sceneid.net: OpenID fairy dust for the demoscene
category: general [glöplog]
Good evening. I'm Hiram Q. Gasman, and I'm here to tell you about the wonders of OpenID.
OpenID is a bit like SceneID (you know, the login you use to sign into Pouet), in that it's a system for sharing one user account across multiple sites - except that it's decentralised, so anyone can set themselves up as a provider of OpenID accounts, without it having to go through a central authority - and anyone can set up a site to allow people to log in with their OpenID account. It's designed so that you only have to share your password with your chosen OpenID provider, so you don't have to trust every random site you log into to not steal your password.
And now you - the demoscener - can join in the mass ID-sharing orgy! sceneid.net is a brand new service which provides OpenIDs based on SceneID authentication - in other words, if you own a SceneID account you now have an OpenID waiting for you. Your OpenID is a URL of the form:
[your-sceneid-username].sceneid.net
- for example, mine is gasman.sceneid.net . (I don't know what'll happen if you have any spaces or other weird characters in your username, or whether SceneID even allows you to have a username like that...)
To use it, you can either log in with your SceneID at http://sceneid.net/, or just go straight to an OpenID-enabled site (WikiTravel will do if you don't have any better ideas), enter your OpenID URL, and follow all the prompts.
(Note: When using OpenID, the one and only site you need to trust not to do anything evil with your password is the OpenID provider - which, in the case of sceneid.net, is me. If you have a problem with this, don't use it. But then I do have admin access to Pouet, which means that if you're reading this, you're probably already trusting me not to steal your password.)
"Big fucking deal!" I hear you cry. "So now I can use my SceneID password to log in to a bunch of irrelevant websites that I've never used!" Ah, but just wait until demoscene sites start supporting OpenID. (Demozoo will be doing this fairly soon...) This would be a very good thing, for a couple of reasons:
Firstly, it's generally going to be an easy thing for website owners to do. OpenID is becoming a bit of an industry standard, so there's a whole load of example code and libraries to handle it - for some out-of-the-box website packages like Drupal and MediaWiki, you just need to drop a module into place, whereas with SceneID, you'd have to do a lot more fiddling around with custom PHP code. And because it's decentralised, you don't need to arrange anything with scene.org either. And that means that we could have a lot more sites using it - think SceneWiki, IN4K... Partymeister?
Secondly, it means that if scene.org goes down again (heaven forbid), the web presence of the demoscene doesn't *completely* grind to a halt... sites hosted on scene.org itself (such as Pouet) would disappear of course, and anything requiring SceneID logins would fall over (including sceneid.net), but sites with OpenID support would still work - people could sign up with alternative OpenID providers and log in with those accounts instead.
So have fun with your OpenIDs everyone, and if you're a website owner who thinks this would be a neat thing to support if it wasn't so damn confusing, get in touch and I'll do my best to answer any questions. (Oh, and if anyone from scene.org has any objection to me brazenly rushing ahead and registering sceneid.net without asking them, feel free to get in touch to discuss that sort of thing too. I did try contacting the appropriate channels, but couldn't get a response - the SceneID mailing list seems to be a bit dead, or at least refusing to talk to me...)
I logged in, and I'm not ashamed!
does that mean that people who have an openid but no relation to demoscene at all can login to pouet and other demoscene sites? if yes - TO HELL WITH IT. we don't need more trolls around.
Quote:
does that mean that people who have an openid but no relation to demoscene at all can login to pouet and other demoscene sites?
Isn't that already the case? I mean, how on earth would you else explain the existence of fake accounts that users such as Magic and TMB have been accused of taking advantage of? Couldn't just anybody sign up for an account at Pouet.net as it is right now?
sorry in advance if i sound a bit rude.
i do not see for whom this is actually good for, besides for ppl who are not able to remember their nick/password or lazy ones who don't want to type it in ... but there's a "remember me" option on 90% of the sites, so ...
ok, there's the point of "when not using the everyday-machine a "remember me" doesn't help" ... yes, that's true, but using something like openid on a pc that is untrusted (= not mine) should be a definite no-go after all, don't you think?
so, as for my brain being quite functional in terms of memory and as i am not too lazy to login, could somebody please explain to me the advantages i am getting using this? (besides having more not-used-irrelevant-websites which i wouldn't visit even with openid and besides reducing overhead for trolls spamming forums? *g*)
thanks in advance :)
oh btw ... doesn't this mean an individual website wouldn't need individually registered users anymore, but just "the whole crowd" on openid?
gasman: will you assemble some sort of api for other sites explaining/exemplifying how to implement it on their sites? we had something similar for sceneID but was still quite a bit messy to handle from the feedback i heard..
One little question about OpenID... How to manage the potential of huge amounts of spam?
If anyone can be an ID provider, that must open up for John Doe the spammer to act as a provider and create a dozen of accounts and spam away at all OpenID enabled sites he can find. Or did I miss anything?
Quote:
How to manage the potential of huge amounts of spam?
Funny to see that coming from you. Not.
Preacher: Shut up. There are two kinds of spam: "Any excessive pointless posting" and "Computer automated commercial posting". I'm wondering whether the OpenID system has some sort of way of dealing with the latter.
nitro, the point is that you obviously don't care if all users of a site like this are annoyed the crap out of by excessive amounts of bullshit, be they laptop images or viagra ads. as such, you have no right to speak - you are part of the problem.
actually, true that there are two kinds of spam, both are bad in their ways, but what's worse is to see the very spam being spread by the sceners hurt much more than a fuckingly routine excessive spamming. Because, when an "automated computer" does it, you know that it's a programmed machine and you can fuck it easily, but when an actual guy does it, and even if that guy is trying to be the part of the subculture that we call scene, i'm sure many of us would be sorry for that guy. because it's like, the guy whom i thought to carry a brain ; becoming and obviously acting as stupid as that automated spam machine.
so seriously, nitro you can't talk on "excessive spamming", not because you literally can't but because you shouldn't and also mustn't when peek'd a look to your situation from an elaborate point of view.
ps: OpenID's libraries page list a few implementations. For instance the EasyOpenID - consumer, based on JanRain seems simple to add on a site.
The 2 advantages I see in using OpenID on Pouet and any other demoscene site are:
1. one login for all the sites
2. easier to see trusted users ( no retard/troll/attentionWho can pretend to be you )
1. of course could be done using scene.org ID, but Open ID seems to make it easier
2. Sure today you can check the user ID ( the UID of a user in Pouet's DB ) to see if a user Name is the original person or a retard trying to be funny.
skrebbel: lol.
on topic: I think that this OpenID stuff, or be it the MSN version of that or whatever seems to be useless and dangerous (red: utter bullshit). I can remember my password for the sites I use, and I usually change them in some intervals. That "OneIDtoRuleThemAll" approach never really had anything attractive for me... I don't mind logging in more than once/one site a day. At least I won't forget my passwords then ;)
...just my 50ct...
...well, I have cookies enabled and am logged in "for a year"... Maybe I shouldn't rant about security :/
After all there are some advantages, yeah, but what about somebody finding out/stealing your password? The harm could be much bigger with OpenID...
And about trusted users. Look at my account. My real name's not there still I (mostly) behave like a sane person. How would you check IDs? Do I need to send a copy of my German ID to gasman to register? IMHO that wouldn't change anything about fake accounts etc.
Haha. You guys. >D
Srsly though, Nitro's question was sincere and relevant - if any site can authenticate users, couldn't a spammer just join the network, using his own site to authenticate a bunch of scripts roaming around other sites? Surely something the people behind OpenID must've thought about, so what measures have they taken to prevent it?
And also, stop trying to destroy anonymity on the intarwebs. There's already way too much tracking and logging and shit going on.
I'm fully against the idea.
The minute you subscribe to an ISP, there is no anonymity on the web anymore.
Lots of unanswered questions in this one.
It's a well-known fact that any kind of "single sign-on" method (or, in this case: "single-user-that-will-let-you-sign-on-pretty-many-places") demands a very high level of integrity and also quite a big level of control from the providers of the single sign-on method.
If the objective is to keep out commercial spam, then there already must have included some automated method to control this, as Doom already mentioned - otherwise, don't bother implementing OpenID.
However, to keep out spam entirely, you need to monitor traffic and users - do you really want to monitor users? How do you intend on doing this? Isn't there just a tad more security in maintaining your already-existing-and-perhaps-not-so-standard user account solution, since it requires a higher level of manual labor when having to create user accounts and already there rule out a lot of the possible automated spamming "entities"?
I'm starting to see what dipswitch is afraid of and since we already have SceneID, which works OK (for me, at least), I really can't see the point of opening the door to such an amount of potential threats to the rather great scene sites we have.
Quote:
The minute you subscribe to an ISP, there is no anonymity on the web anymore.
That's why god invented wireless ;)
Ahaha, Nitro complaining about spam, nice one, really. Also, what Skrebbel and Preacher said.
OpenID seems to be extremely hellbent on emphasizing user discretion, but I see very little to prevent the phishing potential and spamming abuse other people have already pointed out.
No time right now to give the full comprehensive answer that the above discussion really demands - 'course, the thing about OpenID is that those questions have been asked and answered elsewhere quite a lot already...
I think the main thing to make clear is that OpenID isn't designed to completely replace the registration process on individual sites, unless those sites really want it to. Essentially OpenID just does the authentication - proving that person X is the owner of URL Y. (It does have some support for exchanging basic profile details like name and email address too, but that's an optional extra feature that sits on top of OpenID itself). From what I understand, it's fairly standard practice for OpenID-enabled sites to present incoming users with a traditional registration form, minus the password field and possibly with name/email etc prefilled if available. Beyond that, sites can do whatever CAPTCHA-testing / email validation they want. As a result, I'd say that it wouldn't really be any easier or harder for spammers / trolls / n00bs to get through than it is at present.
OpenID itself doesn't attempt to establish the trustworthiness / non-spamminess of users, only that they own the URL they say they own. However, there are a bunch of smart people currently working out how to implement trust networks on top of OpenID, so it could happen in future.
Advocacy aside, my motivation for this is really just that it solves a technical problem on Demozoo, namely allowing people to use their existing SceneID accounts while not tying me to a single point of failure that I have no control over. If it can solve similar problems on other scene sites, then that's great... otherwise I'm happy to forge ahead and use Demozoo as the experimental guinea-pig until it's clear whether the advantages outweigh the possible pitfalls.
well it gets a big thumbs up from me
I support gasman's guinea-pig idea \o/
hm, logging in didn't work for me... :(
but in general, i really appreciate this idea! I'm someone who likes the idea of sharing one account for several sites, i'd even like to see more sites that support the SceneID, so i don't have to maintain several accounts all over the scene...