最近OpenID是互联网上最热的新科技之一。到底它是什么东西？

OpenID是一种分散身份认证协议

在互联网上你的身份就是你用的登录网站的帐户号或用户名。目前最多数网站他们有自己的帐户管理系统，每个网站的用户名和密码很可能不一样。这情况从安全观点来看不太好，也对用户来说可不方便。用户有那么的帐户证明身份可定全部不能记住。有些人会所有的用户和密码写下来，更多会用简单又容易记住但容易猜到的密码。两个解法都有缺乏了。

互联网市场显然需要一个方法让消费者在每个网站用同一个帐户登录。以前不少公司意识到这市场需求，包括资讯科技行业最大的公司，微软有Windows Live ID (以前称为passport.net）谷歌有谷歌帐户和雅虎有Yahoo!ID。除了他们自己公司的网站其它网站都不用因为这种身份认证系统是中央又复杂的。

怎么用OpenID呢？

1. 首先创新一个OpenID。国内的有几个提供免费的OpenID比如openid.cn。美国的也有好几个提供免费的OpenID，最著名的之一是MyOpenID
2. 访问接受OpenID登录的网站比如ipv6links.net（本网站也支持OpenID发评论)
3. 在想用的网站输入你的OpenID，点击登录。（如下图）如果你这次上网在OpenID服务器已登录了，你会被自动的登录了想使用的网站



4. 如果你还没登录OpenID，必要在OpenID的服务器登录（如下图）

简不简单？

OpenID有中文名字吗？

这个我不太清楚。大众好像没想好该否给OpenID起个中文名，但大众的智慧已想了不少可能征名。我比较喜欢的那个是《网络通行证》，听起来正式又可靠的。你觉得呢？

OpenID网络通行证，提高你网上身份的地位！

今晚看了几分钟湖南卫视《中国之夜新春晚会》的节目，重播的。今年节目是播在美國拉斯維加斯阿举办的２００７海外春节双语演唱会。　我看的那个部分没什么好听的歌星.　

去了美国的kanye west陈龙和台湾的五月天其他的歌手和乐队都不太有名。这三个中Kanye West是最精彩的，但是他有点落伍了。

五月天我不太喜欢因为他们唱台湾语时我都听不懂。也不太清楚他们目前在流行文化的地位是什么，五月天还酷么？

陈龙唱得很难听的，他来的原因好像是因为美国华侨以为他是香港好听歌星之一，其实是他也不是。他们为什么没邀请陈慧琳Twins或张学友这类的高等歌手，让一名香港来的好莱坞演员代表香港歌星干吗？

Today’s libxcb1-1.0-1.1ubuntu2 update in Ubuntu Feisty works around the Java bug reported a couple weeks ago here and on launchpad on a more permanent basis until the bugs are fixed in Java.

Eran makes a great point regarding multiple OpenID support as a necessity to avoid vendor lock-in. Sites accepting OpenID should find it in their best interest to allow users to associate multiple OpenIDs with their accounts. After all, as a site owner, you want to make it as convenient as possible for a user to use your site.

This is why I added multiple OpenID support to IPv6Links.Net. You can add and remove OpenIDs from your profile by clicking on profile from your links page after logging in. Each account must have at minimum one OpenID associated with it.

Finally fixed the bug at http://ipv6links.net where entering an invalid OpenID such as the example iname =example.name or http://example in the login box would result in the login process hanging and eventually failing with the error
Fatal error: Allowed memory size of 8388608 bytes exhausted (tried to allocate 14592 bytes) in /home/www/ipv6links.net/login.php on line 76
I thought it was an issue with the PHP OpenID JanRain libraries but turned out to be the result of me creating an infinite loop.

The offending code:

// Render a default page if we got a submission without an openid
// value.
if (empty($_GET['openid_identifier'])) {
    $tplVars['msg'] = "Please enter a valid OpenID to log in.";

} else {

$scheme = 'http';
if (isset($_SERVER['HTTPS']) and $_SERVER['HTTPS'] == 'on') {
    $scheme .= 's';
}

$_SESSION['login_keeppass'] = ($_GET['keeppass'] == "yes");

$openid = $_GET['openid_identifier'];

$process_url = "http://ipv6links.net/finish_auth.php";

$trust_root = "http://ipv6links.net/";

// Begin the OpenID authentication process.
$auth_request = $consumer->begin($openid);

// Handle failure status return values.
if (!$auth_request) {
    $tplVars['error'] = "OpenID authentication failed. Please enter a valid OpenID.";
    include 'login.php';
    exit(0);
}

$auth_request->addExtensionArg('sreg', 'optional', 'email');

// Redirect the user to the OpenID server for authentication.  Store
// the token for this authentication so we can verify the response.

$redirect_url = $auth_request->redirectURL($trust_root,
                                           $process_url);

header("Location: ".$redirect_url);
exit(0);
}

Adding an if statement to check for an error before executing the initial OpenID login logic again on the bad OpenID identifier is the solution.

The working code:

// Render a default page if we got a submission without an openid
// value.
if (empty($_GET['openid_identifier'])) {
    $tplVars['msg'] = "Please enter a valid OpenID to log in.";

} else if(!$tplVars['error']) { // Check for previous errors before executing OpenID login process

$scheme = 'http';
if (isset($_SERVER['HTTPS']) and $_SERVER['HTTPS'] == 'on') {
    $scheme .= 's';
}

$_SESSION['login_keeppass'] = ($_GET['keeppass'] == "yes");

$openid = $_GET['openid_identifier'];

$process_url = "http://ipv6links.net/finish_auth.php";

$trust_root = "http://ipv6links.net/";

// Begin the OpenID authentication process.
$auth_request = $consumer->begin($openid);

// Handle failure status return values.
if (!$auth_request) {
    $tplVars['error'] = "OpenID authentication failed. Please enter a valid OpenID.";
    include 'login.php';
    exit(0);
}

$auth_request->addExtensionArg('sreg', 'optional', 'email');

// Redirect the user to the OpenID server for authentication.  Store
// the token for this authentication so we can verify the response.

$redirect_url = $auth_request->redirectURL($trust_root,
                                           $process_url);

header("Location: ".$redirect_url);
exit(0);
}

I logged into my email today to 50+ emails from eBay. My initial reaction was:

Great! Google’s email SPAM filter has finally broken down.

Unfortunately, it was not a simple case of spoofed eBay emails making it through the trusty SPAM filter. My eBay account had been hacked. Some one had gained access to my account and posted about 50 listings for “eBay Listing Confirmed: brand new CLH LRG DEAD SERIOUS HOODIE size XXXL” of different sizes. The final two emails from eBay were “TKO NOTICE: eBay Registration Suspension - Possible Unauthorized Account Use” and “TKO NOTICE: eBay Listing(s) Removed” indicating that eBay has disabled my account and removed the unauthorized listings. Good job eBay!

Why did this happen?

I’m not a frequent eBay user by any stretch of the imagination. In fact, I probably haven’t used my account in about two years.

Was my password strong and frequently changed?

No, of course not! If I used eBay on a daily basis, perhaps I would use a more difficult (and harder to remember) password and frequently generate new ones. However, like most users, even tech-savvy ones, I have other things to do with my time besides come up with, memorize and deploy new passwords. However, this problem of users having too many site credentials to remember and protect could be avoided if eBay and other sites adopted a decentralized authentication system such as OpenID in the future.

OpenID works by giving each user an URL or an iname that the user uses to identify herself to a website instead of creating a login and password for each site. After enter her OpenID (Step 1), the user is redirected to her OpenID provider to verify she is the owner of the OpenID provided (Step 2).

For those new to OpenID, I have taken screenshots of a hypothetical AOL user with screen name “YourSN” and OpenID “http://openid.aol.com/YourSN” trying to log on to ipv6links.net, my testbed for IPv6, OpenID, and other next-generation web technologies.

Step 1: Step 2:

Using OpenID, each person would only need to have one OpenID and could use the same OpenID to log on to any number of sites. The benefit of this is that abstracting the verification of a users identity away from the site to which she is logging in plus reducing the number of identities for which she must remember credentials allows advanced security techniques could be used to protect her identity.

Her OpenID would be better protected by simply selecting a stronger password and changing it frequently. It is much easier to frequently change passwords if one must only change it in one place instead of on every site on the Internet. Two factor authentication techniques such as SecurID or having the user answer a series of predefined questions could be used.

All of your eggs in one basket?

Some would argue that OpenID or other such web-based single sign on systems are akin to putting all of your eggs in one basket. There is some truth to this, in that if your OpenID is compromised, criminals can potentially access all of the sites where you use that identifier. However, the nice thing about having all of your eggs in one basket, is that it is much more feasible to fiercely guard one or two baskets to make it much harder for any Internet fox to get to your eggs than it is to guard the dozens of baskets that exist when users are forced to maintain a user name and password for each website.

Choose the most secure basket for your eggs

With the status quo users are forced to store information regarding their identity in whatever method a website offers. Identity storage and protection are usually not the core competencies of most websites including places like eBay. OpenID’s decentralization allows users in the free market to choose to put their proverbial eggs in the basket of an OpenID provider whose core competency and raison d’être is identity management and with a reputation for the most secure basket.

I posted earlier today about the bug in Ubuntu Feisty that causes Java apps that use GUI to fail. It turns out it is an upstream bug in Java 6 itself that is brought out by new xcb code in X11. As of now, it is unclear if Ubuntu will choose to downgrade X11 packages or wait until Sun or someone else fixes the bug in the Java.

Not wanting to uninstall Feisty and revert to Edgy or play around with manually downgrading libraries, the quickest work around to continue coding in Netbeans on my dual-head Feisty box has been to simply running Netbeans on another computer and display it to Feisty’s screen.

On box with newer X11 libraries that break Java (in this case running Feisty) we allow computer with hostname edgy to connect to the display.
user@feisty$xhost +edgy

On box with functioning Java 6, not broken by newer X11 libraries, we tell the computer where to send the GUI output of X11 programs.
user@edgy$export DISPLAY=edgy:0
user@edgy$netbeans

Please note that these directions assume dns is properly set up so that feisty and edgy can be resolved to their proper IP addresses. If you do not have DNS or the hosts file set up properly, please substitute the IP address for the hostnames.

Upgraded packages in Ubuntu Feisty in the past 24 hours have broken Java 6 (package sun-java6). Netbeans and other Java GUI applications no longer work. The error is as follows:

$ /opt/netbeans-5.5/bin/netbeans
java: xcb_xlib.c:50: xcb_xlib_unlock: Assertion `c->xlib.lock' failed.
Aborted (core dumped)


Bug #86103 has been filed at launchpad.net

It seems to be an issue with recently pushed out Feisty package updates for libX11 or mesa have the use xcb flag turned on. Downgrading the offending packages seems to be the best workaround at the moment.

Dreamhost users can vote on two suggestions to support IPv6 with Dreamhost plans.  One is to simply add AAAA record support to their DNS management interface.  The other is to add IPv6 connectivity either as part of existing plans or as a separate plan. (Not clear) If you have a plan with Dreamhost, make sure your vote is counted by visiting the link below!
https://panel.dreamhost.com/index.cgi?tree=home.sugg

Jolin (蔡依琳) is coming back to the east coast USA. Tickets are available at the gotobus website. Prices range from $48 to $168. That’s US DOLLARS! Not CNY, HKD or TWD! A bit expensive for my tastes. There are two performances, 12 hours apart (2am & 2pm) on Thanksgiving Day. Turkey or Jolin? A tough decision!