pouët.net

sceneid.net: OpenID fairy dust for the demoscene

category: general [glöplog]
gasman - just get on with it. You don't need the approval of those who, as suggested by their disapproval, are going to boycott it anyway.

But first, let me delete my home address, my National Insurance number, my bank details, my building society account number, my pet's name and all those photographs of my knob from my sceneID! Because, y'know, I'd hate to think it could become the weak point in modern-day electronic personal data storage through which my privacy was irreparably breached.
added on the 2007-12-16 21:32:03 by syphus syphus
kb: I guess there aren't many rational arguments against the OpenID system as a whole in theory. But we aren't talking about theory here. Practice is that gasman has created an OpenID provider that, if adopted by the scene, enables him to receive the account data of all sceners from all participating sites. I don't know gasman, so I don't trust him. Compared to him, I trust scene.org more. Yeah, in theory each of us could create his own OpenID provider, but that won't happen. Right now - like Leia said - the only real choice without investing time is not to use demozoo. As it appears demozoo is of no value to me anyway, so I couldn't care less. Things would change if other sites actually would pick up the system.

Things might be different if scene.org would be the OpenID provider instead of gasman...

And finally: Just as demozoo, that adopt-OpenID-inside-the-scene stuff to me appears as a solution to a problem that doesn't exist (or is already solved). And "waste of time" is a pretty rational argument.
added on the 2007-12-16 21:36:43 by scamp scamp
Quote:
the idea of openid (if i get it right) is going to spread worldwide, on a huge scale, and it's going to be a must for creative young minds to exploit to the fullest..


I can fucking create two hundred leijaa.*.org openids today with all the large providers, put there your personal details I gathered via google and link your slengpung pictures, and misuse these openids very creatively; all that without gasman's help. Such is life in the internet age, it has nothing to do with demozoo. Compared to this, the security problems / lack of trust existing here are almost nonexistent.

If you don't trust gasman at all, don't use demozoo (but that's stupid). If you only half-trust gasman, then use demozoo, but erase the url leijaa.sceneid.net (or whatever) from your mind, so it will be basically the same situation as with the two hundred fake identities I created and misused without your knowledge.
added on the 2007-12-16 21:59:18 by blala blala
syphus: You don't need to worry about losing your personal details anymore. HMRC made that a non-issue.

But ehm, I really don't get why implementing OpenID on any one site is such a big deal. Everyone seems to have his own interpretation of what the system is, but my understanding is that it's more or less just a standard for logins which CAN be used to let sites share user information, to the extent that the user in question wishes. Which means that the security/privacy issues are no worse than if you have a different login for every site (which you still can). There may in fact be fewer issues, since you can probably assume OpenID is more thought-through and reliable than the systems otherwise used by most sites.
added on the 2007-12-16 22:01:02 by doomdoom doomdoom
Quote:
Practice is that gasman has created an OpenID provider that, if adopted by the scene, enables him to receive the account data of all sceners from all participating sites.

Well, let's look at the alternatives I had:
1) Ignore SceneID entirely, and require everyone to sign up for a brand new account. Well, let's just say I had selfish reasons for wanting to avoid that route (and add that if you're questioning my motives there, you're also questioning the whole concept of SceneID.)
2) Make Demozoo a conventional SceneID partner website, with a username/password box on it, that, if adopted by the scene, enables me to... er, receive the account data of all sceners from all participating sites.

Quote:
Yeah, in theory each of us could create his own OpenID provider, but that won't happen.

Or you could sign up somewhere like myOpenID, and avoid the need to give me a password at all.

Quote:
Things might be different if scene.org would be the OpenID provider instead of gasman...

I'd be very happy to see that happen. They know what I'm doing, they know how to get hold of me, and I'd gladly offer any assistance I can to get it set up. They can even have the domain name if they like. I get the impression they're a bit busy though.

Quote:
that adopt-OpenID-inside-the-scene stuff to me appears as a solution to a problem that doesn't exist (or is already solved).

No, it does exist, and you identified it quite nicely above (as did Dbug earlier)...
Quote:
I don't know gasman, so I don't trust him.

The fact that SceneID requires you to trust a website owner with your password is a limitation of SceneID.
added on the 2007-12-16 22:31:22 by gasman gasman
gasman, SceneID sites could very well work without having to give them any passwords at all. You'd have to ask users to log on to scene.org first before visiting your site.

In the grand scheme of it, it does not even seem that impractical.

added on the 2007-12-16 22:38:00 by _-_-__ _-_-__
BB Image
added on the 2007-12-16 22:42:45 by doomdoom doomdoom
leia, reread my last post (a few posts above yours).
added on the 2007-12-16 22:47:05 by skrebbel skrebbel
gasman:

Alternative 1.) would have worked nicely. If someone really cares about demozoo, he can sign up for it.

Quote:

Or you could sign up somewhere like myOpenID, and avoid the need to give me a password at all.


This may come as a surprise, but I actually trust some "JanRain Inc" even less than I trust you. I don't want you to be able to login using my personal data to a third-party site, and I don't want "JanRain Inc" to be able to login using my personal data to a third-party site. The easy solution to this trust-thing doesn't require any kind of rocket science trust-network: I use different auth data per website, and the worst thing the site owner can do is to abuse this data to login to his very own website. THAT's an easy, working and proven solution. Simple and effective. Not a single thread about it at pouet.net, everybody knows how it works, no questions asked.

(And yeah, pretty much the same applies to SceneID, but I never cared because I was under the impression that it is only used for sites that are under the control of scene.org RY.)
added on the 2007-12-16 22:47:10 by scamp scamp
and gasman's.
added on the 2007-12-16 22:51:28 by skrebbel skrebbel
Quote:
(And yeah, pretty much the same applies to SceneID, but I never cared because I was under the impression that it is only used for sites that are under the control of scene.org RY.)


indeed - so don't shoot the messenger :)
added on the 2007-12-16 22:52:35 by skrebbel skrebbel
If I understand correctly anyone can set up an OpenID provider, so do I understand it correctly that I could be my own private OpenID provider? That would basically solve the trust issue that Scamp mentions (only for those with the skills/facilities to set up such a thing of course).
added on the 2007-12-16 22:57:16 by sparcus sparcus
knos: Yep, it could be done with an appropriate sequence of information exchanges (site redirects user to scene.org with a random key, scene.org associates random key with logged-in user and redirects them back, site asks scene.org who the random key is attached to), but when you've done that, you've basically reinvented the OpenID protocol...

sparcus: Yep. Of course, you still have to trust your hosting provider, your ISP, the company that supplied your operating system, Intel... :-)
added on the 2007-12-16 23:11:17 by gasman gasman
sparcus: It only solves the problem in theory. In practice I guess next to everyone will pass his data to a single provider.

And even in theory the whole system stinks. Let's compare it to keys in the physical world: I have about 20 keys or so for different doors - just as I have different login data for different sites. OpenID in the real world would be that in future I only would have a single key, and I'd need to name a single person/authority that I would trust enough to give him that single key to all the doors. In the real world I can not imagine any person I would trust enough to give him a single master key to everything I have access to.

It doesn't matter if it's gasman, "JanRain Inc", "Microsoft Passport" or whoever - I don't want a single organization to have a master key. I prefer individual keys.
added on the 2007-12-16 23:11:39 by scamp scamp
(and yes, I'm aware that one could work around this issue by having multiple OpenID logins from different OpenID providers - but hey, "a different key per site" is so much simpler and more flexible than that...)
added on the 2007-12-16 23:13:52 by scamp scamp
scamp wins
added on the 2007-12-16 23:28:55 by manx manx
I just don't get why "Login here - use your Scene.org, Pouet.net or Demoparty.net username/password" isn't good enough?
added on the 2007-12-16 23:51:42 by gloom gloom
Quote:
In a nutshell, this development is a way to reduce Demozoo's dependence on scene.org's resources (hardware and manpower)

I wasn't aware there _was_ a problem with Scene.org resources.
added on the 2007-12-16 23:53:12 by gloom gloom
blabla:

You could create all those things with data you can openly find about me. And I couldn't care less.
What I would care about is when you for some reason got a correct password connected up with that and some young hotshot managed to (for whatever reason) get a list of openid login info and passwords including mine.

Yes, of course some idiot could do the same on slengpung, with sceneid etc. But the chances are way less than with an openid system "everyone" knows about.

Yes, of course (and quite probable), some idiot could do the same with facebook, or wherever. But that would be my own fault then for being stupid enough to give my password to them. (And yes I'm aware this is exactly what openid is supposed to prevent).

I find the chances even bigger with openid, especially the part where "everyone can be a provider". Maybe you guys are right, maybe it's completely safe, but I don't trust that system. And I think there could be at least a possibility to choose if you want to trust that system or not.

Oh and what gloom said, and what scamp said.
added on the 2007-12-17 06:30:47 by leijaa leijaa
gasman: so, the bottom line is, is it really that hard to do a "connect this sceneid with openid" checkbox? like yes/no? and if no, then don't?
added on the 2007-12-17 07:11:53 by leijaa leijaa
Yep, it is that hard. Demozoo is exclusively using OpenID logins now, so having a 'don't connect this sceneid with openid' option would either mean "actually don't log me in at all", or it would do something reassuring but technically bogus, like setting a flag in the database to say "automatically deny any login requests from anything other than demozoo.org". (Which would be a waste of time, because the only person who can initiate login requests is you - or someone else who's got hold of your password - and anyone who can do that can turn that flag off.)

Quote:
[if] some young hotshot managed to (for whatever reason) get a list of openid login info and password including mine

I don't store passwords. A cracker could retrieve SceneID passwords from sceneid.net if they managed to intercept them at the point that people submit them, but that's the same as any other conventional SceneID-enabled site. And if it gets widely adopted, OpenID would mean that you enter your password less often, and on fewer sites, which means fewer points of failure.
added on the 2007-12-17 11:58:39 by gasman gasman
As a side-note: What happens when a provider dies? I remember having this problem with sceneid and mso. In the end I had to save the "last-remembered-password" in my DB anyway, of course MD5'd and yadda yadda but still, I had to keep the login local to let people log in during, let's say, Easter. I am quite sure that this is done on most SceneID connected sites that aren't hosted on scene.org servers because of the same reason.

A really good reason to have the login bound to a site, and stored at a site is that: When the site works, your login will work. And you *know* that the data is stored on the server, so if you do not trust that specific server but find an account can be "fun to have" you will not set a password you use for something important.
added on the 2007-12-17 12:37:09 by Hatikvah Hatikvah
Quote:
I am quite sure that this is done on most SceneID connected sites that aren't hosted on scene.org servers because of the same reason.

Are there actually any besides yours and mine? (FWIW, Demozoo *didn't* have such a backup plan when scene.org went down for a weekend this August, which was one of my motivations for sceneid.net. I just went for a slightly more over-engineered solution :-) )

What happens when a provider dies: The short answer is, you switch to a different one. Now, normally that would mean you'd lose out on any history/reputation (think: glop count) from the old one, but there are a couple of ways around that:
1) If the site allows associating multiple OpenIDs with one user account (so both gasman.sceneid.net and gasman.myopenid.com would get me into the 'gasman' account). Demozoo doesn't, yet, but it's on my radar as a low-priority thing.
2) You make use of OpenID delegation. See the two lines I've stuck in the HTML header at matt.west.co.tt, which make it possible to use matt.west.co.tt as my OpenID, and instantly switch it to something other than sceneid.net if it breaks. (This does mean that Demozoo will see me as matt.west.co.tt, which isn't ideal if I've already built up a history/reputation as gasman.sceneid.net... so this would work better in combination with number 1 above.)

(Both of those methods require a bit of advance planning, and there's no real way around that: it's a bit difficult to prove that you have control over gasman.sceneid.net while that URL is dead.)
added on the 2007-12-17 13:47:13 by gasman gasman
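Option 2 above relies on OpenID 1.x delegation: two `<link>` tags in the HTML head of the page you use as your identifier, one naming the provider endpoint (`rel="openid.server"`) and one naming the identity the provider knows you as (`rel="openid.delegate"`). The relying party fetches the page, reads those tags, and talks to whatever provider they point at, which is why switching providers is a one-line edit. The following is an added example of that discovery step, not the thread's code and not Demozoo's; the sample page, all URLs and all function names are constructed. It only looks inside `<head>` and, as the practitioner's caveat, refuses endpoints that are not absolute http(s) URLs, so a stray tag in page body content cannot redirect a login.

```python
"""Relying-party discovery of OpenID 1.x delegation <link> tags.

Added example with constructed sample data; not code from any project.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# constructed sample: an identity page that delegates to a separate provider
SAMPLE_IDENTITY_PAGE = """<html><head>
<title>constructed identity page</title>
<link rel="openid.server" href="https://provider.example/openid/server">
<link rel="openid.delegate" href="https://alice.provider.example/">
</head><body><link rel="openid.server" href="https://evil.example/"></body></html>"""

_WANTED = ("openid.server", "openid.delegate")


class _HeadLinkCollector(HTMLParser):
    """Collects the first openid.server / openid.delegate link found inside <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
            return
        if not self._in_head or tag != "link":
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        # rel may carry several whitespace-separated tokens; match any of them
        for token in (attrs.get("rel") or "").lower().split():
            if token in _WANTED and href and token not in self.links:
                self.links[token] = href  # first occurrence wins, as in the spec

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False  # links in <body> are ignored from here on


def _is_absolute_http_url(url):
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def discover(html, claimed_url):
    """Return {"server": endpoint, "identity": id-as-known-to-provider}, or None.

    With no openid.delegate tag the provider is asked about claimed_url itself.
    """
    collector = _HeadLinkCollector()
    collector.feed(html)
    server = collector.links.get("openid.server")
    if server is None or not _is_absolute_http_url(server):
        return None
    identity = collector.links.get("openid.delegate", claimed_url)
    if not _is_absolute_http_url(identity):
        return None
    return {"server": server, "identity": identity}


if __name__ == "__main__":
    print(discover(SAMPLE_IDENTITY_PAGE, "https://matt.example/"))
```

Note what the relying party ends up with: it authenticates `identity` at `server`, but the account it creates is keyed on `claimed_url`. That is the behaviour gasman describes (Demozoo sees him as matt.west.co.tt rather than gasman.sceneid.net), and it is also why delegation has to be set up before the old provider disappears.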
gasman: Ok, so you admit that it's overengineered. It's also hopefully now obvious that "one has to trust a provider enough to hand him over a single master key for all sites one visits" is a conceptual flaw. It should also be clear that the implementation you've taken, making yourself the preferred SceneID->OpenID provider, which results in you getting the master keys to all sites from all sceners, doesn't sound acceptable to some. Due to the way "sceneid.net" currently is designed, I also guess many people won't actually understand that by using it they'll hand over their master key to you, which is something they ought to know beforehand IMHO.

So - looking at this, how about taking the logical consequences? ;)
added on the 2007-12-17 14:21:06 by scamp scamp
Quote:
Ok, so you admit that it's overengineered.

As a solution for a single site coping with scene.org downtime, yep. If and when other sites choose to use it, it may become less over-engineered.

Quote:
making yourself the preferred SceneID->OpenID provider

Fine, I'll switch it to the official scene.org SceneID->OpenID service right away. Oh, wait, there isn't one.

Quote:
results in you getting the master keys to all sites from all sceners, doesn't sound acceptable to some.

I'm all in favour of people making an informed decision on that. I hope that the majority will take the fact that I haven't hijacked anyone's pouet account in the last 12 months as a point in my favour, and choose to trust me. Those who don't, have the option of using an alternative OpenID provider. And those who don't trust *any* OpenID provider won't be able to log in to Demozoo. I won't lose any sleep over that, and I'm sure you won't either.

Quote:
Due to the way how "sceneid.net" currently is designed, I also guess many people won't actually understand that by using it they'll hand over their master key to you, which is something they ought to know beforehand IMHO.

This is supposed to be a clue:
Quote:
Created by Gasman / H-Prg. sceneid.net is not officially endorsed by scene.org (yet)

I do plan to put up a proper FAQ there at some point though.
added on the 2007-12-17 15:23:11 by gasman gasman