[ANN] NameID - Use namecoin id/ to log into OpenID sites

[sudoquai]

Hi,

Idea: What about integrating NameID Service directly in "namecoin.org" to login with the official Site instead of NameID.org ?

Thx

[domob]

Which service of namecoin.org to "log in" are you talking about? I'm not aware of a login for namecoin.org. But if you mean things like the forum, then this is definitely planned and one of my goals for the future. I just need to find some time to write a phpBB module for NameID logins.

BTW: nameid.org now also displays GPG key fingerprints on identity pages. Take a look at "id/domob" and https://nameid.org/?name=domob to see it in action.

[sudoquai]

Hi,

ah maybe i was not clear enough. An example: https://namecoin.org/?name=domob instead https://nameid.org/?name=domob.

[domob]

ah maybe i was not clear enough. An example: https://namecoin.org/?name=domob instead https://nameid.org/?name=domob.

Ok, I see, I really didn't get you last time. That's nothing I have thought about so far, and it is not in my control - the owner of namecoin.org (which is not the official site, BTW) would need to implement it. Since NameID is a free project, everyone can set up their own server to provide this service using my code.

It would also be possible to set up OpenID delegation by just inserting a few lines of code to redirect namecoin.org OpenID-logins to nameid.org, I think, but also that's nothing I've been thinking about myself so far. In the end, the goal should be to get rid of OpenID and authentication servers anyway, and support Namecoin logins at each webservice directly.

[biolizard89]

I've updated the server as well as the Firefox extension to support "signer". A more detailed reply has been posted in this thread at forum.namecoin.org. (Not sure which forum to prefer at the moment, though.)

Any chance you can post it here, since it looks like this will remain the official forum for the time being?

[domob]

I've updated the server as well as the Firefox extension to support "signer". A more detailed reply has been posted in this thread at forum.namecoin.org. (Not sure which forum to prefer at the moment, though.)

Any chance you can post it here, since it looks like this will remain the official forum for the time being?

Yes, that's probably due with the current situation. It's not much, though: Take a look at id/domob (simplified below):

Code: Select all

{
    "name" : "id/domob",
    "value" : "{\"signer\":\"NDgQyGeyTdoopvbUD14GR536FmDiv6esuU\"}",
    "txid" : "5e0a84f3a8722924b63cd508fb3eb0bff0f3b90691f0680266b09def5c3ea763",
    "address" : "NBNfCNHWa2HZqnjVSpavcUXRefUbNPP7Jj",
    "expires_in" : 34863
}

Earlier, NameID messages could only be signed by NBNfCNHWa2HZqnjVSpavcUXRefUbNPP7Jj in order to be accepted. Now, if a "signer" field is present, you can also use NDgQyGeyTdoopvbUD14GR536FmDiv6esuU for login. The signer value can be a single address string, or an array of addresses, in which case any of those plus the address holding the name itself are allowed to sign on behalf of the identity.

That way, you can use a hot wallet with just an address but without either coins or names on "insecure" computers as login, and should it get compromised, you have to update your identity but don't lose the name. I already do this, and it works great! That's basically all - you can try it out and let me know what you think. It is supported by both the server and the add-on already.

[biolizard89]

Awesome, nice work domob.

It might be useful to eventually remove support for using the name owner, since the signer field encourages good security culture. Prior to doing so, maybe have nameid.org show a warning for a couple months when you login using the old method, saying it will be removed soon. Thoughts?

[domob]

Awesome, nice work domob.

It might be useful to eventually remove support for using the name owner, since the signer field encourages good security culture. Prior to doing so, maybe have nameid.org show a warning for a couple months when you login using the old method, saying it will be removed soon. Thoughts?

Yes, you're right that it is better security practice to only use signer (as I'll do myself from now on). However, I'm not sure about removing the old option. It may confuse people, and may be useful to allow logins also for names that have invalid JSON / no signer field set; otherwise it gets even more complicated to get a Namecoin ID than it already is with registering a name. So my opinion is that we should leave it like this for now. I might nevertheless display a warning at some point in the future just mentioning that they may want to look into signer, and possibly write a FAQ about it or something where I can link to.

BTW, do we already know how to go forward with the wiki? I volunteer to rewrite the wiki page about id/ names, describing all things supported by NameID (various possible values, GPG keys, signer) in the up-to-date version.

[khal]

BTW, do we already know how to go forward with the wiki? I volunteer to rewrite the wiki page about id/ names, describing all things supported by NameID (various possible values, GPG keys, signer) in the up-to-date version.

- github wiki seems too limited
- dot-bit wiki needs a new wiki

For now, I've blocked new registrations, edit, new pages unless high privileges.
Do you have a wiki account ?
If not, I'll create one for you.

I just moved the "bitmessage" part in the "registered" applications.

[domob]

BTW, do we already know how to go forward with the wiki? I volunteer to rewrite the wiki page about id/ names, describing all things supported by NameID (various possible values, GPG keys, signer) in the up-to-date version.

- github wiki seems too limited
- dot-bit wiki needs a new wiki

For now, I've blocked new registrations, edit, new pages unless high privileges.
Do you have a wiki account ?
If not, I'll create one for you.

No, I don't yet have an account (at least I think so). But no need to hurry, I'll only have time in a few days at the earliest anyway. This is more a mid-term plan of mine and not urgent.