Posted on April 27th, 2007
There is clearly some demand for a password repository site done right. I myself would like a simple system that automatically saves/restores my information using a bookmarklet and allows me to log in to the service with my OpenID. One fairly bad example is Clipperz, to which I was referred by its creator (Marco Barulli), whom I actually didn’t meet but did photograph at OpenCoffee.

The problem with Clipperz is probably not the technique, but definitely the way it is presented (although I do wonder whether saving all that secret information in your browser is really that safe). The Clipperz site gives me a very strong *nix feel: it keeps stating what kind of crypto technology is behind it, uses concepts like cards to save scripts, and requires users to “review their code”.
From a user perspective the whole workflow is very tedious, amazingly complex, and really doesn’t provide single-click sign-on. I think the concept is very good and probably more secure than my idea, but I think they really need a designer and a usability expert to help ordinary users use this. I did get some nice information about how a system like this works, so if I ever implement my own system then I will use some of these basic concepts.
Posted on April 17th, 2007
My favourite OpenID provider, MyOpenID.com, has recently launched a new look. I noticed it when I wanted to use my OpenID while I was not yet logged in to the server. There used to be a very ugly, grey screen that would tell you to log in, and I remember thinking that most people wouldn’t understand the page or trust it. The new page is very nice and has recognizable colours and branding.

Posted on April 12th, 2007
I was wondering whether it isn’t possible to combine techniques like OpenID and GenPass to create a sort of OpenID login for sites that don’t actually have an OpenID login.
The idea of a proxy server like this would be to automatically create an account for you on a site that it recognizes, thus allowing you to log in transparently using your OpenID provider. This idea could be implemented by sites like ClaimID, who already provide more than just OpenID. I think it would actually be pretty easy and I might give it a try when I get my MacBook back from Apple. On the other hand, maybe Simon Willison should give this a try with his OpenID provider idproxy.net.
Obviously this technique would only be a hack, as I believe that any small site should provide an OpenID login. On the other hand, as many sites run the same software (WordPress, Drupal, etc.) it would not be difficult to create a proxy server that can automatically generate accounts on the most common systems on the web if necessary.
Posted on March 26th, 2007
I am wondering whether the following procedure allows people to log in with other people’s OpenIDs. The idea came to me when I heard about someone who made an OpenID server that would respond as if the user was logged in, no matter which user. Obviously that technique would only be annoying to the person who uses it, but this next one might affect others.
Let me paint you a picture of what I think could be done. I know Alper’s OpenID is http://alper.nl because I can see this on multiple sites and he even told me. Now let’s say I want to log in to his account at some site without being logged in to his OpenID server. Obviously, when I try to log in to that site with his OpenID, it would redirect me to his OpenID server, which would not recognize me as a valid user.
Now let’s try something else: what if I changed my hosts file (/etc/hosts on Linux and Mac) and added an entry for alper.nl pointing to, let’s say, localhost? I could probably make the website I want to log in to believe that it is redirecting to http://alper.nl while it actually isn’t. With that in place I could run a server on my localhost that returns a valid response no matter who I am, or I could even delegate to my own OpenID server.
I haven’t tried this out, but I am very interested to know whether there is any protection against this kind of attack. I hope, and expect, there is, but I couldn’t find the answer anywhere. I even mailed Simon Willison for his advice, but I haven’t heard anything yet.
Posted on March 1st, 2007
Want to set up your own OpenID on your own URL? This is how you can do it using the concept of delegation:
- Go to MyOpenID and register an OpenID with your username (<ID>).
- Put the following code in the <head> of the site that you ACTUALLY want to use as your OpenID (for example http://myname.net):
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://<ID>.myopenid.com/" />
<meta http-equiv="X-XRDS-Location" content="http://<ID>.myopenid.com/xrds" />
- Don’t forget to replace <ID> with your own ID, and don’t forget the last line, which MyOpenID really needs. The two link tags are what a site reads from your page during OpenID 1.1 discovery (the server to redirect you to, and the identity that server will vouch for); the meta line points sites that do Yadis discovery at MyOpenID’s XRDS document for your ID.
- Now you can log in to any site with your own OpenID (for example http://myname.net).
Why would you do this? My reason is that this way I can change OpenID provider by simply changing this piece of code. The advantage is that if your real provider quits or proves to be unreliable, you can simply switch and still log in at any site with your unique OpenID.
An obvious disadvantage is that the server you use for this delegation code must be reliable. That is why I am thinking of moving this site to DreamHost.
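The following Python example is added here for this page; it is not code from these posts, from MyOpenID or from any OpenID library. It shows the relying party’s side of OpenID 1.1 for both the delegation recipe above and the hosts-file question from the March 26th post: discovery reads the openid.server and openid.delegate link tags from the claimed URL, and the returned assertion is checked against what discovery found. The relying party fetches the claimed URL from its own host, so an entry in the attacker’s /etc/hosts changes only what the attacker’s machine resolves; the page contents, the return_to URL, the association handle and secrets, and the names alper.myopenid.com and mallory.myopenid.com are all assumed for the illustration. Only associated (“smart”) mode is modelled; dumb-mode check_authentication, nonce handling and the return_to check are left out.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser

# Constructed pages, indexed by URL as a given machine resolves it. The relying
# party (RP) fetches the claimed identifier from its own host, so only RP_VIEW
# matters to it; ATTACKER_VIEW is what the attacker sees after pointing alper.nl
# at localhost in his own /etc/hosts.
RP_VIEW = {
    "http://alper.nl/": """<html><head>
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://alper.myopenid.com/" />
</head><body>Alper</body></html>""",
}
ATTACKER_VIEW = {
    "http://alper.nl/": """<html><head>
<link rel="openid.server" href="http://localhost/server" />
<link rel="openid.delegate" href="http://attacker.example/" />
</head></html>""",
}

RETURN_TO = "http://somesite.example/openid/return"  # assumed RP return URL
# Associations the RP holds, keyed by the server URL it discovered (assumed handle/secret).
ASSOCIATIONS = {"http://www.myopenid.com/server": {"handle-1": b"secret shared with myopenid"}}


class OpenIDLinkParser(HTMLParser):
    """Collect the OpenID 1.1 openid.server / openid.delegate <link> tags."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and attrs.get("rel") in ("openid.server", "openid.delegate"):
            self.links.setdefault(attrs["rel"], attrs.get("href"))  # first tag wins


def discover(claimed_id, web):
    """HTML discovery as the RP performs it: fetch the claimed URL through the RP's
    own network view and read the link tags. Returns the server endpoint to talk
    to and the identity the assertion must be about (the delegate, if any)."""
    page = web.get(claimed_id)
    if page is None:
        raise ValueError("cannot fetch " + claimed_id)
    parser = OpenIDLinkParser()
    parser.feed(page)
    if not parser.links.get("openid.server"):
        raise ValueError("no openid.server link on " + claimed_id)
    return {"claimed_id": claimed_id,
            "server": parser.links["openid.server"],
            "identity": parser.links.get("openid.delegate") or claimed_id}


def signature(secret, response, signed_fields):
    """HMAC-SHA1 over the 'key:value\\n' form of the signed fields (OpenID 1.1)."""
    token = "".join(f"{k}:{response['openid.' + k]}\n" for k in signed_fields)
    return base64.b64encode(hmac.new(secret, token.encode(), hashlib.sha1).digest()).decode()


def sign_response(secret, handle, identity, signed_fields=("mode", "identity", "return_to")):
    """Build an id_res response the way a server (real or attacker-run) would."""
    response = {"openid.mode": "id_res", "openid.identity": identity,
                "openid.return_to": RETURN_TO, "openid.assoc_handle": handle,
                "openid.signed": ",".join(signed_fields)}
    response["openid.sig"] = signature(secret, response, signed_fields)
    return response


def verify_response(discovery, response, associations):
    """RP-side checks on an id_res response in associated ('smart') mode.
    `discovery` is what discover() returned when this login started."""
    if response.get("openid.mode") != "id_res":
        return False
    # The assertion must be about the delegate found during discovery. Without this
    # check, anyone holding any account at the same provider could claim alper.nl.
    if response.get("openid.identity") != discovery["identity"]:
        return False
    # The handle must belong to an association with the server the RP discovered.
    secret = associations.get(discovery["server"], {}).get(response.get("openid.assoc_handle"))
    if secret is None:
        return False
    signed_fields = response.get("openid.signed", "").split(",")
    if not {"identity", "return_to"} <= set(signed_fields):
        return False
    if any("openid." + k not in response for k in signed_fields):
        return False
    expected = signature(secret, response, signed_fields)
    return hmac.compare_digest(expected.encode(), response.get("openid.sig", "").encode())


def legitimate_login():
    """Alper logs in: the real server signs with the secret it shares with the RP."""
    d = discover("http://alper.nl/", RP_VIEW)
    resp = sign_response(ASSOCIATIONS[d["server"]]["handle-1"], "handle-1", d["identity"])
    return verify_response(d, resp, ASSOCIATIONS)


def hosts_file_attack():
    """The attacker's hosts entry changes what HE resolves, not what the RP resolves,
    so the RP still sends him to myopenid.com; a response forged by his localhost
    server carries no secret the RP shares with that endpoint."""
    rp_side = discover("http://alper.nl/", RP_VIEW)
    attacker_side = discover("http://alper.nl/", ATTACKER_VIEW)
    forged = sign_response(b"attacker-chosen secret", "handle-1", rp_side["identity"])
    return rp_side["server"], attacker_side["server"], verify_response(rp_side, forged, ASSOCIATIONS)


def wrong_identity_attack():
    """An attacker with a genuine account at the same provider claims alper.nl but
    returns an assertion, validly signed by the real server, about his own identity."""
    d = discover("http://alper.nl/", RP_VIEW)
    resp = sign_response(ASSOCIATIONS[d["server"]]["handle-1"], "handle-1", "http://mallory.myopenid.com/")
    return verify_response(d, resp, ASSOCIATIONS)
```

The two attack functions fail for different reasons: the hosts-file forgery never reaches a server the RP has an association with, so no handle/secret pair matches, while the wrong-identity response is properly signed but names an identity other than the delegate discovery returned. A relying party that skips the identity comparison is vulnerable to the second case even though it is immune to the first.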