scholarly edited this page Jul 11, 2013 · 5 revisions

As of July 2013, OpenID appears to be all but dead.

While Google at one time strongly supported the initiative, and they do act as a widely trusted OpenID provider, they are unwilling to act as a relying party for any other provider.

An Anonymity-Protecting Provider

An OpenID provider could protect anonymity by giving each relying party anonymous data. For example, it could hand out a [unique, untraceable email address](Anonymous Email Service) when one is requested, and "Anonymous Coward/123 main street/Blue Sky, WY" for name and address. If everyone gave the same bogus info, its tracking value would be nil.
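As an added illustration (not code from this wiki or from any OpenID provider), the sketch below shows how such a provider could hand each relying party a per-RP pseudonymous identifier and email that cannot be linked across sites, together with the same bogus name and address for every user. The provider secret, the provider URL, the mail domain and the attribute field names are constructed for the example.

```python
import hashlib
import hmac

# Constructed provider-side secret: in practice a long-lived key held only by
# the OpenID provider, so no relying party can reproduce or invert the mapping.
PROVIDER_SECRET = b"example-provider-secret-do-not-use"

# The constant bogus profile from the page; every user returns the same values.
# Field names are illustrative, not a particular OpenID extension's schema.
BOGUS_PROFILE = {
    "fullname": "Anonymous Coward",
    "street": "123 main street",
    "city": "Blue Sky",
    "state": "WY",
}


def canonical_realm(realm: str) -> str:
    """Normalise the relying party realm so 'https://shop.example/',
    'HTTPS://shop.example' and 'shop.example' all map to one host."""
    realm = realm.strip().lower()
    if "://" not in realm:
        realm = "https://" + realm
    return realm.split("://", 1)[1].split("/", 1)[0]


def pairwise_identifier(local_user_id: str, realm: str) -> str:
    """Per-RP identifier: stable for (user, realm), different for every realm,
    and not invertible without PROVIDER_SECRET (HMAC-SHA256, truncated hex)."""
    msg = (local_user_id + "\x00" + canonical_realm(realm)).encode()
    return hmac.new(PROVIDER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def anonymous_response(local_user_id: str, realm: str,
                       mail_domain: str = "anon.example") -> dict:
    """Attribute set released to one relying party: the identifier and email
    are per-RP pseudonyms, the remaining fields are the shared bogus profile."""
    ident = pairwise_identifier(local_user_id, realm)
    return {
        "claimed_id": f"https://op.example/id/{ident}",  # constructed OP URL
        "email": f"{ident[:16]}@{mail_domain}",
        **BOGUS_PROFILE,
    }
```

Two relying parties comparing their records would see different identifiers and emails for the same user, and identical name/address data for all users.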

The Phishing Exploit

The most obvious solution to me is simply to use client certificates for authentication, but only myOpenID seems to offer this. Even if OpenID is never widely deployed, phishing in general is stopped dead by using client certificates. If everyone used certs instead of passwords, the phishers would have to refocus their efforts on subverting the PKI.

I see two technical issues and one social issue blocking the widespread use of client certificates:

  • The current state of the root CAs is an abominable mess.
  • The UI for installing, using, and trusting certificates is abominable.
  • You are far more traceable with a client cert, because the authentication can be made nearly invisible. (Or would it? Only the origin server can see your cert, because you would pin it to a particular server cert.) OpenID could help address this by allowing the end user to choose a provider who cares about privacy/anonymity.

Open Questions

What have Google, Yahoo, Twitter, LinkedIn, et al. done to address the phishing exploit?