StartSSL™ OpenID Provider


A new year and already a new service: StartSSL™ is going to be an OpenID provider for digital identities! This is great news for various reasons…
Last summer (2007) I asked on this web log whether there was going to be a more secure future for OpenID. In that post I explained where the dangers are and why StartCom doesn’t support it. Others took it much further; here, for example, is a practical beginner’s guide to OpenID phishing. Outshhh! At least I mentioned two additional policy extensions which gave me some hope for a better future of the OpenID framework and standard.

But I wasn’t alone. Stefan Brands wrote extensively in this article about the major problems of OpenID. Starting with security and privacy, he also raises the issue of trust, claiming that OpenID is yet another identity-transport system lacking trust. Quite right. And this might be problematic for the relying parties, i.e. the web sites trusting OpenID identifiers.

So what has changed? First of all, the OpenID Authentication 2.0 standard was approved. Many aspects have improved since version 1.1, even so, in my opinion some provisions don’t go far enough, for example the requirement for SSL/TLS. Neither is a federation or other supervising body in the making. But the OpenID Foundation solved some legal issues such as patents and trademarks, which these days is no less important.

Software libraries have improved and been updated to the latest 2.0 standard. Extensions such as the OpenID Provider Authentication Policy Extension (PAPE) have been implemented as well. I mentioned better library support as being important, and it seems that things have indeed improved.

But that’s not all of the story. An important aspect of StartSSL™ being an Identity Provider is StartSSL™ itself. Because subscriber accounts are secured by client-side SSL certificates for authentication, in addition to forced SSL/TLS encryption for any data exchange, StartSSL™ provides the highest industry standard based on public-key cryptography. Subscribers who validate their identities according to the Class 2 validations can even be trusted to some reasonable extent. I believe that under these conditions OpenID is going to be useful for all sides involved.
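As an added example (not from this post, and not StartCom’s code), here is how a relying party could enforce the two points made above: reject assertions from an OP endpoint that is not served over TLS, and require the PAPE phishing-resistant policy, while also insisting that the PAPE fields are covered by the OP’s signature. The host op.example and the two sample responses are constructed; the namespace and policy URIs are the real ones from the OpenID 2.0 and PAPE 1.0 specifications, and the code assumes the assertion’s signature has already been verified.

```python
from urllib.parse import parse_qs

# Real OpenID 2.0 / PAPE 1.0 identifiers (from the specifications, not constructed)
OPENID2_NS = "http://specs.openid.net/auth/2.0"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
NONE_POLICY = "http://schemas.openid.net/pape/policies/2007/06/none"

def parse_assertion(query: str) -> dict:
    """Flatten the form-encoded positive assertion the OP redirects back with."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def check_assertion(fields: dict, required_policy: str = PHISHING_RESISTANT):
    """Relying-party policy checks. Assumes the OpenID signature itself has
    already been verified (via check_authentication or the association MAC)."""
    if fields.get("openid.ns") != OPENID2_NS or fields.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    if not fields.get("openid.op_endpoint", "").startswith("https://"):
        return False, "OP endpoint is not https"
    # The OP may declare the PAPE namespace under any alias; find it.
    alias = next((k[len("openid.ns."):] for k, v in fields.items()
                  if k.startswith("openid.ns.") and v == PAPE_NS), None)
    if alias is None:
        return False, "no PAPE response from the OP"
    # openid.signed lists signed field names without the "openid." prefix;
    # unsigned extension fields could be altered by the user agent in transit.
    signed = set(fields.get("openid.signed", "").split(","))
    policies_key = f"{alias}.auth_policies"
    if f"ns.{alias}" not in signed or policies_key not in signed:
        return False, "PAPE fields are not covered by the signature"
    policies = fields.get(f"openid.{policies_key}", "").split()
    if required_policy not in policies:
        return False, f"OP did not assert {required_policy.rsplit('/', 1)[1]}"
    return True, "ok"

# Constructed sample responses (not real StartSSL traffic).
STRONG = ("openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
          "&openid.op_endpoint=https://op.example/server"
          "&openid.ns.pape=http://specs.openid.net/extensions/pape/1.0"
          "&openid.pape.auth_policies=" + PHISHING_RESISTANT +
          "&openid.signed=op_endpoint,claimed_id,identity,return_to,ns.pape,pape.auth_policies")
WEAK = ("openid.ns=http://specs.openid.net/auth/2.0&openid.mode=id_res"
        "&openid.op_endpoint=http://op.example/server"
        "&openid.ns.pape=http://specs.openid.net/extensions/pape/1.0"
        "&openid.pape.auth_policies=" + NONE_POLICY +
        "&openid.signed=op_endpoint,claimed_id,identity,return_to")

if __name__ == "__main__":
    for name, q in (("strong", STRONG), ("weak", WEAK)):
        print(name, check_assertion(parse_assertion(q)))
```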

Now, every subscriber at StartSSL™ automatically receives a default OpenID identifier and an easy way to change the default nick name. It’s very easy to use, and I must admit that since I started using my own identifier, registering and logging in at forums and blogs hasn’t been so easy and fun for a long time. Check it out for yourself: get an account and client certificate free of charge. To sign up just click on the “Control Panel”.

Reader Comments

Woo!

Awesome!

Now tell me why this blog is using https? Why is http being redirected to https? You are just ridiculous.

I tell you why… the reason is fairly simple. It’s because WordPress doesn’t handle switching between secured and plain mode very well. Since I wanted to have certain areas protected (as it should be), I had to redirect everything to https in order to rely on it securely.

Since this is my personal blog (and I happen to work for a certification authority), I thought this to be just fine. Had I written my own blog engine, I would obviously have handled that differently.

All sites of StartCom do that very well and require SSL only where it’s really needed. The exception is the forum which again isn’t software we have written…

Congratulations.

Good job ;-)

[…] GPG digital signature on any public key server or here (direct download), and my StartSSL OpenID here. Or, more easily, all together in my Keybase ID: https://keybase.io/hackan. I recommend […]