OpenID

FAQ



This page documents frequently asked questions about OpenID. For frequently asked questions from the press, see the Press FAQ.

You're encouraged to ask questions here and on the mailing lists.



General OpenID Questions

What is OpenID?

OpenID is a system for logging in to multiple websites with a single identity, allowing you to prove you are the same person across multiple sites.

How is this different from using a centralized Single Sign-On service (such as Microsoft Passport)?

With a centralized single sign-on system, one service and often ultimately one company is in control of the system. If you wish to take part, you must trust that single service and the associated company not to abuse the power granted to them. OpenID is decentralized, which means that anyone can act as a provider without needing to register or gain permission from any one central organisation.

The benefit of this is that you are free to select a provider that you trust and that suits your needs. Public OpenID providers compete in a free market to provide the best value for their users with no central controlling authority. If none of the public OpenID providers are suitable, you can (with some technical knowledge) act as your own provider.

Additionally, OpenID offers a feature called delegation which allows you to use your own website as your OpenID identifier while using a third-party OpenID provider. The benefit of this is that you are free to switch between OpenID providers whenever you like, so if you discover a new provider which provides better features you can switch without losing your existing identifier. Setting this up requires only the ability to add a small snippet of HTML code on the page you wish to use as your identifier.

Couldn't hackers just take over one database and steal everyone's information for everything?

Unlike many past "single sign-on" systems, OpenID does not use a central database of all information about all users. However, it is true that each distinct provider will maintain some kind of database of information about its users. It is therefore important to choose a reputable OpenID Provider to host your identity. If you are unsatisfied with the public providers, it is possible to act as your own provider using software described elsewhere on this wiki.

Who owns OpenID?

No-one owns OpenID. OpenID is an open standard and protocol with readily-available specifications, so anyone is able to implement it without any need to register or gain permission from a central entity.

OpenID was invented by Brad Fitzpatrick and Six Apart, but has been taken forward by many other contributors including several companies, some of which provide OpenID Provider services. However, you are free to choose any provider you wish or to run your own.

Work is underway at this time to form an OpenID community organisation or foundation. This foundation will act as a necessary owner and protector of intellectual property relating to OpenID, including its trademarks. However, the protocol will remain free and open. Since the exact nature of the OpenID organisation is still being discussed, this section will be updated at a later date to give more complete information.

Sep 26, 2007: A new IPR proposal is open for immediate feedback. See the request for feedback.

Questions from Potential Users

Why should I get an OpenID?

Once you have an OpenID identifier, which comes in the form of a web address or URL, you can sign in to any site which accepts OpenID logins without creating a separate account at each individual site. Lots of sites are already accepting OpenID logins, and this number is growing every day.

Once you have established an OpenID identifier you can sign on to two or more sites with the same identifier, allowing you to prove to others that you are the same user. You will also no longer need to create a separate password at each OpenID-supporting site, since your single OpenID provider checks your login on their behalf.

How can I get an OpenID Identifier?

An increasing number of existing sites are adding OpenID identity services alongside their existing facilities, so you may have an OpenID identifier already without realising it. All users of LiveJournal, TypeKey, WikiTravel, GreatestJournal and Vox -- among others -- already have OpenID identifiers.

There are also several organisations which provide dedicated OpenID services rather than bundling them with existing services. These public OpenID providers operate independently of any central controlling authority, so you can select a service which suits your needs; your identifier will still work across the spectrum of sites accepting OpenID sign-in.

Does using an OpenID login help protect me from Phishing attacks?

To a certain extent. Since you only ever give your username/password to one site, your OpenID provider, it becomes harder to trick users into giving up their commonly used password at a slightly unfamiliar site. In addition, there are browser extensions such as Ph-Off that will clearly identify when you are at your OpenID Provider's login page.

Do I need to have a blog to use OpenID?

No. Although several OpenID providers also provide blog services, there are many OpenID Providers which provide only OpenID services. This wiki contains a list of the major OpenID providers. In the future, it is hoped that some of the popular social networking sites will begin to offer OpenID services too.

How can I use my own domain as an OpenID?

Any URL can be an OpenID. You just need to add a few lines to the <head> section of the document to define what the server for that ID is. See the Delegation page for details.

If someone gains control over my domain, would they be able to access my account?

Yes. Since anyone with control over your domain can cause it to resolve to any server they wish, they effectively have control over your OpenID identifier just as they have access to your incoming email at that domain and the ability to put any content they like on the website hosted there.

It is important to ensure the security of the domain you use for your OpenID identifier URL. This involves choosing a reputable registrar and domain name services and ensuring that you can trust anyone who could potentially put content at your identity URL. You must also ensure that your domain does not expire, or if you are intentionally letting it expire you must make sure to remove any sensitive information that the new owner may be able to access or close accounts associated with your identifier.

Those relying on third-party services to host their identifier URL and related services need not worry about much of the above, but must ensure that they select a reputable OpenID provider.
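The delegation lines in the <head> of your identifier page decide which provider answers for your identifier, so anyone who can edit that page can repoint it. The following check is an added example, not code from this wiki or from any OpenID library: it reads the delegation links from a page and reports any value that differs from the ones the owner set up. It assumes the page has an explicit <head> element; the function names and the example.net endpoints are made up for illustration.

```python
from html.parser import HTMLParser

# Link relations that carry delegation (OpenID 1.x names and OpenID 2.0 names).
PROVIDER_RELS = {"openid.server", "openid2.provider"}
LOCAL_ID_RELS = {"openid.delegate", "openid2.local_id"}

class HeadLinks(HTMLParser):
    """Collect (rel, href) pairs from <link> tags inside <head> only."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = (a.get("href") or "").strip()
            for rel in (a.get("rel") or "").lower().split():
                self.links.append((rel, href))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def read_delegation(html):
    """Return (provider endpoints, delegated identifiers) declared by the page."""
    parser = HeadLinks()
    parser.feed(html)
    providers = {h for r, h in parser.links if r in PROVIDER_RELS}
    local_ids = {h for r, h in parser.links if r in LOCAL_ID_RELS}
    return providers, local_ids

def audit(html, allowed_providers, allowed_local_ids):
    """List every delegation value that differs from what the owner set up."""
    providers, local_ids = read_delegation(html)
    findings = [] if providers else ["no provider link in <head>"]
    findings += ["unexpected provider: " + p for p in sorted(providers - allowed_providers)]
    findings += ["unexpected delegate: " + d for d in sorted(local_ids - allowed_local_ids)]
    return findings

# Constructed sample page; the example.net endpoints are placeholders.
SAMPLE = """<html><head><title>Alice</title>
<link rel="openid.server" href="https://openid.example.net/server">
<link rel="openid.delegate" href="https://alice.openid.example.net/">
<link rel="openid2.provider" href="https://openid.example.net/server">
<link rel="openid2.local_id" href="https://alice.openid.example.net/">
</head><body><p>Alice's home page</p></body></html>"""
```

Run on a schedule against the live page, an empty result means the delegation is unchanged; any finding means the page content or the domain behind it should be reviewed.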

What if I have an account at one site that I don't want associated with me?

You can create as many independent OpenID identifiers as you wish. If you wish to use a site without that usage being traceable back to your normal identifier, you can simply create a second identifier and use that; there is no direct technical means offered by OpenID to detect that these two identifiers are related, though of course the methods that were previously available such as IP address logging still apply.

Some OpenID Providers offer the ability to automatically generate one-time identifiers for a given site, but you should be aware that when using such a service the OpenID Provider will have an internal record of the relationship between the two identifiers, and thus you must ensure that you trust the provider with this information. If in doubt, you can set up your second identifier at a different provider.

Can I use my Email address?

OpenID uses URLs (web addresses) as identifiers, not email addresses. This is often an advantage because by giving your email address you are opening yourself up to the possibility of unwanted email. It is possible for OpenID services to provide identifiers that resemble email addresses, but this is not recommended unless the actual email address that matches the identifier represents the same user, to avoid confusion. In most cases, you will get your email services from a different organisation than your OpenID services, so this is not possible.

In most cases, your identifier URL as issued by your provider will look something like http://username.provider.com/, which you can write as username.provider.com when signing in. If you are using delegation to use your own domain as your identifier, you may be able to arrange for your identifier to be http://username@example.com/ (which you can write as username@example.com), but it is often easier to use just http://username.example.com/ or even http://example.com/ instead.

Questions from Sites Potentially Accepting OpenID Logins

If anyone can create an OpenID identifier, how can I trust OpenID users?

An OpenID identifier is just that: an identifier. It's just like the usernames you may already use on your site, but rather than being specific to your site they are usable across the web. An OpenID identifier can be just as trusted as a local username if you treat it right.

When users sign up for an account on your site, do you ask them to validate an email address and pass a CAPTCHA test? You can do that with OpenID Identities too, if you like! The best way is to have your site collect this information from the user the first time you see a login from a particular identifier. If this is troublesome for some reason, you can also adapt your "sign up" page to allow a user to enter an OpenID identifier instead of a username/password. You don't need to change the remaining sign-up steps at all, so you can make the user jump through as many hoops as you like!

Does accepting OpenID logins protect me from spam?

OpenID Authentication merely allows you to validate that a user is allowed to use a given URL to log in. It doesn't tell you anything about that user. This means that OpenID Authentication alone does not do anything to improve the spam situation, but since OpenID provides identity it is possible to build reputation and "human-checking" services on OpenID's foundation.

For example, you could use a CAPTCHA test in conjunction with an OpenID login to test if the remote user is a human. Once you have performed this test, you can store the fact that the CAPTCHA test succeeded to avoid testing that same user again in the future. OpenID also provides you with an authenticated handle to use for banning undesirable users or whitelisting trusted users. It is hoped that as OpenID support improves in blogging and forum software such facilities will become more readily available.
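The first-login check and the ban and whitelist handling described in the answers above can be sketched as follows. This is an added example, not code from this wiki or from an OpenID library: it assumes the identifier passed to decide() has already been verified by your OpenID library, the names normalize and LoginGate are hypothetical, and the in-memory sets stand in for your site's database. Identifiers are reduced to one canonical key so that a ban entered as "user.provider.example" also matches "http://user.provider.example/".

```python
from urllib.parse import urlsplit, urlunsplit

def normalize(identifier):
    """Canonical key for a URL identifier (simplified; XRIs are not handled)."""
    s = identifier.strip()
    if "://" not in s:
        s = "http://" + s                    # bare "username.provider.com" form
    u = urlsplit(s)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError("not an http(s) identifier: %r" % identifier)
    userinfo, _, hostport = u.netloc.rpartition("@")
    netloc = (userinfo + "@" if userinfo else "") + hostport.lower()
    # Empty path becomes "/", fragment is dropped.
    return urlunsplit((u.scheme, netloc, u.path or "/", u.query, ""))

class LoginGate:
    """Per-identifier state a site keeps alongside OpenID logins."""
    def __init__(self):
        self.checked = set()   # passed email validation / CAPTCHA once
        self.banned = set()
        self.trusted = set()

    def ban(self, identifier):
        self.banned.add(normalize(identifier))

    def trust(self, identifier):
        self.trusted.add(normalize(identifier))

    def record_checks_passed(self, identifier):
        self.checked.add(normalize(identifier))

    def decide(self, verified_identifier):
        key = normalize(verified_identifier)
        if key in self.banned:
            return "deny"                    # a ban overrides everything else
        if key in self.trusted or key in self.checked:
            return "allow"
        return "challenge"                   # first login: run sign-up checks
```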

How can I integrate OpenID with my project?

Libraries that implement the protocol are available in many languages.

Relationship with Other Technologies

How does OpenID relate to CardSpace?

Fill in.

How does OpenID relate to SXIP and DIX?

Fill in.

Wiki specific questions

How do I create a username?

This wiki uses OpenID to manage user accounts and logins. You can get an OpenID from MyOpenID or ClaimID, as well as from other Identity Providers.

How to become a member of OpenID Europe for Spain?

I noticed that you have a foundation in Europe. I have an important project for OpenID in Spain and I notice that you do not yet have a member in Spain. I am very interested in becoming a member. What is necessary to do? Thank you for your answer. --bartagas 10:53, 24 March 2007 (PDT)
