OpenID

March 5, 2007

ongoing wrote:

OpenID

The buzz around OpenID is becoming impossible to ignore. If you don’t know why, check out How To Use OpenID, a screencast by Simon Willison. As it’s used now (unless I’m missing something) OpenID seems pretty useless, but with only a little work (unless I’m missing something) it could be very useful indeed.

Problem: TLS

The first problem is that OpenID doesn’t require the use of TLS (what’s behind URIs that begin with https:). Doing anything remotely connected with authentication over an unencrypted link where you can’t be sure who you’re talking to seems all wrong to me. I see that this subject is under discussion (here and here) in the community.

The fact that apparently-sane people think it might sometimes be OK to not use TLS makes me think there’s something obvious I’m missing. In Simon’s screencast, the pages that you type your OpenID into are unsecured; hmmm.

Problem: What’s It Mean?

Another problem with OpenID is that, well, having one doesn’t mean very much; just that you can verify that some server somewhere says it believes that the person operating the browser owns that ID.

Unless I’m missing something, as a thought experiment I could set up a bogus OpenID server at http://www.tbray.org/silly-id/, and arrange that when queried about any OpenID whatsoever beginning with that URI, it instantly provided a positive response. For example, http://www.tbray.org/silly-id/BillGates or http://www.tbray.org/silly-id/PopeBenedictXVI. None of that nasty time-consuming authentication stuff; sure would speed up logging into OpenID-supporting sites.

Problem: Phishing

This is going to be a problem, but I don’t think it’s fair to hang it on OpenID, because it’s going to be equally a problem with any browser-based authentication. Since browser-based authentication is What The People Want, we’re just going to have to fight through this with a combination of browser engineering and (more important) educating the general public.

What Could I Use It For Today?

Here’s what I think I’d be willing to do: in the commenting system here at ongoing, I’d be inclined, if I had manually approved a comment with someone who’d authenticated via OpenID, to subsequently accept further comments from that OpenID, unmoderated.

I can’t think of anything else.

Solution: TLS

Just Do It. Create a culture where traffic is simply expected to be encrypted and secure for each step in the authentication chain. If there’s anything in the protocol that makes this hard, fix it. Yes, anyone offering authentication services will have to own and manage a cert. That is the entry-level price for me taking you seriously.

Solution: Meaning Something

I haven’t actually heard anyone argue that all OpenIDs should be considered equal to all others, which is good, because that would be a profoundly silly idea.

For some given application, I might be willing to support LiveJournal OpenIDs but not those from MyOpenID; or vice versa. There might be an opportunity for some sort of independent-security-audit business, rating quality of OpenID providers. Bruce Schneier, where are you?

Once again, maybe I’m missing something, but it seems obvious that if OpenID is ever going to be much use for real work in applications that matter, there are going to be whitelists of ID Providers. Does anyone see this as a problem? If not, all the libraries out there (Ruby and Python and PHP and so on) need to have the provider-whitelist feature built in.

The Real Problem

Of course, out there in the enterprise space where most of Sun’s customers live, they think about identity problems at an entirely different level. Single-sign-on seems like a little and not terribly interesting piece of the problem. They lose sleep at night over “Attribute Exchange”; once you have an identity, who is allowed to hold what pieces of information about you, and what are the right protocols by which they may be requested, authorized, and delivered? The technology is tough, but the policy issues are mind-boggling.

So at the moment I suspect that OpenID isn’t that interesting to those people. But Web-heads like me care about Plain Old Single Sign-on, and we like identifying ourselves by URI. So OpenID might scratch a pretty big itch.

Unless I’m missing something. The reason I keep saying that is that I really am an Identity newbie. I’m sure my commenters will be diligent in pointing out where I’ve gone off the rails.
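The two fixes argued for in the post above (TLS at every step of the chain, and per-application provider whitelists) can be expressed as a relying-party policy check. This is an added example, not part of the quoted post or of any OpenID library; the function names, application names and provider hosts are constructed, and discovery and signature verification are assumed to have happened already.

```python
from urllib.parse import urlsplit

# Hypothetical per-application allowlists of provider hosts (constructed values).
PROVIDER_ALLOWLIST = {
    "comments": {"openid.provider-a.example", "openid.provider-b.example"},
    "billing": {"openid.provider-a.example"},
}


def _https_host(url):
    """Return the normalized host of an https URL, or None if unacceptable."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    # Embedded credentials can disguise the real host, so refuse them.
    if parts.username is not None or parts.password is not None:
        return None
    return parts.hostname.rstrip(".")


def check_assertion(app, claimed_id, op_endpoint):
    """Decide whether `app` should trust a positive assertion.

    claimed_id:  the URI the user typed in.
    op_endpoint: the provider endpoint found by discovery on claimed_id.
    Returns (accepted, reason).
    """
    if _https_host(claimed_id) is None:
        return False, "claimed identifier is not served over TLS"
    op_host = _https_host(op_endpoint)
    if op_host is None:
        return False, "provider endpoint is not served over TLS"
    # Exact host match: a suffix or substring test would accept lookalikes.
    if op_host not in PROVIDER_ALLOWLIST.get(app, set()):
        return False, "provider %s is not allowlisted for %s" % (op_host, app)
    return True, "ok"


if __name__ == "__main__":
    # The post's say-yes-to-anything provider, then an allowlisted one.
    print(check_assertion("comments", "http://www.tbray.org/silly-id/BillGates",
                          "http://www.tbray.org/silly-id/"))
    print(check_assertion("comments", "https://alice.example/",
                          "https://openid.provider-b.example/server"))
```

Under this policy, putting the bogus provider behind a certificate is still not enough: it passes the TLS checks but fails the allowlist for every application.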

From FF Browser

February 2, 2007

Post from FF Browser

Test

February 2, 2007


Hello

February 2, 2007



ongoing wrote:

Life Is Complicated

My goodness, even CNN picked up the story about Microsoft trying to retain Rick Jelliffe to update the Wikipedia articles on ODF and OOXML for them, just as the ISO process around OOXML is getting in gear. This raises complicated issues about document formats and transparency and conflict of interest; and there’s at least one elephant in the room.

Editing Wikipedia

This news noise prompted me to check out the relevant Wikipedia guidelines, on Autobiography and Conflict of Interest. I confess to never having read them previously, and now I feel bad, because I’ve edited my own entry a couple of times (contributing a picture is OK they say, but I’ve fixed some broken grammar and minor factual errors, which isn’t).

Worse, I’ve done a lot of editing on the Sun entry. In my defense, when I first went to work it was a disorganized, ungrammatical mess, and I’ve always edited while signed in, so it’s been transparent (if it were up to me, signing in would be a requirement for all editing). So I guess I’ll have to do any further contributing via the Discussion page. Which is OK, since I’ve noticed the editing standard has picked up recently on this page and my services are probably superfluous.

So if Microsoft thinks the articles on OOXML and ODF are inaccurate (haven’t read them in ages, I have no opinion) I think they should have someone smart, reasonable, open-minded, and from Microsoft go pitch in on the discussion page and have the necessary arguments and work out a compromise that gets the NPOV (“Neutral Point Of View”) nod from the community, and based on my experience, the result will be good.

But let’s ascend from the meta level to the document-format issues themselves.

ODF and OOXML

I was really impressed with the collaborative effort at Groklaw to give the OOXML ECMA document a thorough going-over. The objections document is interesting; valuable work, but I don’t think they turned up much that wasn’t already known.

Having said that, I still think OOXML is totally bogus; ECMA shouldn’t have gone near it and neither should ISO. The world does not need two ways to say “This paragraph is in 12-point Arial with 1.2em leading and ragged-right justification”. As I argued in 2005, if you want to capture MS-Office-specific semantics (not a bad thing in principle) the right way to do it is a namespaced layer on top of ODF.

The Elephant in the Room

[Disclosure: Rick Jelliffe has been a colleague and personal friend for at least fifteen years.] I’m a little irritated at Rick just at the moment; he’s been writing regularly over at his (excellent) O’Reilly blog about ODF and OOXML, and is resolutely ignoring the elephant in the room: the reasons that ODF and OOXML exist, and the motivations behind standardizing them. This is weird because Rick’s been doing publishing technology for a living for decades and knows these issues as well as anyone in the world. Rick’s opinion matters, because he is an “invited expert” (non-voting) member of ISO SC34, the committee that recently approved ODF and will soon be deciding whether to approve OOXML.

Let’s be blunt: ODF was standardized for both idealistic and commercial reasons. Both are easy to understand: Idealists want information to be as free as its creator wants to make it, long-lived, and re-usable. Commercially, ODF is a straightforward attempt to crack open the Microsoft lock on the business desktop and allow office-suite competition to start happening. Wait, that’s kind of idealistic too, if you believe in the benefits of free markets.

OOXML was standardized defensively because Microsoft was worried that the standardization of ODF might achieve its commercial goals, and Microsoft’s lock on the office-suite market is worth some eight billion dollars of monopoly profits (as in $8B on $11B of revenue; jeepers!) each fiscal year.

You might be able to conduct a cool-headed objective dialogue about the relative technical merits of these formats without considering the issues of freedom on the one hand and billions of dollars of commercial impact on the other, but I can’t.

What do you think about all this, Rick?

[Disclosure/Historical footnote: Those with long memories might suggest a parallel between Rick’s position and mine when in 1997, I was sitting on the XML Working Group and co-editing the spec, on a pro bono basis as an indie consultant. Netscape hired me to represent their interests, and when I announced this, controversy ensued. Which is a nice way of saying that Microsoft went berserk; tried unsuccessfully to get me fired as co-editor, and then launched a vicious, deeply personal extended attack in which they tried to destroy my career and took lethal action against a small struggling company because my wife worked there. It was a sideshow of a sideshow of the great campaign to bury Netscape and I’m sure the executives have forgotten; but I haven’t. Anyhow, I thought I had to point that out first before somebody else dredged it up, but I totally don’t think Rick’s status played in this story and I’m also 100% confident of his integrity.]

Quote WordPress

February 1, 2007

Quoted from http://10.192.37.25:85/mt/posts/Del5/2007/01/test_office_2007.html:

Del5: test office 2007

smail : Let’s Rock,debojieet,Vinit

Lakhwinder Kaur wrote:

test office 2007

From: Lakhwinder Kaur [lkaur@adobe.com]
Sent: Wednesday, January 10, 2007 11:10 AM
To: Lakhwinder Kaur
Subject: test office 2007
Attachments: image003.jpg; image004.gif; Family Trip.swf

Welcome You to Testing Post to Blog.

This Bold and Italic and Bold Italic

You can see numbers 1234567890

You can see Special characters – ,.,..\|}{}{[][][~`>!@##$%^&*()__+>,.,..\|}{}{[][][~`>,.,..\|}{}{[][][~`”

You can also see table

“>,.,..\|}{}{[][][~` “>,.,..\|}{}{[][][~`

R1C1    R1C2    R1C3
R2C1    R2c2    R2c3

You can see Image

http://sritama.wordpress.com/2007/01/10/allow-tb-1/

http://sritama.wordpress.com/2007/01/10/allow-tb-2/

http://sritama.wordpress.com/2007/01/10/allow-tb-3/

http://sritama.wordpress.com/2007/01/10/allow-tb-4/

Just Testing


Allow Tb 3

January 10, 2007


Allow TB 22

January 10, 2007
