[OpenID] OpenID for desktop network clients

Troy Benjegerdes hozer at hozed.org
Wed Mar 21 04:23:28 UTC 2007

I'm starting to think that someone needs to write a SASL OpenID auth
module. If someone wrote an OpenID module for cyrus-sasl, there would be
at least 1 imap server, and a couple of email clients that could use
OpenID.. which would be quite a nice trick.

OSX Keychain is the 'keeper of secrets' so to speak for an OSX machine,
and Apple has done their due diligence to make sure that the password to
unlock the keychain is going to be well protected. iChat passwords go
into the keychain. If you somehow add OpenID support to the AIM
protocol, the keychain should probably play some part.

Active directory is maybe not completely relevant, but it would be good
for openid developers to understand how SPNEGO works.

On Tue, Mar 20, 2007 at 07:40:46PM -0700, Gabe Wachob wrote:
> I think you're missing the point here.
> I'm authenticating to a service on the network, that happens to have a client
> on my desktop which is not a browser.
> That service is not in an enterprise - again, think IM clients (other than
> the MS one). I *want* to be identified with my OpenID, I *want* others to
> know me on that service by my OpenID.
> I don't see how SASL and Active Directory or OSX keychain are even relevant
> here. 
> 	-Gabe
> > -----Original Message-----
> > From: Troy Benjegerdes [mailto:hozer at hozed.org]
> > Sent: Tuesday, March 20, 2007 7:18 PM
> > To: Gabe Wachob
> > Cc: general at openid.net
> > Subject: Re: [OpenID] OpenID for desktop network clients
> > 
> > On Tue, Mar 20, 2007 at 06:36:26PM -0700, Gabe Wachob wrote:
> > > I blogged an idea that I implemented to allow a user to authenticate to a
> > > desktop client for a "network app" (think of an IM client) - the idea is to
> > > present an openid to a desktop client and then have it, in concert with the
> > > server-side component of the app, use normal OpenID authentication through
> > > the user's browser to authenticate the user to both the server side and to
> > > the desktop client:
> > >
> > > http://blog.wachob.com/2007/03/openid_for_desk.html
> > >
> > > I have a basic implementation - looking for holes in the idea. Probably not
> > > a novel idea, but I didn't recall seeing any write-up or implementation of
> > > this anywhere.
> > 
> > 
> > I guess I don't understand why you'd want to do this.... OpenID seems
> > very http-centric, and if you are talking about desktop apps, you would
> > be better served by something like SASL, or the kind of stuff that
> > happens under the hood in an MS active directory domain with Kerberos.
> > 
> > What I like is having several computers that can all authenticate to a
> > kerberos server and get access to my files and home directory.. this
> > covers the desktop side. What's missing for me is being able to
> > automagically be logged into my openid server once I am logged into my
> > desktop environment.
> > 
> > Or let's take the case of a mac user.. They log into their macbook,
> > which unlocks the OSX Keychain, which handles most OSX applications
> > nicely. The keychain should then know something about coordinating with
> > the browser to be able to auto-fill in openid web forms.
> > 
> > I guess the point I'm trying to make is that while you want an
> > integrated single sign-on environment that openid is part of, extending
> > it to the desktop seems like putting a square peg in a round hole,
> > especially since there are so many other solutions on the desktop.

Troy Benjegerdes                'da hozer'                hozer at hozed.org  

Someone asked me why I work on this free (http://www.fsf.org/philosophy/)
software stuff and not get a real job. Charles Schulz had the best answer:

"Why do musicians compose symphonies and poets write poems? They do it
because life wouldn't have any meaning for them if they didn't. That's why
I draw cartoons. It's my life." -- Charles Schulz
