Wednesday, February 13, 2008

Identity on the Net

Project Dune has a feature implementation pending with regards to logins through OpenID's. When you surf the net nowadays, every site you go to requires you to put your details in for registration. The objective of registration is to be able to verify the same details at a later time. The details are verified by a secret that you are telling in the process of registration (your password), which is stored securely at the site and of which both parties hope is a secret that is never shared with any other party.

Your registration however is further verified by adding a key that you only own: your email address. The registration site creates a temporary link with a complex url that is very hard to guess. You move to the url and thereby activate your account that you requested to set up earlier. From here on, you don't need to keep checking your email to be able to log in, you use the shared secret.

What most sites care about is authentication. Authentication is the process of verifying that someone who identified himself with some token at some point (your name or any other credential) is the same person that comes back another time and not somebody else. This is essentially what authentication means for sites that allow "semi" anonymous access (you register with your details, but the registration site never actually verifies your real identity. So what they check is not that you are who you say you are, but that you are the same person that made the initial registration).

OpenID attempts to simplify this a bit further. Rather than "registering" in the same method for each site that you may be on, you'll continue to see new sites popping up that claim to manage your identity online. Basically, this means a split of the registration process from the authentication process.

Remember how I said that many public sites don't care about who, in the context of real identity, is making a registration? They only care if they can reliably assume that it is the same person that actually registered before. So another site could authenticate on the site's behalf and then have the user call back to the originating site with the result of the authentication.

The authentication relies on the fact that the user now claims to own a url. For example, if I want to log on with OpenID on a forum site, I could claim I own:

Then the forum site tells me: "oh yeah? proof it!". So they redirect my browser to an authentication provider site "". The forum site passes in a return URL that is used to pass my browser back after the authentication claim. First, I need to fill in my secret that I have with my authentication provider. If I succeed, it is assumed I correctly own the URL. If it fails, my claim is invalid.

In both cases, I get redirected to the forum site. The forum site then analyzes the details and shows the results as they have programmed. There's another process there related with cookies and multiple redirects. So if you have already logged on with your OpenID, a cookie is stored in your session. Then for each site that you visit, you may be requested how long you wish to keep the cookie and the session. As you get redirected from one site to the other, the sites still redirect you to your authentication provider inbetween to re-verify the details. This process is called "single sign on".

Project Dune thus will start to use OpenID. The objective is to modify the project code to allow anonymous browsing for "the public". So you won't have the same abilities as users created through the system, but you can still browse issues and participate in those things that the administrators have indicated as allowable.

Now, consider the options here. Project Dune for example contains functionality for inspections. This means you could configure the software to allow people to participate in inspections of source code. How cool would it be to have anonymous users inspect your code online for certain changes and make remarks? The current method is mostly by sending email, but this way you just login, go to the source, open it up, add your comments and move in. You are identified by your OpenID, so you will in some way be traceable.

No comments: