Forging The Future

Before You Lies A Riverscape That Features The Sun Relfecting Off The Hudson River Thrugh Cirrus Clouds As Seen In Ossining, New York.

News and Views from The Institute for End User Computing!

Archive for December 5th, 2008

Self-Hosting OpenID Not Ready for End Users

Friday, December 5th, 2008

OpenID is the name for a single login scheme that is supposed to free us of the need to juggle multiple user names and passwords. Instead, with OpenID, the theory goes, that we use a single login and sites we want to visit will redirect us to the OpenID provider of our choice for us to verify our identity with that service which will then return us to the site we were originally trying to log into with a security token that will complete the login process.

Since the system consolidates all of your accounts into one, it is critical that you trust your OpenID provider even more than you would a single site, since someone with database access to the OpenID server could usurp your identity everywhere by resetting your password to a new one and then logging into any of your accounts elsewhere.

The logical way to minimize that risk is to host your own identity provider server, which is supposed to be quite painless and easy to do.

Be warned, it is not.

For the last few weeks we have been trying various OpenID servers and have yet to find one that can pass all of the OpenID Enabled: OpenID Tests.

If you do want to experiment with this technology, we recommend indirectly specifying your OpenID End Point. This means that you should point any services requiring you to use OpenID to a web page that uses link tags in its headers to redirect them to your current OpenID provider of choice. Then you can, in theory, change OpenID providers without changing your OpenID Identity with respect to third party sites. However, different implementations may place restrictions on your account name choice which could foil your attempt to seamlessly swap servers.

If you can find a solution that reliably performs well in the real world, do let us know so we can share your good news. Until then, beware the hype and avoid diving in prematurely since this sort of experimentation can be a real time sink.

So in the meantime, if you must use OpenID, go with a large trusted “name” provider and if there isn’t one that you truly trust, consider establishing multiple OpenID’s for different accounts, even though doing this would of course defeat the point of the entire exercise.

Posted in Technology, The Institute Log | No Comments »

These notes from the field hold our latest thoughts and research pointers. Those of lasting value will be merged into our main website as time permits.

Recent Posts
Categories
December 2008

M T W T F S S

« Nov Jan »

1 2 3 4 5 6 7

8 9 10 11 12 13 14

15 16 17 18 19 20 21

22 23 24 25 26 27 28

29 30 31
Archives
Blogroll
Meta

December 2008
M	T	W	T	F	S	S
« Nov		Jan »
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30	31

Legal Notices — Revised June 1st, 2010

We apologize for having to plaster this legal boilerplate across the bottom of every one of our pages, but you really should read it through at least once since it concerns your legal rights if you are considering donating to us or citing our work. It may be updated from time to time so look for blog entries tagged with "Legal Notice" for timely updates on when things change and be sure to consult our Current Legal Notices for a comprehensive listing of everything you should know.

A number of State and Federal regulations require various legal disclaimers and at present there is no settled law permitting us to rely on a link to dedicated page of legal notices to discharge this burden.

Our major legal filings can be found in The IEUC Archives.

Since we have to go this far, we are also including some useful related information that isn't explicitly required by law, just to keep everything law related in one place. In any case, this footer is the same on every page so you don't need to scroll down to it again.

Privacy & Security

We are currently developing formal privacy & document retention/destruction policies. Until they have been officially adopted and indicate otherwise, assume that any contacts online or offline with The IEUC are matters of public record that might be shared, disclosed, or used in any manner for any purpose. This notice is effective with this release of our website and supersedes any prior statements regarding privacy with respect to any contacts with the Institute from June 1st, 2010 onward, until such time as a newer version of this policy supersedes it with respect to subsequent contacts from that point onward.

We hold no Personally Identifying Information in digital form on any residents of Massachusetts.

Third Parties hosting our website and email infrastructure, contracting with such provider(s), or (in the case of Google) providing us with website analytics, may have digital and/or physical access to records related to your visit or email to us over which we have no control and which must accordingly be excluded from any privacy guarantees we may directly offer.

In any case, we will release any material that we are compelled to disclose by force of law and we reserve the right to comply with any information requests made by government or law enforcement authorities.

201 CMR 17.00: M.G.L. c. 93H Exempt

The Institute for End User Computing, Inc., is not subject to Massachusetts's Data Privacy Law 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH because it does not own or license personal information about any residents of the Commonwealth of Massachusetts as defined in the statute. Any such information coming into our possession will be destroyed as quickly as practicable, so if you are a resident of Massachusetts we ask that you do not disclose any Personal Information to us.

FEDERAL TRADE COMMISSION —16 CFR Part 255 Disclosures

The following disclaimer is required under the FTC's Guidelines Concerning the Use of Endorsements and Testimonials in Advertising via Section 5 of the FTC Act (15 U.S.C. 45):

§ 255.0 Purpose and definitions. Our site may contain "badges" and/or links to some of the software used in its development. We are not "endorsing" them for use by any other individual or organization.

§ 255.1 General considerations. All comments with respect to products/services mentioned on our pages represent the honest opinions, findings, beliefs, or experience of each page's respective author and are factually truthful to the best of his or her knowledge and have not be solicited with any financial renumeration.

255.2 Consumer endorsements. The vast majority of items mentioned here, particularly our many literature references, are items we have individually purchased for collection in our personal libraries making us actual consumers of the technical literature (the same applies to the software items mentioned although, most of them are free open source projects). Any polls or surveys on our site are totally unscientific unless presented as being otherwise. No claims have been validated by any objective measure.

§ 255.3 Expert Endorsements. The Institute is composed of many volunteers with extremely high levels of individual technological expertise, however, our volunteers are generally not typical End Users so their experiences with and reactions to any technologies mentioned here will not necessarily bear any resemblance to those of a typical consumer or purchaser. Thus no pointers to items characterized as being useful to them or of general utility should be taken as expert endorsements for your use of them.

§ 255.4 Endorsements by organizations. Likewise, as an organization we have not undertaken to formally pool the expertise of our officers, directors, staff, and volunteers to ground any pointers to external work in a scientific vetting process. Accordingly you are on notice that anything mentioned in these pages is not being endorsed for purchase by our organization and that it is instead being pointed out by the author of the page(s) on which it is mentioned for informational purposes only.

§ 255.5 Disclosure of material connections. All Officers and Directors of The IEUC are required to disclose any direct conflicts of interest with those of The IEUC, however we have not undertaken a complete forensic accounting audit of all of all of their investments, nor of those of all volunteers contributing to our website, making it impossible for use to determine whether they might indirectly benefit from positions taken by the organization or from any attendent publicity generated by mention of any product, program, publication, standard, project, group, or individual mentioned in on our website. You should accordingly assume that anything mentioned or linked to from our pages may have been received for free in the mail, at a trade show, or as part of a beta testing program and that the page author may be a friend or colleague of the item's author/developer or a spouse/significant other thereof. Eastgate System's Tinderbox by Mark Bernstein was one of the programs used in generating our site. Mark was one of our Found Directors and now serves on our Volunteer Advisory Board. Our webmaster is a Beta Tester for Tinderbox and purchases an annual update license with his own funds. We also make use a number of free Google services. Any conferences or events discussed herein may been trade shows, lab tours, or academic/industry "open house" events with free food, t-shirts, or other minor swag intended to garner corporate publicity or have been attended with directly or indirectly vendor-sponsored free "Expo Only" passes, complimentary passes, or discounted "academic" rates (which are often sponsored by an academic unit and its corporate patrons). Some books cited may have been review copies or trade show give aways by their authors, publishers, or unrelated vendors or free books given to us by friends or as discarded items & book sale leftovers by public libraries.

Final Thoughts. The above should be painfully obvious common sense, but 16 CFR Part 255 is so broadly written and vaguely defined that we couldn't risk anything short of our best legalese to protect ourselves. Always remember that it is incumbent on the reader to investigate any potential purchases or service usages on his or her own and to asume that items mentioned may have come into the possession of potential reviewers here free of charge or have been brought to our attention in attempt to garner testimonials (which in most cases they are fully worthy of on their substantive merits since we wouldn't waste the space and risk our credibility by telling you about them if they weren't any good).

Green Advertising Disclaimer

Our web hosting provider has been promoting its efforts to power its server farms with renewable energy. Since we have no ability to independently validate these claims, we explicitly disclaim any endorsement of its Green advertising campaign. This is not to suggest that we have any cause to doubt the validity of those efforts, merely to insure that we can not be held liable under Federal or State Law in the unlikely event that those claims might not stand up to objective scientific scrutiny.

Section 508 Exempt

Section 508 is a regulatory framework aimed at mandating how web site authors should address accessibility concerns in the production of web sites funded directly or indirectly by the US Government.

No direct or indirect federal, state, or local government funds were used in support of the development of this page, nor was its development undertaken as a project for any such entity.

Therefore, this page is not subject to Section 508 or any related rule making.

The Institute Online

Forging The Future 2/7/12 — 5:32 UTC

Archive for December 5th, 2008

Self-Hosting OpenID Not Ready for End Users

Our Weblog :

Recent Posts

Categories

Archives

Blogroll

Meta

Legal Notices — Revised June 1st, 2010

Privacy & Security

201 CMR 17.00: M.G.L. c. 93H Exempt

FEDERAL TRADE COMMISSION —16 CFR Part 255 Disclosures

Green Advertising Disclaimer

Section 508 Exempt

Advice for Disabled Visitors

Federal Tax Status

State Law Charitable Solicitation Registration Disclosure Statements

Exemptions :

Withdrawals :

Other States :

Nondiscrimination Policy

License Terms — Conditions Under Which You May Copy This Page

Trademarks

Web Standards Compliance