Archive Page 2

Isak Savo writes about the daily Edgy updates that have been appearing the past two weeks. You know there’s a problem with pushing out updates too often when the update icon on Edgy, supposedly the stable version, appears more frequently than the update icon for Feisty, the current development branch. This is starting to feel like Windows automatic updates… I just want to turn it off.

How about aggregating non-critical updates and only pushing them out once a week or once every other week? I want to subscribe to the digest version of updates…

Updated Feisty today and after restarting (new kernel) and logging in, I was prompted with a balloon indicating that Ubuntu may be using restricted drivers. Clicking on the new tray icon in the notification area popped up the following window:
[Screenshot: Feisty New Restricted Drivers Manager]
I like how it informs users in rather polite language that proprietary drivers are almost impossible for anyone but the driver’s vendor to support.

Perhaps it could contain a link to a list of equivalent hardware that is fully supported by open source drivers? Free marketing exposure for hardware vendors whose products offer open source drivers could help encourage more vendors to see the light.

Packages for Beryl 0.2.0 were released. After updating to them and restarting Beryl, my entire desktop was sluggish and a quick look at top indicated that Beryl was consuming most of the CPU. Deleting my old Beryl settings and restarting Beryl seemed to solve the problem:

rm -Rf ~/.beryl*

I am a huge fan of OpenID. My initial interest was piqued by the promise of no longer having to remember login credentials for dozens if not hundreds of websites. The security benefits of only having to protect one set of login credentials instead of many became quickly obvious thanks to an eBay hacker.

I must say, when I first heard about the use of URLs as identifiers, I was skeptical (and to some degree remain skeptical) that your average, not-an-early-adopter consumer will be willing to wrap her brain around the concept that a website address is sometimes also a username. To me, the most obvious identifier to use would have been the email address. Almost everyone on the internet has at least one and it is already associated with identity in everyday life.

I-Name Skeptic

I became increasingly skeptical when I heard that as an alternative to URLs, an identifier called I-Names was also part of the OpenID spec. I-Names are XRI globally rooted at xri.net. This means one organization (a company in this case) has a monopoly on the issuance of I-Names.

We know from economics that monopoly suppliers have the incentive to create artificial scarcity and drive up prices. Yes, this means you have to pay for an I-Name. The going rate is about US$20 for an “individual I-Name” and US$55 for an “organization I-Name.” Wow! Someone must have a lot of confidence the market is going to buy into I-Names even given that OpenID URLs offer many of the same benefits at little or no cost beyond a domain name registration which has almost already been paid for other reasons.

Charging more than twice the current market price for domain names for something that isn’t really that valuable until the network of people that use it is pretty substantial is hardly a way to stimulate viral adoption and gain the benefits of network effect. This is especially true when OpenID URLs are out there as a direct substitute for single sign on identifiers and have a marginal cost of US$0 to the user.

Skeptic Turns Supporter

Despite my early skepticism, I continued to read up on I-Names to figure out why intelligent people would spend so much time trying to create something that at first glance by an identity layman seemed to be a scheme to charge unsuspecting consumers US$20 for something that they could basically get for free by using an OpenID provider such as MyOpenID.

Drummond Reed (=drummond) has been one of the most visible supporters, and his posts on the OpenID mailing lists and his blog have been most helpful in shedding light on why I-Names are technically superior and desirable for consumers.

Supporter Buys-In

Convinced of the superiority and desirability of I-Names, I decided to buy my own individual I-Name. You can buy an I-Name from a number of accredited registrars. Having little info to go on, I bought mine from 2idi because it is one of the initial registrars. I falsely assumed that they would have the most well developed feature set and management interface.

I have been using my I-Name to log on to OpenID sites that support it. Hopefully, once the OpenID 2.0 spec is complete, support for I-Names will be more consistently implemented. Right now sites using older OpenID spec 1.0 libraries do not accept I-Names.

Because of the less than desirable feature set of my I-Name provider and the fact that they do not yet support the latest OpenID spec, the best security practices, or provide a means to manage relying parties, I have tried without success to delegate OpenID authority using XRDS to my MyOpenID URL. Has anyone else been able to accomplish this? Perhaps 2idi is listening and could let us know if and when we will be offered a feature set more comparable to other OpenID providers?

Much of the success or failure of I-Names will revolve around getting the world at large to accept and recognize them for what they are, a unified contact handle that has the potential to replace phone numbers, email addresses, mailing addresses and more with one simple identifier all while giving users more control over their information and who is allowed to contact them and by what means. US$20 per year is way too high for anyone but the most enthusiastic early adopters to pay if that goal of mass popularization is ever to be met, at least in the beginning.

One road to adoption that seems very promising is by employers providing delegated community I-Names to their employees or websites to their users. For example:

@example.company*Marketing*Fred.Smith < ----- This would be Fred Smith in Example Company's Marketing department.


@example.company*Smithy < ----- This could be the user with nickname Smithy at Example Company's Web 2.0 application.

Help Delegating

I am interested in providing users of my yet to be launched tech start up with community I-Names. However, I have yet to find an I-name registrar website that provides information on how this could work beyond simply mentioning it is possible.

Simply put, I imagine asking my users to provide their I-name or OpenID when registering. If they provide an OpenID, my site would issue them a new i-number and an associated community i-name under my company’s organization i-name. If they provide an i-name during registration, the existing i-name’s i-number would be used as their unique identifier and a community i-name under my company’s organization i-name would be issued and associated with the existing i-number.

Ideally, this could all be accomplished with an i-name registrar provided API so that we do not have to run an XRI resolver. Is this possible? Does anyone know of a detailed explanation of how something like this should be implemented?

If this is a service that i-name providers are already offering, how is it priced?

Linksafe seems to indicate that the US$55 / year fee includes the ability to delegate community i-names. Does this mean that Linksafe would provide login, contact, and forwarding services for community i-names that are created under an organization’s i-name?

The I-Name Future

I look forward to the day where I can print my i-name on my business card and people will automatically know what it is and how to use it. Unfortunately, that day will not come until the ease with which people can get i-names is closer to that of the ease with which they get OpenID URLs by both significantly reducing the price of individual i-names and making it a lot easier for websites and companies to provide their users with community i-names with a cost structure that makes sense and minimal technology investment.

If anyone can shed more light on the questions I have raised, or point me to some answers, please leave a comment using your OpenID or I-Name.

Or contact me privately using my i-name.

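Recently, OpenID has been one of the hottest new technologies on the Internet. So what exactly is it?

OpenID is a decentralized identity authentication protocol

On the Internet, your identity is the account or user name you use to log in to a website. Currently most websites have their own account management systems, and the user name and password for each site are likely to be different. This situation is not good from a security standpoint, and it is inconvenient for users. Users with that many account credentials certainly cannot remember them all. Some people write all of their user names and passwords down; more use simple passwords that are easy to remember but also easy to guess. Both solutions have shortcomings.

The Internet market clearly needs a way for consumers to log in to every website with the same account. A number of companies recognized this market need in the past, including the largest companies in the IT industry: Microsoft has Windows Live ID (formerly known as passport.net), Google has Google Accounts and Yahoo has Yahoo! ID. Apart from these companies' own websites, other sites do not use them because this kind of identity authentication system is centralized and complex.

How do you use OpenID?

  1. First, create an OpenID. Several providers in China offer free OpenIDs, for example openid.cn. There are also quite a few in the United States that offer free OpenIDs; one of the best known is MyOpenID
  2. Visit a website that accepts OpenID logins, such as ipv6links.net (this site also supports commenting with OpenID)
  3. On the site you want to use, enter your OpenID and click log in (see the image below). If you are already logged in to the OpenID server during this browsing session, you will be automatically logged in to the site you want to use
  4. Enter your OpenID on the website

  5. If you have not yet logged in to OpenID, you must log in at the OpenID server (see the image below)
  6. Enter your password at the OpenID server

Simple, isn't it?

Does OpenID have a Chinese name?

I'm not too sure about this. The public does not seem to have decided whether to give OpenID a Chinese name, but the wisdom of the crowd has already come up with quite a few candidate names. The one I like best is 《网络通行证》 ("Network Pass"), which sounds formal and reliable. What do you think?

OpenID Network Pass (网络通行证): raise the standing of your online identity!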

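Tonight I watched a few minutes of Hunan TV's 《中国之夜新春晚会》 (China Night Spring Festival Gala), a rerun. This year's program was a broadcast of the 2007 Overseas Spring Festival Bilingual Concert held in Las Vegas, USA. The part I watched didn't have any singers worth listening to.

Apart from Kanye West from the US, Chen Long (陈龙) and Taiwan's Mayday (五月天), the other singers and bands were not very famous. Of these three, Kanye West was the most exciting, but he is a bit out of date.

I don't much like Mayday because when they sing in Taiwanese I can't understand any of it. I'm also not sure what their current standing in pop culture is; is Mayday still cool?

Chen Long's singing was awful. The reason he came seems to be that overseas Chinese in America think he is one of Hong Kong's good singers, when in fact he is not. Why didn't they invite top-tier singers like Kelly Chen (陈慧琳), Twins or Jacky Cheung (张学友)? What is the point of having a Hollywood actor from Hong Kong represent Hong Kong singers?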

Today’s libxcb1-1.0-1.1ubuntu2 update in Ubuntu Feisty works around the Java bug reported a couple weeks ago here and on launchpad on a more permanent basis until the bugs are fixed in Java.

Eran makes a great point regarding multiple OpenID support as a necessity to avoid vendor lock-in. Sites accepting OpenID should find it in their best interest to allow users to associate multiple OpenIDs with their accounts. After all, as a site owner, you want to make it as convenient as possible for a user to use your site.

This is why I added multiple OpenID support to IPv6Links.Net. You can add and remove OpenIDs from your profile by clicking on profile from your links page after logging in. Each account must have at minimum one OpenID associated with it.

Finally fixed the bug at http://ipv6links.net where entering an invalid OpenID such as the example iname =example.name or http://example in the login box would result in the login process hanging and eventually failing with the error
Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 14592 bytes) in /home/www/ipv6links.net/login.php on line 76
I thought it was an issue with the PHP OpenID JanRain libraries but it turned out to be the result of me creating an infinite loop.

The offending code:

// Render a default page if we got a submission without an openid
// value.
if (empty($_GET['openid_identifier'])) {
    $tplVars['msg'] = "Please enter a valid OpenID to log in.";

} else {

$scheme = 'http';
if (isset($_SERVER['HTTPS']) and $_SERVER['HTTPS'] == 'on') {
    $scheme .= 's';
}

$_SESSION['login_keeppass'] = ($_GET['keeppass'] == "yes");

$openid = $_GET['openid_identifier'];

$process_url = "http://ipv6links.net/finish_auth.php";

$trust_root = "http://ipv6links.net/";

// Begin the OpenID authentication process.
$auth_request = $consumer->begin($openid);

// Handle failure status return values.
if (!$auth_request) {
    $tplVars['error'] = "OpenID authentication failed. Please enter a valid OpenID.";
    include 'login.php';
    exit(0);
}

$auth_request->addExtensionArg('sreg', 'optional', 'email');

// Redirect the user to the OpenID server for authentication.  Store
// the token for this authentication so we can verify the response.

$redirect_url = $auth_request->redirectURL($trust_root,
                                           $process_url);

header("Location: ".$redirect_url);
exit(0);
}

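The failure branch includes login.php again while $_GET['openid_identifier'] still holds the bad identifier, so the same login logic runs, fails, and includes the page again until PHP's memory limit is exhausted. Adding an if statement to check for an error before executing the initial OpenID login logic again on the bad OpenID identifier is the solution.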

The working code:

// Render a default page if we got a submission without an openid
// value.
if (empty($_GET['openid_identifier'])) {
    $tplVars['msg'] = "Please enter a valid OpenID to log in.";

} else if (empty($tplVars['error'])) { // Check for previous errors before executing OpenID login process; empty() also covers the first pass, when 'error' is not set yet

$scheme = 'http';
if (isset($_SERVER['HTTPS']) and $_SERVER['HTTPS'] == 'on') {
    $scheme .= 's';
}

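// isset() avoids an undefined-index notice when keeppass is not submitted.
$_SESSION['login_keeppass'] = (isset($_GET['keeppass']) && $_GET['keeppass'] == "yes");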

$openid = $_GET['openid_identifier'];

$process_url = "http://ipv6links.net/finish_auth.php";

$trust_root = "http://ipv6links.net/";

// Begin the OpenID authentication process.
$auth_request = $consumer->begin($openid);

// Handle failure status return values.
if (!$auth_request) {
    $tplVars['error'] = "OpenID authentication failed. Please enter a valid OpenID.";
    include 'login.php';
    exit(0);
}

$auth_request->addExtensionArg('sreg', 'optional', 'email');

// Redirect the user to the OpenID server for authentication.  Store
// the token for this authentication so we can verify the response.

$redirect_url = $auth_request->redirectURL($trust_root,
                                           $process_url);

header("Location: ".$redirect_url);
exit(0);
}
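
The same failure and fix in a form that runs on its own from the PHP command line, as an added example that is not the site's code: it shows why one bad identifier kept a PHP worker busy until the memory limit, and a single-pass handler that returns the error as data instead of re-entering itself. The function names, MAX_DEPTH and the $begin stand-in for $consumer->begin() are hypothetical, and the sample identifiers are constructed.

```php
<?php
// Added example with hypothetical names; $begin stands in for $consumer->begin().
// Constructed stand-in for OpenID discovery: redirect URL on success, null on failure.
$attempts = 0;
$begin = function (string $identifier) use (&$attempts) {
    $attempts++;
    return $identifier === 'http://openid.example/alice' ? 'http://openid.example/auth' : null;
};

// Before: on failure the handler re-enters itself with the same request data.
// MAX_DEPTH only exists so the demo stops; the real script ran until
// memory_limit was exhausted.
const MAX_DEPTH = 100;
function login_reentrant(array $get, callable $begin, int $depth = 0): array
{
    if (empty($get['openid_identifier'])) {
        return ['msg' => 'Please enter a valid OpenID to log in.'];
    }
    if ($depth >= MAX_DEPTH) {
        return ['fatal' => 'resource limit reached'];
    }
    $redirect = $begin($get['openid_identifier']);
    if (!$redirect) {
        return login_reentrant($get, $begin, $depth + 1); // same input, same failure
    }
    return ['redirect' => $redirect];
}

// After: one discovery attempt per request; failure is returned as data
// and the caller renders the form once.
function login_once(array $get, callable $begin): array
{
    if (empty($get['openid_identifier'])) {
        return ['msg' => 'Please enter a valid OpenID to log in.'];
    }
    $redirect = $begin($get['openid_identifier']);
    if (!$redirect) {
        return ['error' => 'OpenID authentication failed. Please enter a valid OpenID.'];
    }
    return ['redirect' => $redirect];
}

$bad = ['openid_identifier' => 'http://example']; // the failing input from the post
foreach (['login_reentrant', 'login_once'] as $handler) {
    $attempts = 0;
    $result = $handler($bad, $begin);
    printf("%s: %d discovery attempts, outcome=%s\n", $handler, $attempts, key($result));
}
```

Returning the outcome to a single rendering step removes the self-include entirely, so the guard on $tplVars['error'] is no longer the only thing standing between a mistyped identifier and an exhausted worker.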

I logged into my email today to 50+ emails from eBay. My initial reaction was:

Great! Google’s email SPAM filter has finally broken down.

Unfortunately, it was not a simple case of spoofed eBay emails making it through the trusty SPAM filter. My eBay account had been hacked. Someone had gained access to my account and posted about 50 listings for “eBay Listing Confirmed: brand new CLH LRG DEAD SERIOUS HOODIE size XXXL” of different sizes. The final two emails from eBay were “TKO NOTICE: eBay Registration Suspension - Possible Unauthorized Account Use” and “TKO NOTICE: eBay Listing(s) Removed” indicating that eBay has disabled my account and removed the unauthorized listings. Good job eBay!

Why did this happen?

I’m not a frequent eBay user by any stretch of the imagination. In fact, I probably haven’t used my account in about two years.

Was my password strong and frequently changed?

No, of course not! If I used eBay on a daily basis, perhaps I would use a more difficult (and harder to remember) password and frequently generate new ones. However, like most users, even tech-savvy ones, I have other things to do with my time besides come up with, memorize and deploy new passwords. However, this problem of users having too many site credentials to remember and protect could be avoided if eBay and other sites adopted a decentralized authentication system such as OpenID in the future.

OpenID works by giving each user a URL or an iname that the user uses to identify herself to a website instead of creating a login and password for each site. After entering her OpenID (Step 1), the user is redirected to her OpenID provider to verify she is the owner of the OpenID provided (Step 2).

For those new to OpenID, I have taken screenshots of a hypothetical AOL user with screen name “YourSN” and OpenID “http://openid.aol.com/YourSN” trying to log on to ipv6links.net, my testbed for IPv6, OpenID, and other next-generation web technologies.

Step 1: [Screenshot: OpenID Login - Step 1 - IPv6Links.net]

Step 2: [Screenshot: OpenID Login - Step 2 - AOL]

Using OpenID, each person would only need to have one OpenID and could use the same OpenID to log on to any number of sites. The benefit of this is that abstracting the verification of a user's identity away from the site to which she is logging in, plus reducing the number of identities for which she must remember credentials, allows advanced security techniques to be used to protect her identity.

Her OpenID would be better protected by simply selecting a stronger password and changing it frequently. It is much easier to frequently change passwords if one must only change it in one place instead of on every site on the Internet. Two factor authentication techniques such as SecurID or having the user answer a series of predefined questions could be used.

All of your eggs in one basket?

Some would argue that OpenID or other such web-based single sign on systems are akin to putting all of your eggs in one basket. There is some truth to this, in that if your OpenID is compromised, criminals can potentially access all of the sites where you use that identifier. However, the nice thing about having all of your eggs in one basket, is that it is much more feasible to fiercely guard one or two baskets to make it much harder for any Internet fox to get to your eggs than it is to guard the dozens of baskets that exist when users are forced to maintain a user name and password for each website.

Choose the most secure basket for your eggs

With the status quo users are forced to store information regarding their identity in whatever method a website offers. Identity storage and protection are usually not the core competencies of most websites including places like eBay. OpenID’s decentralization allows users in the free market to choose to put their proverbial eggs in the basket of an OpenID provider whose core competency and raison d’être is identity management and with a reputation for the most secure basket.


You are currently browsing the sinopop.net weblog archives.