Chris Messina on OpenID: the unseen branded revenue opportunity:
What better way to both support Creative Commons and show off your patronage than by identifying yourself across the web with your very own unique, secure, privacy-protecting creativecommons.net OpenID (just like Zach Beauvais)?
For a mere $50 minimum donation ($25 for students), you can own a limited edition URL and profile from Creative Commons that identifies you to the world and provides a compelling revenue opportunity for the non-profit foundation.
While companies like SAP become OpenID providers for pedestrian reasons like simplifying authentication across their many different distributed web properties, Creative Commons is redistributing the brand equity and social capital their members have accrued over the last several years by letting people show and verify their affiliation to the organization.
With this simple example, we can start to see the symbiosis of making an intentional choice about identity: Creative Commons finds a new revenue opportunity and members of the community have a way to express their affiliation and promote the brand.
Perfectly explained. Do read the whole post, including the part where Messina calls CC Network “a truly inspirational approach”. Thanks Chris!
Also see Read Write Web’s take on CC Network, following up on Messina’s post.
CC Network also has other features that complement its identity and affiliation stories — see our posts from last fall launching the service, explaining our technical approach to CC Network’s OpenID security, and CC Network and web-centric copyright registries. On the last, see our CTO Nathan Yergler’s recent update from the third CC technology summit.5 Comments »
Last month we rolled out a brand new look for CC’s homepage, and promised that other changes would follow. Staying true to our word, we now invite you to check out our redesigned wiki, which boasts a much sleeker and more user-friendly interface and look. The wiki is home to the CC Case Studies project, upcoming event information, resources for software developers, and much more.
The wiki is designed to get you involved and collaborating with us; anyone with an account or an OpenID can login and add to certain pages. If you’re a member of the CC Network, your profile acts as an OpenID. Not yet a member? Support the work of Creative Commons and join the CC Network today to get an OpenID!
We need your contributions to continue developing this wiki into a valuable community resource, so check out the Getting Started page and jump right in!1 Comment »
One of the key benefits of becoming a Creative Commons Network member is the OpenID login feature. In this blog post, we’ll cover the basics of OpenID and why having a Creative Commons Network OpenID is particularly interesting to users who care about their privacy. We’ll also point out the risks of using OpenID and how you can mitigate them.
OpenID and Password Insanity
By now, even casual web users are encountering password fatigue. Though it isn’t ideal from a security standpoint, it becomes necessary to reuse passwords across sites when possible. One increasingly popular alternative to this password insanity is OpenID. With OpenID, a user creates an OpenID account at one of many available OpenID providers, e.g. http://creativecommons.net/. The user is then assigned an OpenID URL, e.g. http://creativecommons.net/ben. Then, when logging into a web site that supports OpenID, the user simply submits his OpenID URL, is automatically redirected to his OpenID provider where he logs in with his one OpenID account, and is finally redirected back to the original site, automatically logged in. One OpenID account lets you log in to any web site that supports OpenID logins.
There is always a risk to centralizing significant security information in one place: the place of centralization becomes an attractive target for attackers. Beyond that, there are some risks specific to OpenID given the current state of the Web:
- Users are required to place significant trust in their OpenID provider. An OpenID provider can trivially impersonate any of its users to any web site it chooses. In other words, it’s important to choose an OpenID provider you trust.
- When OpenID URLs are not protected by SSL, OpenID is vulnerable to various kinds of DNS attacks, which, as we know from recent developments in DNS security, are significantly more realistic than many realize.
- The OpenID protocol expects the relying party (i.e. the site to which the user is logging in) to redirect the user to her OpenID provider, when the relying party may not always be trustworthy. As a result, a number of security experts believe that OpenID increases the risk (and improves the efficacy) of phishing attacks against OpenID users. This is particularly relevant when the OpenID provider provides password-based authentication, which is the case for most OpenID providers. This can be mitigated by using a browser extension such as Verisign’s OpenID Seatbelt which takes you directly to your provider and providers a visual indication that the page you’re on is indeed the page where your password can be safely entered.
- An OpenID provider is involved in every act of authentication that its users perform. This has significant privacy implications, as the OpenID provider can easily determine its users’ Internet usage patterns. This private data might be leaked if a security breach occurs, or if the OpenID provider is subpoenaed for information.
Mitigating OpenID Risks
We believe that Creative Commons is well positioned to provide trustworthy OpenID functionality. That said, we only recommend that you use Creative Commons as an OpenID provider if you do indeed trust Creative Commons.
To address the remaining risks, Creative Commons has made the following design decisions in its implementation of OpenID:
- Creative Commons profile URLs are only served over SSL — any request over plain HTTP is redirected over SSL. We recommend looking at your address bar to make sure you’re connected over SSL when logging into web sites with your profile.
- Creative Commons strongly recommends that you verify the URL that you are visiting before you enter your Creative Commons Network password. We have also taken care to ensure that you need not enter your password repetitively when visiting sites you already trust. Thus, by reducing the number of situations where users are expected to enter a password, we hope that users will be more vigilant on those few occasions where a password is requested.
- Creative Commons commits to keeping only minimal and recent logging information about its users’ authentication activities, and to never share this logging information (except in cases where we are legally required to do so.) Thus, if a breach occurs, attackers will have only minimal data about our users’ Internet habits.
As always, we welcome all comments, and we hope you’ll find Creative Commons’s support of OpenID a useful service!Comments Off