15 February, 2008

OpenID: Web 2.1


Péter Gyöngyösi - software developer

It did not make it into the headlines anywhere but on hardcore tech portals, even though it's a huge step: Microsoft, IBM, Google and Yahoo teamed up to support the OpenID initiative.

So what is OpenID? At its core it is a simple single-sign-on system: you authenticate once with an identity provider and use that identity to log in to separate websites, much as a Google account or Microsoft Passport lets you do, except that anyone can run a provider and users choose which one to trust. Of course it takes some serious technical work to make it scale to millions of sites, but that is not what makes it interesting: it's what it enables us to do.

The most entertaining way to learn about the philosophy behind this concept is Dick Hardt's great OSCON 2005 keynote. The main point of the whole Identity 2.0 idea comes straight from the Web 2.0 "revolution". As more and more of the content on the web comes from user contributions, so grows the need to know exactly who wrote this or rated that. Sites have already solved the problem on their own: we have the feedback system on eBay, we have karma on Slashdot and we have Facebook. The core of the Identity 2.0 utopia is to connect these pieces of information about a user's history and reputation, and OpenID is its first building block.

To realize its importance from the security point of view, we have to notice one fundamental fact: allowing a user to modify our content does not mean that we fully trust that user. A malicious user can cause harm in a technically perfect system: the vandals at Wikipedia or the agents busy rating down the competition at Amazon have probably never heard of fancy things like XSS or SQL injection and yet they still manage to cause serious headaches to those operating these sites.

An account at a single web service is not worth much: unless you are a diehard member of that community (and only a handful of users are), it says little about you, and being banned is a minor inconvenience. Connecting the identities, however, creates a totally different situation: you can expect more and you can demand more responsible behavior from users. You can trust respected members of other communities, you can prove to others that someone is a great guy, and you can be cautious with someone that no one has ever heard of.

It's somewhat similar to the situation when a bank asks for the utility bills of the last few months when deciding about granting you a loan. They're not interested in your water consumption: they're interested in whether you're an accepted and respected member of the economy or not, and they are asking the other members of the market about that. If OpenID gains wide acceptance, we'll all have the choice to either remain conveniently anonymous, accepting the distrust that a stranger always has to face, or to show our online identity and prove that our opinion matters and that our actions pose no danger. And that will be the greatest change in the history of web services.
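The post describes OpenID only as a central login. As an added example that is not from the post or from any OpenID library, the block below shows what the relying-party side of that login must verify on an OpenID 2.0 positive assertion (the `id_res` response the provider sends the browser back with) before trusting the claimed identity: that the required fields are covered by the signature, that the HMAC over them checks out under the association's MAC key, that the response was meant for this site, and that the response nonce is fresh and has not been accepted before. The MAC key, the provider endpoint, the identifiers, the nonce and the clock value are constructed for the example, and the association is assumed to be of type HMAC-SHA256.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Fields OpenID 2.0 requires openid.sig to cover in every positive
# assertion; claimed_id and identity must be signed too when present.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def kv_form(params, signed_fields):
    """Key-value form of the signed fields: one 'key:value\\n' line per field,
    in the order given by openid.signed, keys without the 'openid.' prefix."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed_fields)


def compute_sig(params, mac_key, signed_fields):
    """Base64 HMAC over the key-value form (HMAC-SHA256 association assumed)."""
    mac = hmac.new(mac_key, kv_form(params, signed_fields).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def verify_assertion(params, mac_key, expected_return_to, seen_nonces, now,
                     max_skew=timedelta(minutes=5)):
    """Return (True, claimed_id) if the assertion is acceptable, else (False, reason).
    seen_nonces is the relying party's store of (op_endpoint, nonce) pairs already accepted."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed = params.get("openid.signed", "").split(",")
    missing = REQUIRED_SIGNED - set(signed)
    if missing:
        return False, "required fields not signed: " + ",".join(sorted(missing))
    if any(f"openid.{k}" in params for k in ("claimed_id", "identity")) \
            and not {"claimed_id", "identity"} <= set(signed):
        return False, "identity fields present but not signed"
    # The assertion must have been issued for this relying party's return URL.
    if params.get("openid.return_to") != expected_return_to:
        return False, "return_to does not match this relying party"
    try:
        expected_sig = compute_sig(params, mac_key, signed)
    except KeyError:
        return False, "signed list names a field that is absent"
    if not hmac.compare_digest(expected_sig.encode(), params.get("openid.sig", "").encode()):
        return False, "bad signature"
    # The nonce starts with a UTC timestamp (RFC 3339, 'Z', no fractions); the
    # rest is provider-chosen. Reject stale and previously seen nonces.
    nonce = params["openid.response_nonce"]
    try:
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed response_nonce"
    if abs(now - issued) > max_skew:
        return False, "response_nonce outside the accepted time window"
    key = (params["openid.op_endpoint"], nonce)
    if key in seen_nonces:
        return False, "replayed response_nonce"
    seen_nonces.add(key)
    return True, params.get("openid.claimed_id")


# Constructed values for the example; a real MAC key comes from the association
# established with the provider, and the clock is the relying party's own.
MAC_KEY = b"constructed-association-mac-key-example"
RETURN_TO = "https://rp.example.com/openid/return"
EXAMPLE_NOW = datetime(2008, 2, 15, 10, 0, 30, tzinfo=timezone.utc)


def constructed_assertion(nonce="2008-02-15T10:00:00Zk7Qx"):
    """A positive assertion as a provider would send it, with a valid signature."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.org/server",
        "openid.claimed_id": "https://alice.example.org/",
        "openid.identity": "https://alice.example.org/",
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": "assoc-constructed-1",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = compute_sig(params, MAC_KEY, params["openid.signed"].split(","))
    return params


if __name__ == "__main__":
    seen = set()
    print(verify_assertion(constructed_assertion(), MAC_KEY, RETURN_TO, seen, EXAMPLE_NOW))
    # Delivering the same response a second time must fail as a replay.
    print(verify_assertion(constructed_assertion(), MAC_KEY, RETURN_TO, seen, EXAMPLE_NOW))
```

The order of the checks matters for a real deployment: cheap structural checks and the return_to comparison come first, the HMAC is compared in constant time, and the nonce is recorded only after the signature has been verified, so a forged response cannot be used to burn a legitimate nonce.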

12 February, 2008

To work or to surf? To trust or to control?


Péter Gyöngyösi – software developer

A few days ago I read in the news that Washington DC employees were dismissed for visiting an "egregious" number of porn sites from their office computers. The employees' actions were revealed by an internal investigation with "scandalous" results. In the end, nine of the most prolific surfers were dismissed, as a deterrent to the thousands of other employees. As a conclusion to the investigation, the Mayor's office decided to buy content-filtering devices: better late than never.

www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9058938&source=rss_topic17

Actually, there is nothing new in this: similar disciplinary proceedings are probably started somewhere in the world every day. What makes the case noteworthy is the debate that unfolds again and again between employers and employees about monitoring employees' actions during working hours. During our lunch break we had heated discussions about what rights we have as employees, and what we are able to control and monitor as security experts.

E-mail secrecy and privacy run deep in European law and culture, but it is equally beyond dispute that companies have the right to control the traffic on their own networks. These two rights often collide, and laws and regulations have yet to catch up with the technology.

Therefore, companies must make their position clear: inform employees in writing about what they are permitted to do on the company's IT infrastructure, and what measures the company takes to control that use. The cited article does not mention whether the Washington office had any written policy on Internet use, but being caught spending most of your working time not working is a casus belli anyway.

The most defensible procedure is for the company to operate a system in which those entitled to do so can access an employee's mail and web traffic only for a valid reason, and only after informing the employee. Every such case should be thoroughly documented. Naturally, the "valid reasons" should be clearly defined as well, and continuous monitoring should be performed by automatic content-filtering engines that collect only statistical data.

For example, if the content-filtering engine shows that someone visits 178 pornographic websites a day, that employee can be disciplined if visiting such sites is against company policy. Exactly which pages the employee visited, however, should be reviewed only if the employee disputes the claim and does not accept the statistics.
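The two-tier arrangement described in the last two paragraphs (statistics always available, per-URL detail only with a recorded reason) is straightforward to build into the monitoring pipeline itself rather than leaving it to procedure. The block below is an added example, not code from the post or from any product: it reads constructed proxy log lines, keeps only per-user, per-day, per-category counts in the tier that reports and flags, and releases the actual URLs only through a method that demands a named requester and a written reason and writes an audit entry. The log format, the category names and the threshold are assumptions for the example; real proxies log differently.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log: ISO-8601 timestamp, user, filter category, URL.
SAMPLE_LOG = """\
2008-02-11T09:01:12Z alice news http://news.example.com/front
2008-02-11T09:02:40Z bob adult http://adult.example.net/page1
2008-02-11T09:03:05Z bob adult http://adult.example.net/page2
2008-02-11T09:05:17Z alice webmail http://mail.example.org/inbox
2008-02-11T11:40:09Z bob adult http://adult.example.net/page3
2008-02-12T08:15:33Z bob news http://news.example.com/front
"""


@dataclass(frozen=True)
class Hit:
    day: str
    user: str
    category: str
    url: str


def parse_log(text):
    """Parse the assumed 'timestamp user category url' format into Hit records."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, category, url = line.split(maxsplit=3)
        hits.append(Hit(ts[:10], user, category, url))
    return hits


class AccessMonitor:
    """Tier 1 holds counts only; tier 2 holds URLs and is gated and audited."""

    def __init__(self, prohibited_categories):
        self.prohibited = set(prohibited_categories)
        self._counts = defaultdict(int)   # (user, day, category) -> hits
        self._detail = defaultdict(list)  # (user, day) -> [Hit]; never reported directly
        self.audit_log = []

    def ingest(self, hits):
        for h in hits:
            self._counts[(h.user, h.day, h.category)] += 1
            self._detail[(h.user, h.day)].append(h)

    def daily_stats(self, user):
        """Tier 1: {(day, category): count}. No URL leaves this method."""
        return {(day, cat): n for (u, day, cat), n in self._counts.items() if u == user}

    def violations(self, threshold):
        """Users whose count in a prohibited category on some day reaches threshold."""
        return sorted((u, day, cat, n) for (u, day, cat), n in self._counts.items()
                      if cat in self.prohibited and n >= threshold)

    def review_detail(self, user, day, requester, reason):
        """Tier 2: release the URLs for one user-day only with a recorded justification.
        The audit entry records that the employee still has to be notified."""
        if not requester or not reason.strip():
            raise PermissionError("detail review needs a named requester and a written reason")
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "requester": requester, "subject": user, "day": day,
            "reason": reason.strip(), "employee_notified": False,
        })
        return [h.url for h in self._detail[(user, day)]]


def build_monitor():
    """Monitor loaded with the constructed sample log; 'adult' is the prohibited category."""
    m = AccessMonitor(prohibited_categories={"adult"})
    m.ingest(parse_log(SAMPLE_LOG))
    return m


if __name__ == "__main__":
    m = build_monitor()
    print("violations:", m.violations(threshold=3))
    print("bob stats:", m.daily_stats("bob"))
    # Detail is released only when the employee disputes the figures.
    print(m.review_detail("bob", "2008-02-11", "hr-officer", "employee disputes the daily count"))
    print(m.audit_log)
```

Keeping the two tiers in separate structures is the point: the reporting and alerting path only ever touches `_counts`, so a bug or an over-curious administrator in that path cannot leak browsing history, and every release from `_detail` leaves a record of who asked and why.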

Our company develops IT security solutions, and we are often criticized because our products can be used to build total surveillance. My answer is always the same: unregulated chaos does no good to anyone. It is better to permit something explicitly than to ignore it, even if many people fail to see the difference.