	cosign-discuss at umich.edu
	general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: New Open Source Single Sign-On System: OpenID

To: Kyle Mulka <mulka@xxxxxxxxx>
Subject: Re: New Open Source Single Sign-On System: OpenID
From: Mark Montague <markmont@xxxxxxxxx>
Date: Wed, 3 Aug 2005 10:40:41 -0400 (EDT)
Cc: cosign-discuss@xxxxxxxxx
In-reply-to: <42F03C2C.6090208@umich.edu>
References: <42F03C2C.6090208@umich.edu>

On Tue, 2 Aug 2005, Kyle Mulka wrote:

Just thought I would make you all aware of another open source single sign-on system in development. http://www.livejournal.com currently uses it.
It is called OpenID and is explained here:
http://openid.net/


[ Disclaimer: I'm at UofM but I'm don't work for the same people that the
cosign development team works for.  I'm mostly just a user of cosign. ]

Actually, as the web site says, this is a decentralized identity
system, not a single-sign-on system.  You do have to log in for
each host you visit, although you do so with just your URL instead
of a username/password pair.  I haven't looked at the protocol
in depth, so there may be other really significant differeces too.

The level of proof of identity is fairly low -- it just says whether
or not you "own" a URL, and so it's much closer to cosign's Friend
functionality than it is to cosign itself.  (cosign Friend just
assures you that the person who is visiting owned a particular
email address at the time their Friend password was set, or otherwise
got access to the password).  For non-Friend users, cosign will
verify passwords via Kerberos, or BasicAuth, and you can use KX.509
certs as an alternative to these, providing a much higher level
of protection (assuming that everyone trusts the weblogin server
and Kerberos server, of course).

Unlike cosign, OpenID will not actually get any Kerberos / GSSAPI
credentials for you.

The "real" alternative to cosign is Pubcookie, which is also
open source:  http://pubcookie.org/   cosign's principal
advantage over Pubcookie is that, unlike Pubcookie, cosign does
not use domain cookies and hence is more secure than Pubcookie.

Note that while cosign and Pubcookie are currently used mostly for
single-sign-on within a given institution, that both are capable
of operating with Shibboleth (http://shibboleth.internet2.edu/)
which permits inter-institutional identity management and trust
to be established.  (So, for example, a user at Stanford University
could access our cosign-enabled web services at the University
of Michigan by logging on to Stanford's single-sign-on system
which will then, via Shibboleth, let us know who he is and even
possible transfer credentials to us).

All of this is not intended to detract from OpenID in any way,
I just think that OpenID is a different sort of system than
cosign, and that it is intended for very different uses than
cosign.  And while OpenID looks great for leaving comments
on blogs, I'd want to review the spec thoroughly to be sure
it provides sufficient levels of authentication before trying
to use it to give people access to their email or files over
the web.

I'd welcome any discussion or feedback.  (And I hope I didn't
get too much wrong in this post).

                Mark Montague
                The University of Michigan
                markmont@xxxxxxxxx

Follow-Ups:
- Re: New Open Source Single Sign-On System: OpenID
  - From: Wesley Craig

References:
- New Open Source Single Sign-On System: OpenID
  - From: Kyle Mulka

Prev by Date: New Open Source Single Sign-On System: OpenID
Next by Date: Re[8]: discussion about our tabs
Previous by thread: New Open Source Single Sign-On System: OpenID
Next by thread: Re: New Open Source Single Sign-On System: OpenID
Index(es):
- Date
- Thread