OpenID

classic Classic list List threaded Threaded
30 messages Options
12
Reply | Threaded
Open this post in threaded view
|

OpenID

Jan Kucera
Hi there,

what about implementing OpenID accross some Wikimedia projects? I know this might be rather "political" than "technical" decision, but I think it would bring only positives. I tried to bring it up on Metapub and Village pump, but quite little interest was showed...

Jan

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OpenID

Sebastian Moleski
On Sun, Oct 5, 2008 at 3:15 PM, Jan Kucera <[hidden email]> wrote:
> what about implementing OpenID accross some Wikimedia projects? I know this might be rather "political" than "technical" decision, but I think it would bring only positives. I tried to bring it up on Metapub and Village pump, but quite little interest was showed...

I've looked at OpenID a couple of times and I'm still unsure of the
benefits it really brings. Where lies the virtue of a centralized
login across many sites that have nothing in common?

Sebastian

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OpenID

Amir Elisha Aharoni
On Sun, Oct 5, 2008 at 3:23 PM, Sebastian Moleski <[hidden email]> wrote:
> On Sun, Oct 5, 2008 at 3:15 PM, Jan Kucera <[hidden email]> wrote:
>> what about implementing OpenID accross some Wikimedia projects? I know this might be rather "political" than "technical" decision, but I think it would bring only positives. I tried to bring it up on Metapub and Village pump, but quite little interest was showed...
>
> I've looked at OpenID a couple of times and I'm still unsure of the
> benefits it really brings. Where lies the virtue of a centralized
> login across many sites that have nothing in common?

Russian-speaking Wikipedians will enjoy it, because LiveJournal, which
uses OpenID, is unbelievably popular among Russian speakers.

I can't see any important advantage except that, but i might be wrong.

--
Amir Elisha Aharoni

heb: http://haharoni.wordpress.com | eng: http://aharoni.wordpress.com
cat: http://aprenent.wordpress.com | rus: http://amire80.livejournal.com

"We're living in pieces,
 I want to live in peace." - T. Moore

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OpenID

Bryan Tong Minh
In reply to this post by Sebastian Moleski
On Sun, Oct 5, 2008 at 3:23 PM, Sebastian Moleski <[hidden email]> wrote:
> On Sun, Oct 5, 2008 at 3:15 PM, Jan Kucera <[hidden email]> wrote:
>> what about implementing OpenID accross some Wikimedia projects? I know this might be rather "political" than "technical" decision, but I think it would bring only positives. I tried to bring it up on Metapub and Village pump, but quite little interest was showed...
>
> I've looked at OpenID a couple of times and I'm still unsure of the
> benefits it really brings. Where lies the virtue of a centralized
> login across many sites that have nothing in common?
>
> Sebastian
>
Instead of logging to to Wikimedia with a foreign OpenID, I would
rather like to see Wikimedia become an OpenID provider, so that I can
login to other sites with a .wikimedia.org OpenID :)

There is an open bug for it and also some code in SVN.


Bryan

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OpenID

Sebastian Moleski
On Sun, Oct 5, 2008 at 3:35 PM, Bryan Tong Minh
<[hidden email]> wrote:
> Instead of logging to to Wikimedia with a foreign OpenID, I would
> rather like to see Wikimedia become an OpenID provider, so that I can
> login to other sites with a .wikimedia.org OpenID :)

I understand *what* people want to do with it. What I don't understand
is *why. What benefit does OpenID provide over just registering with
your usual user name and password at any site? If there's an
advantage, it would make sense to find some resources to implement
this ability. But without some clarity on that, it's rather difficult
to justify spending time on that. So what's your hope for what
enabling OpenID will accomplish?

Sebastian

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OpenID

Nikola Smolenski
On Sunday 05 October 2008 15:39:29 Sebastian Moleski wrote:

> On Sun, Oct 5, 2008 at 3:35 PM, Bryan Tong Minh
>
> <[hidden email]> wrote:
> > Instead of logging to to Wikimedia with a foreign OpenID, I would
> > rather like to see Wikimedia become an OpenID provider, so that I can
> > login to other sites with a .wikimedia.org OpenID :)
>
> I understand *what* people want to do with it. What I don't understand
> is *why. What benefit does OpenID provide over just registering with
> your usual user name and password at any site? If there's an

People don't like registering at websites. If Wikimedia projects would use
OpenID, they would attract users they otherwise wouldn't have.

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OpenID

David Gerard-2
2008/10/5 Nikola Smolenski <[hidden email]>:
> On Sunday 05 October 2008 15:39:29 Sebastian Moleski wrote:

>> I understand *what* people want to do with it. What I don't understand
>> is *why. What benefit does OpenID provide over just registering with
>> your usual user name and password at any site? If there's an

> People don't like registering at websites. If Wikimedia projects would use
> OpenID, they would attract users they otherwise wouldn't have.


And a lot of "anons" would be a lot more identifiable.

Creating logins on 100 websites is a pain in the backside and one of
the reasons we allow anon editing - it lures people in.


- d.

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OpenID

Bugzilla from mark@geekhive.net
In reply to this post by Sebastian Moleski
Sebastian Moleski wrote:
> I understand *what* people want to do with it. What I don't understand
> is *why. What benefit does OpenID provide over just registering with
> your usual user name and password at any site?

Using the same credentials on more than one site is gambling with your
security.  Basically anybody you share your secret password with can access
all of your accounts everywhere if they want to.

With OpenID only the provider ever sees your credential.  OpenID provides a
method by which the provider can vouch for you having correctly provided
your credentials without having to give them to the other site.

> If there's an advantage, it would make sense to find some resources to
> implement this ability.

The module has existed for several years. The implementation cost should be
fairly small.


--
--
=================================================================
-- mark at geekhive dot net --

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OpenID

Jan Kucera
> > If there's an advantage, it would make sense to find some resources to
> > implement this ability.
>
> The module has existed for several years. The implementation cost should be
> fairly small.

So let us do it. OpenID will be critical for the web, Wikimedia as one of Internets TOP10 sites should not be behind and should take the advantage of being OpenID provider. It will attract new users and make everything easier I think.

Jan

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OpenID

Jonathan Leybovich
In reply to this post by Jan Kucera
Sebastian Moleski wrote:

> I understand *what* people want to do with it. What I don't understand
> is *why. What benefit does OpenID provide over just registering with
> your usual user name and password at any site?

Besides the advantages others have cited (improved security, usability, etc.) OpenID offers the best way to give liquidity to the credentials I have earned as a Wikipedia editor.  It would be relatively easy for any website to confirm I am an expert in pre-vertebrate paleontology, for example, by cross-referencing my user id with my edit history.  The only missing ingredient is being able to confirm that when I come to a site claiming to be User:XYZ I am in fact User:XYZ .



     

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OpenID

Jan Kucera
> user id with my edit history.  The only missing ingredient is being able to
> confirm that when I come to a site claiming to be User:XYZ I am in fact User:XYZ

Of course the identity remains 100% virtual. OpenIDs goal is not to make you "trusted", but to centralize authentication.

Jan

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OpenID

Marco Schuster-2
In reply to this post by Bugzilla from mark@geekhive.net
2008/10/5 Mark <[hidden email]>

> Sebastian Moleski wrote:
> > I understand *what* people want to do with it. What I don't understand
> > is *why. What benefit does OpenID provide over just registering with
> > your usual user name and password at any site?
>
> Using the same credentials on more than one site is gambling with your
> security.  Basically anybody you share your secret password with can access
> all of your accounts everywhere if they want to.
>
Only if you use the same password for everything - what many people do
actually...because it's a PITA to keep e.g. KeePass databases synchronized
across maybe two computers and a PDA.

Marco
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OpenID

Thomas Dalton
> Only if you use the same password for everything - what many people do
> actually...because it's a PITA to keep e.g. KeePass databases synchronized
> across maybe two computers and a PDA.

I've never bothered myself, but you can improve security by mangling
the domain name into your password for each site. That allows you to
work out the passwords rather than keep a database of them.

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OpenID

Marco Schuster-2
Which becomes a problem if sites don't allow passwords larger than 10 to 15
chars (as if they couldn't make a MD5/SHA1 out of it...) :(

Marco

2008/10/6 Thomas Dalton <[hidden email]>

> > Only if you use the same password for everything - what many people do
> > actually...because it's a PITA to keep e.g. KeePass databases
> synchronized
> > across maybe two computers and a PDA.
>
> I've never bothered myself, but you can improve security by mangling
> the domain name into your password for each site. That allows you to
> work out the passwords rather than keep a database of them.
>
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OpenID

Lane, Ryan
> Which becomes a problem if sites don't allow passwords larger
> than 10 to 15
> chars (as if they couldn't make a MD5/SHA1 out of it...) :(
>

Or sites that force you to have a password between a short range of
characters (6-10? Really?), or sites that don't allow special
characters, or sites that only allow alpha-numberic. I have no clue why
some sites force you to use less secure passwords, but it drives me
insane. Password management on the web is in a terrible state.

OpenID isn't without it's share of security issues, but I think it at
least solves the password issue; I can't wait until I can use my gmail
OpenID everywhere ;).

V/r,

Ryan Lane

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OpenID

Thomas Dalton
In reply to this post by Marco Schuster-2
2008/10/6 Marco Schuster <[hidden email]>:
> Which becomes a problem if sites don't allow passwords larger than 10 to 15
> chars (as if they couldn't make a MD5/SHA1 out of it...) :(

How about a standard 5 character alphanumeric password concatenated
with the first 5 characters of the domain name encoded with ROT13?
That should be accepted by any site and is pretty secure (it would be
good to include symbols in there, but some sites don't accept them,
and you may want some better mangling than just ROT13).

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OpenID

Katie Chan
On Mon, 2008-10-06 at 15:18 +0100, Thomas Dalton wrote:
> 2008/10/6 Marco Schuster <[hidden email]>:
> > Which becomes a problem if sites don't allow passwords larger than 10 to 15
> > chars (as if they couldn't make a MD5/SHA1 out of it...) :(
>
> How about a standard 5 character alphanumeric password concatenated
> with the first 5 characters of the domain name encoded with ROT13?
> That should be accepted by any site and is pretty secure (it would be
> good to include symbols in there, but some sites don't accept them,
> and you may want some better mangling than just ROT13).

Easy enough for any modern PC to brute force if the one know you are
using such scheme. 36^5 isn't that many combination...

KTC

--
Experience is a good school but the fees are high.
  - Heinrich Heine

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

signature.asc (196 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: OpenID

Thomas Dalton
2008/10/6 Kwan Ting Chan <[hidden email]>:

> On Mon, 2008-10-06 at 15:18 +0100, Thomas Dalton wrote:
>> 2008/10/6 Marco Schuster <[hidden email]>:
>> > Which becomes a problem if sites don't allow passwords larger than 10 to 15
>> > chars (as if they couldn't make a MD5/SHA1 out of it...) :(
>>
>> How about a standard 5 character alphanumeric password concatenated
>> with the first 5 characters of the domain name encoded with ROT13?
>> That should be accepted by any site and is pretty secure (it would be
>> good to include symbols in there, but some sites don't accept them,
>> and you may want some better mangling than just ROT13).
>
> Easy enough for any modern PC to brute force if the one know you are
> using such scheme. 36^5 isn't that many combination...

Yes, knowing half the password in advance will make it easier to
crack, that's very true. I was working under the assumption that you
don't go around telling people your method of producing passwords...

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OpenID

Marco Schuster-2
In reply to this post by Lane, Ryan
2008/10/6 Lane, Ryan <[hidden email]>

> Or sites that force you to have a password between a short range of
> characters (6-10? Really?), or sites that don't allow special
> characters, or sites that only allow alpha-numberic. I have no clue why
> some sites force you to use less secure passwords, but it drives me
> insane. Password management on the web is in a terrible state.

The worst example I ever met was a web forum which allowed maximum five
characters (and my bank...for hell, why doesn't the web interface accept 20
chars long passwords - we are talking about money here!)

>
>
> OpenID isn't without it's share of security issues, but I think it at
> least solves the password issue; I can't wait until I can use my gmail
> OpenID everywhere ;).
>
> GMail has OpenID?!

Marco
_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Reply | Threaded
Open this post in threaded view
|

Re: OpenID

Lane, Ryan
> > OpenID isn't without it's share of security issues, but I
> think it at
> > least solves the password issue; I can't wait until I can
> use my gmail
> > OpenID everywhere ;).
> >

> GMail has OpenID?!

Yep, you can use google as an OpenID provider, yes. They don't advertise
it, except for use on blogger. I use it on my personal blog though.

V/r,

Ryan Lane

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
12