem(s) with OpenID».
idcorner.org/2007/08/22/the-problems-with-openid/ and evan.prodromou.name/OpenID_Privacy_Concerns .
Of course you can have several OpenIDs. But then it is easier to let the browser manage the usernames and passwords you use for different service providers.
On the other issues you bring up: yes, there are situations where privacy has to be guaranteed, and there are other security mechanisms. Spoofing is one of the easiest things to prevent, but again, let's stick to the topic.
If you want to bring in other issues, please be specific; odd remarks such as «the entire Internet is all ears» do not lend credit… 😉
Not that it matters but I am not a novice on the topics in question.
NRKbeta tests Facebook Connect
[…] note that you can use OpenID to log in with. NRK is going to support OpenID both one way and the other. And we have started using it here on NRKbeta […]
Hi there. How has the experience with OpenID been? Time to follow up with an article for those of us who are interested in this and not necessarily in what's newest in DSLRs?
Here, if so, is some useful reading to kick the debate off again: rmzlablog.blogspot.com/2009/01/has-openid-lost-its-mojo.html
I sincerely hope that NRK will come up with a very solid story and basis for actually becoming an OpenID identity provider. There are lot of implications from such an effort. You need to come up with a story that I can believe in, at the moment I have serious doubt that it will give any value at all. I think it will have negative consequences.
OpenID has more identity providers than actual services where you can use your ID … that’s what it looks like today.
Øyvind Solstad :»Many users have a tendency of using the same password everywhere, which means they have to change that same password everywhere if they want to change the password. OpenID changes that. One logon – one password.»
One login and one password is the devil. That means if that single identity is stolen, anyone can access my whole digital life. If I'm stupid enough to use OpenID for anything other than blog posts, the identity thief can potentially read my e-mail, download my documents, spam my friends and generally create problems for me.
You don't fix the problem of individuals using the same password everywhere by creating an OpenID ecosystem with many identity providers, none of which you have any idea you can trust (which I think is where NRK wants to come in and be a «trusting partner»).
There are serious privacy and security issues related to OpenID and I’m not convinced yet.
Local computer password managers are currently a much better (secure) solution and different password for different services ensures you won’t be hit too hard when trouble happens.
The ideal solution would simply be: *.id.no
Where the * would be johnsmith so the full id would be: johnsmith.id.no
Unfortunately some squatter is currently sitting on id.no
which is a huge shame as id.no would be «neutral» as far as a name goes. I assume that NRK would like to provide openid to all citizens, so a neutral (and short) domain like id.no would be ideal, and would not have any issues if NRK decided to co-run or even hand it over to the government or a neutral organization in the future once it’s more established and bigger.
Although who knows, maybe whomever holds id.no might be willing to hand it over «at cost» only. (yeah right, greedy bastards all those squatters)
In any case, a neutral domain would be best, as that would make it more broadly usable. Although *.id.nrk.no is not that bad, it «is» longer, and looks NRK-specific, which I'm sure is not the actual intention.
A neutral domain for this might even allow for some government funding once it really starts to take off.
Nrk goes «facebook id»
You have a way with words Krunk, and you seem good at necroing threads.
But thanks for bringing this to my attention.
In the thread you are referencing they also mention they will make version 0.2 of the TVTalk app work with OpenID (in a reference to my posts, actually).
But the whole OpenID provider project seems to have died off a bit; maybe this will get it going again?
You really should work more on your eloquence though 😉
But you be the whip, and I'll be the carrot!
Øyvind Solstad (NRK)
@Krunk: You’re entitled to your own opinions on all our projects and articles. But you are very close to the limit in terms of what is ok to say here. Start behaving when posting comments or your comments will be deleted. Without further warning.
@drone: Yes, you’re right, the OpenID project has been slow and I’m not sure why. I’ll try to find some info.