OpenID and OAuth for lds.org and other church sites

AArnott
New Member
Posts: 13
Joined: Sun Feb 04, 2007 4:25 pm


Postby AArnott » Sat Oct 11, 2008 12:22 am

I would really like to see the Church adopt OpenID for its login system. Here are the scenarios from the user's point of view. If the Powers That Be find these scenarios compelling, I'd be happy to include the technical details of how these could be securely implemented by the various Church web sites. I work with these technologies every day and would love to spare some time to help the Church utilize these technologies to make it easier for members to log in and for web sites to be maintained.

Scenario 1: Sally, a Church member visits lds.org hosted ward web site for the first time

  1. Sally clicks Ward / Stake Web Sites at the lds.org home page.
  2. She sees a screen with a login box on one half and a "First Time Visitors" section on the other, where they can enter their confirmation date and membership record number. She looks up her membership information, fills it out and clicks "New User".
  3. Sally is now prompted for her OpenID Identifier. Some text explains what this is and how she can obtain one if she does not have one yet. She has one, and simply types her OpenID: sally.myopenid.com.
  4. Myopenid.com appears to tell her that lds.org is logging her in. She clicks OK.
  5. She now sees her ward web site.
Scenario 2: Sally returns to the ward web site

  1. Sally clicks Ward / Stake Web Sites at the lds.org home page.
  2. This time at the login screen, Sally just types in sally.myopenid.com and clicks Login.
  3. Sally might see myopenid.com come up asking her to log in so she can access lds.org, but more likely she is already logged into myopenid.com and this step will be skipped.
  4. Sally sees her ward web site.
I want to point out that because Sally uses her OpenID at many different web sites, she is much less likely to forget her password (and in fact may have an openid with a stronger credential than a password). She is much less likely to have to make a regular trip to the clerk's office each time she needs to make her occasional visit to the ward web site in order to recover her forgotten password.

Scenario 3: Sally visits a Church-related web site other than lds.org

  1. Sally is visiting ilikemormons.org, a fictitious site that anyone can log into with OpenID but premium services are offered to members of the Church.
  2. Sally tries to visit a Church Members Only area and is prompted to log in with her OpenID. She logs in with sally.myopenid.com, which requires no additional password and is quick and easy for her.
  3. This is Sally's first time logging into ilikemormons.org and after logging in, the site asks her if it may ask lds.org if she is a member of the Church. She clicks Yes.
  4. lds.org appears in her browser and automatically recognizes who she is because she has visited before with her OpenID, and says "ilikemormons.org is asking if you're a member of the Church. May we tell them you are?" She clicks yes.
  5. She now sees ilikemormons.org again and sees that she has made it into the Church Members Only area.
Scenario 4: Sally visits ilikemormons.org again

  1. Sally visits ilikemormons.org again and tries to visit the Church Members Only area.
  2. Sally MAY be asked to log in again if the site so chooses. She types in her OpenID and clicks Login.
  3. She is allowed entrance into the Church Members Only area.
These are compelling scenarios for multiple reasons, I think:

  1. The user has only one account that can be shared across all these sites, and yet no site has to know her password except her identity provider (in these cases myopenid.com).
  2. The user may choose to use a stronger credential than a password (like Infocard or an SSL certificate) that myopenid.com makes very easy. This is much more secure than a password as it cannot be phished, forgotten or stolen. All sites involved will still allow login perfectly with no additional effort.
  3. Web sites the Church authorizes (which can be a carefully controlled whitelist group or a list anyone can apply for in an automated way) may determine a person's membership in the Church.
  4. The Church does not add yet one more account that users have to either memorize new usernames and passwords for, or much worse and probably much more common, reuse a username/password picked and used on dozens of other sites already. Any other site that user visits could harvest those passwords and use them to spoof Sally's identity at lds.org. With OpenID, this kind of attack is much less likely because only one site has any password at all, and perhaps not even that one.
I would be happy to offer as much help as necessary to help this vision become a reality. How does this sound to those who work at lds.org?

russellhltn
Community Administrator
Posts: 20762
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Sat Oct 11, 2008 3:54 am

The church has already started toward a single sign-on for its various websites: LDS Account

Speaking for myself, I sense that the church isn't interested in confirming membership to any outside websites. In fact, that may be considered personal information.

Once we remove the ability of outside websites to use a LDS Login, I fail to see the advantage to the church of using OpenID. If OpenID gains such a large following that there would be an advantage to embracing it, then I could see the church doing that. But not until then. By and large, the church is a follower of technology, not a leader of it.

mkmurray
Senior Member
Posts: 3241
Joined: Tue Jan 23, 2007 9:56 pm
Location: Utah

Postby mkmurray » Sat Oct 11, 2008 6:34 am

RussellHltn wrote:Speaking for myself, I sense that the church isn't interested in confirming membership to any outside websites. In fact, that may be considered personal information.

Public record information exists on just about anyone out there (name, address, phone). There's no harm in that. However, to take that info and then add the "Yes, he/she is a member" info to it, now you have some dangerous privacy concerns. Anyone could hit this service over and over and try to compile a list of members of the Church. We definitely don't want enemies to the Church to have such a list. It's the Church's responsibility to protect the affiliation of its members as a whole (obviously as an individual, I disclose my Church membership to neighbors and those I trust in an effort to spread the Gospel).
RussellHltn wrote:Once we remove the ability of outside websites to use a LDS Login, I fail to see the advantage to the church of using OpenID. If OpenID gains such a large following that there would be an advantage to embracing it, then I could see the church doing that. But not until then. By and large, the church is a follower of technology, not a leader of it.

I have looked into OpenID myself. While impressive, I'm not really sold on it either. Until it has been proven more, I doubt the Church would consider making a move in this direction.

mkmurray
Senior Member
Posts: 3241
Joined: Tue Jan 23, 2007 9:56 pm
Location: Utah

Postby mkmurray » Sat Oct 11, 2008 6:36 am

aarnott wrote:I want to point out that because Sally uses her OpenID at many different web sites, she is much less likely to forget her password (and in fact may have an openid with a stronger credential than a password). She is much less likely to have to make a regular trip to the clerk's office each time she needs to make her occasional visit to the ward web site in order to recover her forgotten password.

I also wanted to point out that a trip to the Clerks' office is not necessary to reset a password on the Local Unit Websites.

AArnott
New Member
Posts: 13
Joined: Sun Feb 04, 2007 4:25 pm

Postby AArnott » Sat Oct 11, 2008 8:11 am

Wow, several responses so quickly! Thanks.

mkmurray wrote:take that info and then add the "Yes, he/she is a member" info to it, now you have some dangerous privacy concerns. Anyone could hit this service over and over and try to compile a list of members of the Church. We definitely don't want enemies to the Church to have such a list.


I think one of the details of my original post got lost in its length. This Church service that would assert a person's membership could and probably would respond only to a select list of web sites. For example, if tech.lds.org and the ward web sites were hosted on different servers, and perhaps in different warehouses, the lds.org site would answer requests from tech.lds.org regarding membership. But of course the Church wouldn't want to answer just any client request that comes in. I agree, for the reasons you give.

So I don't see this capability alone as being a block to adoption since it can be finely controlled or altogether turned off without throwing out the whole technology.

Regarding it helping the Church, actually I was driving at how it would help the members. OpenID is about making browsing the web more convenient for the people and more secure at the same time. That said, the Church would see some benefits from adopting OpenID. For example, their users can (and may even be required to) have an even stronger login credential than a username and password. It's a move in the right direction for all the Church's own web sites to have one account, but then you have BYU.edu, which has its own SSO, and then you have LDS Business College, and then... See, so many organizations have their own SSO, both inside and outside the Church.

The Church could avoid a lot of cost and time by adopting OpenID instead of inventing SSO in so many sub-organizations. Even if it invented it and managed to get it adopted across everything, that would still be a much larger effort than just getting everyone to adopt OpenID and then using OAuth to allow verification of membership where the Church saw it as appropriate, if ever.

WelchTC
Senior Member
Posts: 2088
Joined: Wed Sep 06, 2006 7:51 am
Location: Kaysville, UT, USA

Postby WelchTC » Mon Oct 13, 2008 8:20 am

OpenID and OpenAuth are being reviewed as part of the future of LDSAccount. I can't give further details than that.

Tom

AArnott
New Member
Posts: 13
Joined: Sun Feb 04, 2007 4:25 pm

Postby AArnott » Mon Oct 13, 2008 8:49 pm

Hi Tom,

Thanks for the clue. Since the Church is already considering it, the biggest takeaway I hope you can pass to the Powers That Be is to strongly consider not being an OpenID Provider, but just a relying party.

The security of your users is inversely proportional to the number of Providers they have. Thus every new Provider that a user has to use because it's the only thing they offer decreases the overall security of the system. Besides the fact that instead of making it more convenient for the users by being a relying party so they can use their existing accounts, it becomes Yet Another OpenID provider account that they have no choice but to sign up for. :)

Thanks for listening. I look forward to hearing more.

BTW, I'd be happy to sign an NDA in order to help advise or develop a system the Church just might be considering. :rolleyes: Just send me a private message.

mkmurray
Senior Member
Posts: 3241
Joined: Tue Jan 23, 2007 9:56 pm
Location: Utah

Postby mkmurray » Thu Nov 06, 2008 3:47 pm

So at Microsoft's PDC Conference last week, they announced a new project codenamed "Geneva" Server. It's a server-side offering to help better complete their CardSpace federation protocol they released two years ago. It appears they are trying to encourage more adoption, as it hasn't been well publicized nor marketed yet.

Anyway, I read an article about this announcement and it stated that Microsoft noticed OpenID and really admired what was being done. Microsoft felt they could improve on its inadequacies however. This is the part that caught my attention and I decided to ask here in this thread how these so-called deficiencies could affect the Church's decision to adopt OpenID or not. Please remember that I'm not necessarily advocating the adoption of CardSpace instead, because I realize CardSpace would probably be considered a proprietary investment (at least from what I can tell; I don't see any mention of the technology being an open-standard outside of the .NET realm).

So here is the deficiency of OpenID named by Microsoft's chief architect of identity Kim Cameron:
Why doesn't Microsoft just use OpenID? "We've been big supporters of OpenID," Cameron said. "It's just another federation protocol. It doesn't use cryptography, it just uses DNS. That means it's subject to all the attacks that DNS is subject to.

"That's OK in certain environments. OpenID because of its nature is phishable. That raises people's consciousness of what is possible. We can also give them solutions like CardSpace."

This quote can be found on the second page of the article found at the following link:
http://www.theregister.co.uk/2008/10/30/microsoft_generva_hailstorm/

So again, my only purpose for bringing this up is to discuss what could be a real sensitive security issue if the Church were to utilize OpenID. If you respond to my comments, please keep it focused on the OpenID protocol itself and any strengths or weaknesses this technology would bring to the Church should it be adopted. I also wouldn't mind a little input from those working at the Church who have investigated this possibility; I would be most interested in what they have found out so far and how it relates to the Church's current identification and authorization needs. :)

AArnott
New Member
Posts: 13
Joined: Sun Feb 04, 2007 4:25 pm

Postby AArnott » Thu Nov 06, 2008 4:27 pm

mkmurray,

OpenID's deficiencies that you quoted are not deficiencies in the protocol as much as in common implementations. If OpenIDs use HTTPS then they are every bit as secure as Cardspace in terms of DNS poisoning attacks. OpenID does not mandate use of HTTPS though, and thus many sites don't force use of it to protect their users' security.

Then there's the phishing aspect. If a site manages to phish a user's credentials to their OpenID Provider, then they have the keys to that user's world. There are many ways to mitigate this, but my favorite is already available and is bulletproof: Cardspace. That's right: use OpenID to log into the world, and use Cardspace to log into your OpenID Provider and you (the end user) are absolutely phishing proof. Plus you (the end user) have the convenience of being able to log into any web site that accepts OpenID, which is quite a few more web sites than that accept Cardspace at this point.
For more OpenID+Cardspace information, see my own blog post or Kim Cameron's post on the subject:
http://blog.nerdbank.net/2007/07/finally-openid-provider-that-takes.html
http://www.identityblog.com/?p=923

What does all this mean for the Church and its members? Well, the Church could accept OpenID logins, and require that HTTPS be used throughout the OpenID discovery and authentication process. Doing so is not an aberration from the spec, in fact the spec suggests it for high security scenarios. This protects the Church and its users from DNS poisoning attacks and other issues.
To solve the phishing problem, the Church has a few options. First, it can use a whitelist of OpenID Providers so that only OpenIDs issued by providers that are known to be phishing-resistant are allowed. For example, myopenid.com and myvidoop.com are OpenID Providers with phishing resistance included. Myopenid.com in particular allows for Cardspace and X.509 certificate login, making it absolutely phishing proof, if the user chooses that login option. The Church can use the PAPE extension to require the user to log in using a phishing resistant/proof mechanism, thus protecting its secure assets from attackers.

This may sound like a bunch of hoops to jump through, but it's really pretty straightforward assuming a background of good understanding of the OpenID protocol and the relevant extensions. I'd be happy to delve into more detail if you wish.
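
The relying-party checks described in the post above (HTTPS-only discovery and endpoints, a whitelist of OpenID Providers, and a PAPE requirement for phishing-resistant authentication), as an added example; this is not code from the thread or from any Church system. It also covers the "respond only to a select list of web sites" idea from AArnott's earlier reply, applied on the relying-party side as an endpoint whitelist. The provider endpoint URLs, the return_to URL, the association MAC key and the sample OP response are all assumed values constructed for illustration. The signature is computed the way OpenID Authentication 2.0 specifies (HMAC over the Key-Value Form encoding of the fields listed in openid.signed, base64-encoded), so the same helper plays the OP side when building the sample response and the RP side when verifying it.

```python
import base64
import hashlib
import hmac

OPENID2_NS = "http://specs.openid.net/auth/2.0"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"

# Hypothetical provider whitelist; the endpoint URLs are assumptions for illustration.
TRUSTED_OP_ENDPOINTS = {"https://www.myopenid.com/server", "https://myvidoop.com/openid"}
RP_RETURN_TO = "https://www.lds.org/openid/return"  # assumed relying-party return URL

# Associations established earlier with each OP (assumed key): handle -> (MAC key, hash)
ASSOCIATIONS = {"assoc-1234": (b"\x01" * 32, hashlib.sha256)}  # HMAC-SHA256 association


def kv_form(params, signed_fields):
    """Key-Value Form encoding of the signed fields, in openid.signed order (OpenID 2.0 s6.1)."""
    return "".join(f"{name}:{params['openid.' + name]}\n" for name in signed_fields)


def sign(params, mac_key, digest):
    """Compute openid.sig over the fields listed in openid.signed (OpenID 2.0 s10.1)."""
    base = kv_form(params, params["openid.signed"].split(",")).encode()
    return base64.b64encode(hmac.new(mac_key, base, digest).digest()).decode()


def pape_alias(params):
    """Find the namespace alias the OP used for PAPE (e.g. 'pape' from openid.ns.pape)."""
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == PAPE_NS:
            return key[len("openid.ns."):]
    return None


def check_assertion(params, seen_nonces):
    """Relying-party validation of a positive assertion. Returns (ok, reason)."""
    if params.get("openid.ns") != OPENID2_NS or params.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    signed = params.get("openid.signed", "").split(",")
    # These fields MUST be signed, otherwise an attacker could swap them freely.
    for must in ("op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"):
        if must not in signed:
            return False, f"{must} is not covered by the signature"
    # HTTPS throughout: the identifier that was discovered and the OP endpoint itself.
    if not params["openid.claimed_id"].startswith("https://"):
        return False, "claimed_id was not discovered over HTTPS"
    if params["openid.op_endpoint"] not in TRUSTED_OP_ENDPOINTS:
        return False, "OP endpoint is not on the provider whitelist"
    if params["openid.return_to"] != RP_RETURN_TO:
        return False, "return_to does not match this relying party"
    assoc = ASSOCIATIONS.get(params["openid.assoc_handle"])
    if assoc is None:
        return False, "unknown association handle"
    if not hmac.compare_digest(sign(params, *assoc), params.get("openid.sig", "")):
        return False, "bad signature"
    # Each response_nonce is accepted once, which stops replay of a captured assertion.
    nonce = params["openid.response_nonce"]
    if nonce in seen_nonces:
        return False, "replayed response_nonce"
    seen_nonces.add(nonce)
    # PAPE: the OP must state, inside the signed fields, that a phishing-resistant method was used.
    alias = pape_alias(params)
    if alias is None or f"ns.{alias}" not in signed or f"{alias}.auth_policies" not in signed:
        return False, "PAPE response missing or unsigned"
    if PHISHING_RESISTANT not in params[f"openid.{alias}.auth_policies"].split():
        return False, "OP did not assert phishing-resistant authentication"
    return True, "ok"


def sample_response(auth_policies=PHISHING_RESISTANT, tamper=False):
    """Constructed OP response for the 'sally' identifier from the thread, signed with the association above."""
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://www.myopenid.com/server",
        "openid.claimed_id": "https://sally.myopenid.com/",
        "openid.identity": "https://sally.myopenid.com/",
        "openid.return_to": RP_RETURN_TO,
        "openid.response_nonce": "2008-11-06T23:27:00Zabc123",
        "openid.assoc_handle": "assoc-1234",
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_policies": auth_policies,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.pape,pape.auth_policies",
    }
    params["openid.sig"] = sign(params, *ASSOCIATIONS["assoc-1234"])
    if tamper:  # an attacker upgrading the policy claim after the OP signed the response
        params["openid.pape.auth_policies"] = PHISHING_RESISTANT
    return params


if __name__ == "__main__":
    seen = set()
    print(check_assertion(sample_response(), seen))
    print(check_assertion(sample_response(), seen))
    print(check_assertion(sample_response(auth_policies="none"), set()))
    print(check_assertion(sample_response(auth_policies="none", tamper=True), set()))
```

The order of the checks matters: the whitelist and HTTPS tests run before the signature check so a response from an unknown provider is rejected without consulting any association, and the PAPE policy is only trusted because `ns.pape` and `pape.auth_policies` are required to appear in `openid.signed`; an OP (or a man in the middle) that leaves them unsigned gets "PAPE response missing or unsigned" rather than a pass.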

mkmurray
Senior Member
Posts: 3241
Joined: Tue Jan 23, 2007 9:56 pm
Location: Utah

Postby mkmurray » Thu Nov 06, 2008 6:55 pm

That's very interesting. Thank you for posting. I hope the Church finds these little tidbits interesting as they are considering the protocol. I bet if they have further questions, they may very well PM or email you.

As a side note, I found it funny you were able to find more information from the same guy I quoted in my post. It appears he must be the Cardspace expert. :)

