OpenID is an open standard that describes how users can be authenticated in a decentralized manner, eliminating the need for services to provide their own ad hoc systems and allowing users to consolidate their digital identities. Users may create accounts with their preferred OpenID identity providers, and then use those accounts as the basis for signing on to any website which accepts OpenID authentication. The OpenID standard provides a framework for the communication that must take place between the identity provider and the OpenID acceptor (the ‘relying party’). An extension to the standard (the OpenID Attribute Exchange) facilitates the transfer of user attributes, such as name and gender, from the OpenID identity provider to the relying party (each relying party may request a different set of attributes, depending on its requirements).
The OpenID protocol does not rely on a central authority to authenticate a user's identity. Moreover, neither services nor the OpenID standard may mandate a specific means by which to authenticate users, allowing for approaches ranging from the common (such as passwords) to the novel (such as smart cards or biometrics).
The term OpenID may also refer to an identifier as specified in the OpenID standard; these identifiers take the form of a unique URI, and are managed by some 'OpenID provider' that handles authentication.
OpenID enables an End-user, the entity that wants to assert a particular identity, to communicate with a Relying party, the site that wants to verify the end-user's identifier. Other terms for this party include "service provider" or the now obsolete "consumer". This communication is done through the exchange of an Identifier or OpenID, which is the URL or XRI chosen by the end-user to name the end-user's identity. An Identity provider or OpenID provider (OP) , which is a service that specializes in registering OpenID URLs or XRIs, provides the OpenID authentication (and possibly other identity services). The exchange is enabled by a User-agent, which is the program (such as a browser) used by the end-user to communicate with the relying party and OpenID provider.
The end-user interacts with a relying party (such as a website) that provides a means by which to specify an OpenID for the purposes of authentication; an end-user typically has previously registered an OpenID (e.g.
alice.openid.example.org) with an OpenID provider (e.g.
The relying party typically transforms the OpenID into a canonical URL form (e.g.
- With OpenID 1.0, the relying party then requests the HTML resource identified by the URL and reads an HTML link tag to discover the OpenID provider's URL (e.g.
http://openid.example.org/openid-auth.php). The relying party also discovers whether to use a delegated identity (see below).
- With OpenID 2.0, the relying party discovers the OpenID provider URL by requesting the XRDS document (also called the Yadis document) with the content type
application/xrds+xml; this document may be available at the target URL and is always available for a target XRI.
There are two modes in which the relying party may communicate with the OpenID provider:
checkid_immediate, in which the relying party requests that the OpenID provider not interact with the end-user. All communication is relayed through the end-user's user-agent without explicitly notifying the end-user.
checkid_setup, in which the end-user communicates with the OpenID provider via the same user-agent used to access the relying party.
checkid_immediatemode can fall back to the
checkid_setupmode if the operation cannot be automated.
First, the relying party and the OpenID provider (optionally) establish a shared secret, referenced by an associate handle, which the relying party then stores. If using the
checkid_setupmode, the relying party redirects the user's user-agent to the OpenID provider so the end-user can authenticate directly with the OpenID provider.
The method of authentication may vary, but typically, an OpenID provider prompts the end-user for a password or an InfoCard, and then asks whether the end-user trusts the relying party to receive the necessary identity details.
If the end-user declines the OpenID provider's request to trust the relying party, then the user-agent is redirected back to the relying party with a message indicating that authentication was rejected; the relying party in turn refuses to authenticate the end-user.
If the end-user accepts the OpenID provider's request to trust the relying party, then the user-agent is redirected back to the relying party along with the end-user's credentials. That relying party must then confirm that the credentials really came from the OpenID provider. If the relying party and OpenID provider had previously established a shared secret, then the relying party can validate the identity of the OpenID provider by comparing its copy of the shared secret against the one received along with the end-user's credentials; such a relying party is called stateful because it stores the shared secret between sessions. In contrast, a stateless or dumb relying party must make one more background request (
check_authentication) to ensure that the data indeed came from the OpenID provider.
After the OpenID has been verified, authentication is considered successful and the end-user is considered logged in to the relying party under the identity specified by the given OpenID (e.g.
alice.openid.example.org). The relying party typically then stores the end-user's OpenID along with the end-user's other session information.
To obtain an OpenID-enabled URL that can be used to log into OpenID-enabled websites, a user needs to register an OpenID identifier with an identity provider. Identity providers offer the ability to register a URL (typically a third-level domain, e.g. username.example.com) that will automatically be configured with OpenID authentication service.
Once they have registered an OpenID, a user can also use an existing URL under their own control (such as a blog or home page) as an alias or "delegated identity". They simply insert the appropriate OpenID tags in the HTML or serve a Yadis document.
Starting with OpenID Authentication 2.0 (and some 1.1 implementations), there are two types of identifiers that can be used with OpenID: URLs and XRIs.
XRIs are a new form of Internet identifier designed specifically for cross-domain digital identity. For example, XRIs come in two forms—i-names and i-numbers—that are usually registered simultaneously as synonyms. I-names are reassignable (like domain names), while i-numbers are never reassigned. When an XRI i-name is used as an OpenID identifier, it is immediately resolved to the synonymous i-number (the CanonicalID element of the XRDS document). This i-number is the OpenID identifier stored by the relying party. In this way, both the user and the relying party are protected from the user's OpenID identity ever being taken over by another party as can happen with a URL based on a reassignable DNS name.
Site URL Format Comments AOL openid.aol.com/username ClickPass clickpass.com/public/username Yahoo! me.yahoo.com Yahoo! began allowing their usernames to be used as openIDs beginning January 31, 2008. Yahoo! does not require the username to be passed in the openID string. LiveJournal username.livejournal.com LiveJournal supports OpenID as both a provider and a relying party. But it may mangle the name a bit. For example login the_user would turn into URL the-user.livejournal.com - the underscore turned to dash. MySpace myspace.com/username WordPress username.wordpress.com Blogger username.blogger.com
Google Profile google.com/profiles/username Google uses the generic username "me" as in google.com/profiles/me to use a currently-authenticated account, or to prompt authentication. Google https://www.google.com/accounts/o8/id  Google does not require the username to be passed in the openID string. Verisign username.pip.verisignlabs.com Verisign offers a secure OpenID service, with two-factor authentication, which they call "Personal Identity Provider" Typepad username.typepad.com MyOpenID username.myopenid.com ClaimID claimid.com/username SceneID username.sceneid.net Scene.org third-party OpenID Clavid username.clavid.com Strong Authentication OpenID Provider supporting Password, YubiKey, SMS-OTP, iPhone/Android OTP's, Certificates/Smartcards as well as AXSionics biometric fingerprint reader. Steam steamcommunity.com/openid/ Allows one to use OpenID services with their Steam login and password Orange openid.orange.fr/username or just orange.fr/ Offers OpenIDs to their broadband subscribers, and accepts OpenID to allow non subscriber users to access a subset of services. TonidoOpenID http://username.tonidoid.com/app/openid decentralized & private OpenID provider that allows one to use their tonido url as OpenID. Launchpad launchpad.net/~username See https://help.launchpad.net/YourAccount/OpenID for details. Ubuntu login.ubuntu.com See https://login.ubuntu.com/+description for details. seznam.cz username.id.seznam.cz
xlogon.net http://xlogon.net/username Offers personas for easy access on different required/optional contact info details Hyves hyves.nl A Dutch service. Mixi mixi.jp A Japanese service. Virgilio.it virgilio.it An Italian service. Wirtualna_Polska openid.wp.pl A Polish service. Яndex username.ya.ru or username.some-another-YaRU-domain Yandex is arguably 2nd largest e-mail provider and the largest search provider in Russia. They provide advanced OpenId, where user can also give his e-mail (for reply notification for example), homepage and so one - if he allows it on per-page granularity. Yandex has a set of domains, and the single username applies to all of them - so any domain can be used. List of domains: http://help.yandex.ru/mail/?id=1113395 Mail.ru username.id.mailru-domain.ru Mail.ru is arguably 1st largest public e-mail provider in Russia, also search, blogs, social, etc. They have 4 domains, each user is registered on one of those. So, domain is part is user id, both username AND domain should be accurately keyed in. Domainsare mail.ru + list.ru + bk.ru + inbox.ru
Relying parties and other services
- Yahoo! is an OpenID Relying Party as well.
- Flickr is an OpenID Relying Party.
- tripit is an OpenID Relying Party.
- Amazon uses OpenID Protocol to authenticate the user.
- Other services accepting OpenID as an alternative to registration include Wikitravel, photo sharing host Zooomr, identity aggregator ClaimID, calendar booking Bookwhen, icon provider IconBuffet, user stylesheet repository UserStyles.org, Music Xray.
- The Stack Exchange Network uses OpenID as the only login option, but also provides an own OpenID provider (which is not directly connected to the user accounts on the network).
- Luxsci is both an OpenID consumer and provider.
- Facebook supports OpenID 2.0, allowing an existing account to have an OpenID associated as an alternative login method. Facebook connect provides an API for other websites to leverage Facebook logins.
- As of version 2, Simple Machines Forum allows the administrator to allow registration using an OpenID.
- RCDevs provides an OpenID 2.0 server, allowing users to authenticate with OpenOTP SMSOTP, MailOTP, Soft Tokens... alternative login method. Details about RCDevs OpenID and OpenOTP at http://www.rcdevs.com/.
Some of the companies (especially the biggest ones) which did enable OpenID have been criticized for being a provider of OpenID identities to third-party websites, without being an OpenID consumer and allowing credentials of another website to work with their own websites. (For example, logging into Yahoo! through Windows Live credentials).
The OpenID Foundation is a 501(c)(3) non-profit organization incorporated in the United States. The OpenID Foundation was formed to help manage copyright, trademarks, marketing efforts and other activities related to the success of the OpenID community.
The OpenID Foundation's board of directors has eight community members and seven corporate members:
The OpenID trademark in the United States was assigned to the OpenID Foundation in March 2008. It had been registered by NetMesh Inc. before the OpenID Foundation was operational. In Europe, as of August 31, 2007, the OpenID trademark is registered to the OpenID Europe Foundation.
Since the original announcement of OpenID, the official site has stated:Nobody should own this. Nobody's planning on making any money from this. The goal is to release every part of this under the most liberal licenses possible, so there's no money or licensing or registering required to play. It benefits the community as a whole if something like this exists, and we're all a part of the community.—
Sun Microsystems, VeriSign and a number of smaller companies involved in OpenID have issued patent non-assertion covenants covering OpenID 1.1 specifications. The covenants state that the companies will not assert any of their patents against OpenID implementations and will revoke their promises from anyone who threatens, or asserts, patents against OpenID implementors.
Security and phishing
Some observers have suggested that OpenID has security weaknesses and may prove vulnerable to phishing attacks. For example, a malicious relying party may forward the end-user to a bogus identity provider authentication page asking that end-user to input their credentials. On completion of this, the malicious party (who in this case also control the bogus authentication page) could then have access to the end-user's account with the identity provider, and as such then use that end-user’s OpenID to log into other services.
In an attempt to combat possible phishing attacks some OpenID providers mandate that the end-user needs to be authenticated with them prior to an attempt to authenticate with the relying party. This relies on the end-user knowing the policy of the identity provider. In December 2008, the OpenID Foundation approved version 1.0 of the Provider Authentication Policy Extension (PAPE), which "enables Relying Parties to request that OpenID Providers employ specified authentication policies when authenticating users and for OpenID Providers to inform the Relying Parties which policies were actually used."
Other security issues identified with OpenID involve lack of privacy and failure to address the trust problem.
Another important vulnerability is present in the last step in the authentication scheme: the redirect-URL from the Identity Provider to the Relying Party. The problem with this redirect is the fact that anyone who can obtain this URL (e.g. by sniffing the wire) can replay it and get logged into the site as the victim user. Some of the Identity Providers use nonces (number used once) to allow a user to log into the site once and fail all the consecutive attempts. The nonce solution works if the user is the first one to use the URL. However a fast attacker who is sniffing the wire can obtain the URL and immediately reset a user's TCP connection (as an attacker is sniffing the wire and knows the required TCP sequence numbers) and then execute the replay attack as described above. Thus nonces only protect against passive attackers but cannot prevent active attackers from executing the replay attack.
The original OpenID authentication protocol was developed in May 2005 by Brad Fitzpatrick, creator of popular community website LiveJournal, while working at Six Apart. Initially referred to as Yadis (an acronym for "Yet another distributed identity system"), it was named OpenID after the openid.net domain name was given to Six Apart to use for the project. OpenID support was soon implemented on LiveJournal and fellow LiveJournal engine community DeadJournal for blog post comments and quickly gained attention in the digital identity community. Web developer JanRain was an early supporter of OpenID, providing OpenID software libraries and expanding its business around OpenID-based services.
In late June, discussions started between OpenID users and developers from enterprise software company NetMesh, leading to collaboration on interoperability between OpenID and NetMesh's similar Light-Weight Identity (LID) protocol. The direct result of the collaboration was the Yadis discovery protocol, adopting the name originally used for OpenID. The new Yadis was announced on October 24, 2005. After a discussion at the 2005 Internet Identity Workshop a few days later, XRI/i-names developers joined the Yadis project, contributing their Extensible Resource Descriptor Sequence (XRDS) format for utilization in the protocol.
In December, developers at Sxip Identity began discussions with the OpenID/Yadis community after announcing a shift in the development of version 2.0 of its Simple Extensible Identity Protocol (SXIP) to URL-based identities like LID and OpenID. In March 2006, JanRain developed a Simple Registration (SREG) extension for OpenID enabling primitive profile-exchange and in April submitted a proposal to formalize extensions to OpenID. The same month, work had also begun on incorporating full XRI support into OpenID. Around early May, key OpenID developer David Recordon left Six Apart, joining VeriSign to focus more on digital identity and guidance for the OpenID spec. By early June, the major differences between the SXIP 2.0 and OpenID projects were resolved with the agreement to support multiple personas in OpenID by submission of an identity provider URL rather than a full identity URL. With this, as well as the addition of extensions and XRI support underway, OpenID was evolving into a full-fledged digital identity framework, with Recordon proclaiming "We see OpenID as being an umbrella for the framework that encompasses the layers for identifiers, discovery, authentication and a messaging services layer that sits atop and this entire thing has sort of been dubbed 'OpenID 2.0'. " In late July, Sxip began to merge its Digital Identity Exchange (DIX) protocol into OpenID, submitting initial drafts of the OpenID Attribute Exchange (AX) extension in August. Late in 2006, a ZDNet opinion piece made the case for OpenID to users, web site operators and entrepreneurs.
On January 31, 2007, Symantec announced support for OpenID in its Identity Initiative products and services. A week later, on February 6 Microsoft made a joint announcement with JanRain, Sxip, and VeriSign to collaborate on interoperability between OpenID and Microsoft's Windows CardSpace digital identity platform, with particular focus on developing a phishing-resistant authentication solution for OpenID. As part of the collaboration, Microsoft pledged to support OpenID in its future identity server products and JanRain, Sxip, and VeriSign pledged to add support for Microsoft's Information Card profile to their future identity solutions. In mid-February, AOL announced that an experimental OpenID provider service was functional for all AOL and AOL Instant Messenger (AIM) accounts.
In May, Sun Microsystems began working with the OpenID community, announcing an OpenID program, as well as entering a non-assertion covenant with the OpenID community, pledging not to assert any of its patents against implementations of OpenID. In June, OpenID leadership formed the OpenID Foundation, an Oregon-based public benefit corporation for managing the OpenID brand and property. The same month, an independent OpenID Europe Foundation was formed in Belgium by Snorri Giorgetti. By early December, non-assertion agreements were collected by the major contributors to the protocol and the final OpenID Authentication 2.0 and OpenID Attribute Exchange 1.0 specifications were ratified on December 5.
In mid-January 2008, Yahoo! announced initial OpenID 2.0 support, both as a provider and as a relying party, releasing the provider service by the end of the month. In early February, Google, IBM, Microsoft, VeriSign and Yahoo! joined the OpenID Foundation as corporate board members. Around early May, SourceForge, Inc. introduced OpenID provider and relying party support to leading open source software development website SourceForge.net. In late July, popular social network service MySpace announced support for OpenID as a provider. In late October, Google launched support as an OpenID provider and Microsoft announced that Windows Live ID would support OpenID. In November, JanRain announced a free hosted service, RPX Basic, that allows websites to begin accepting OpenIDs for registration and login without having to install, integrate and configure the OpenID open source libraries.
In January 2009, PayPal joined the OpenID Foundation as a corporate member, followed shortly by Facebook in February. The OpenID Foundation formed an executive committee and appointed Don Thibeau as executive director. In March, MySpace launched their previously announced OpenID provider service, enabling all MySpace users to use their MySpace URL as an OpenID. In May, Facebook launched their relying party functionality, letting users use an automatic login-enabled OpenID account (e.g. Google) to log into Facebook.
OpenID vs. Pseudo-Authentication using OAuth
The following drawing highlights the differences between using OpenID vs. OAuth for authentication. Note that with OpenID, the process starts by the application asking the user for their identity (typically a openid URI), whereas in the case of OAuth, the application directly request a limited access OAuth Token (valet key) to access the APIs (enter the house) on user's behalf. If the user can grant that access, the application can retrieve the unique identifier for establishing the profile (identity) using the APIs.
- ^ a b c d Eldon, Eric (2009-04-14). "Single sign-on service OpenID getting more usage » VentureBeat". venturebeat.com. http://venturebeat.com/2009/04/14/single-sign-on-service-openid-getting-more-usage/. Retrieved 2009-04-25.
- ^ "OpenID Authentication 2.0 specification - Final". http://openid.net/specs/openid-authentication-2_0.html. Retrieved 2011-10-24.
- ^ "OpenID Attribute Exchange 1.0 - Final". http://openid.net/specs/openid-attribute-exchange-1_0.html. Retrieved 2011-10-24.
- ^ bashburn, bill (2008-04-22). "BBC Joins OpenID Foundation". http://openid.net/2008/04/22/british-broadcasting-corp-bbc-joins-openid-foundation/.
- ^ Riley, Duncan (2008-01-18). "Google Offers OpenID Logins Via Blogger". TechCrunch. http://www.techcrunch.com/2008/01/18/google-offers-openid-logins-via-blogger/. Retrieved 2008-03-20.
- ^ "How do I get an OpenID?". OpenID Foundation. http://openid.net/get/. Retrieved 2008-03-20.
- ^ "Technology Leaders Join OpenID Foundation to Promote Open Identity Management on the Web". 008-02-07. http://www-03.ibm.com/press/us/en/pressrelease/23461.wss.
- ^ Bergman, Artur (2008-02-07). "OpenID Foundation - Google, IBM, Microsoft, VeriSign and Yahoo!". O'Reilly Media. http://radar.oreilly.com/archives/2008/02/openid-foundation-google-ibm-m.html. Retrieved 2008-03-19.
- ^ "OpenID Authentication 1.1#Delegation". http://openid.net/specs/openid-authentication-1_1.html#delegating_authentication.
- ^ Paul Tarjan. "Easy OpenID Delegation with Yadis". http://blog.paulisageek.com/2009/06/easy-openid-delegation-with-yadis.html. Retrieved 2009-06-30.
- ^ Kissel, Brian (2009-12-16). "OpenID 2009 Year in Review". http://openid.net/2009/12/16/openid-2009-year-in-review/.
- ^ AOL Inc.. "OpenID Central". http://dev.aol.com/topic/openid. Retrieved 2011-05-31.
- ^ "Frequently Asked Questions". http://clickpass.com/docs/faq. Retrieved 2011-05-31.
- ^ Bylund, Anders (17 January 2008). "Yahoo! No More Password Profusion!". The Motley Fool. http://www.fool.com/investing/general/2008/01/17/yahoo-no-more-password-profusion.aspx. Retrieved 2008-02-14.
- ^ Google, Inc.. "Google OpenID API documentation page". http://code.google.com/apis/accounts/docs/OpenID.html. Retrieved 2009-04-25.
- ^ Archer, Mike (4 February 2010). "OpenID URL Formatting". Digital Engine Software. http://digitalenginesoftware.com/blog/archives/24-OpenID-Provider-URL-Formatting.html. Retrieved 2010-03-23.
- ^ Mathews, Lee (2009-08-29). "Tonido now lets you roll your own OpenID provider, also debuts Tonido Plug". Downloadsquad.com. http://www.downloadsquad.com/2009/08/29/tonido-now-lets-you-roll-your-own-openid-provider-also-debuts-t/. Retrieved 2011-09-19.
- ^ "OpenID". http://www.hyves-developers.nl/documentation/openid/specifications. Retrieved 2011-05-31.
- ^ "mixi OpenID". http://developer.mixi.co.jp/openid. Retrieved 2011-05-31.
- ^ "WikiTravel OpenID login page". http://wikitravel.org/en/Special:OpenIDLogin. Retrieved 2009-04-25.
- ^ "OpenID Requirements - Facebook Developer Wiki". http://wiki.developers.facebook.com/index.php/OpenID_Requirements. Retrieved 2010-04-28.
- ^ John Timmer, OpenID being Balkanized even as Google, Microsoft sign on.
- ^ a b OpenID Board of Directors (2007-06-01). "OpenID Foundation". OpenID Foundation. http://openid.net/foundation/. Retrieved 2008-03-20.
- ^ "Trademark Assignment, Serial #: 78899244". United States Patent and Trademark Office. 2008-05-06. http://assignments.uspto.gov/assignments/q?db=tm&sno=78899244. Retrieved 2008-05-19. "Exec Dt: 03/27/2008"
- ^ "Latest Status Info". United States Patent and Trademark Office. 2006-03-27. http://tarr.uspto.gov/servlet/tarr?regser=serial&entry=78899244. Retrieved 2008-03-20.
- ^ "NetMesh: Company / Management". NetMesh. http://netmesh.us/company/management/. Retrieved 2008-03-20.
- ^ "OpenID Europe Trademark & Logo Policy". OpenID Europe Foundation. http://www.openideurope.eu/policies/openid-trademark-policy/. Retrieved 2008-03-20.
- ^ Reddig, Randy (2005-06-29). "OpenID Logo". Danga Interactive. http://lists.danga.com/pipermail/yadis/2005-June/000990.html. Retrieved 2008-03-20.
- ^ Fitzpatrick, Brad. "Intellectual Property". http://openid.net/intellectual-property/.
- ^ a b "Sun OpenID: Non-Assertion Covenant". Sun Microsystems. http://www.sun.com/software/standards/persistent/openid/nac.xml. Retrieved 2008-03-20.
- ^ "VeriSign's OpenID Non-Assertion Patent Covenant". VeriSign. http://www.verisign.com/research/Consumer_Identity_and_Profile_Management/042160.html. Retrieved 2008-03-20.
- ^ Crowley, Paul (2005-06-01). "Phishing attacks on OpenID". Danga Interactive. http://lists.danga.com/pipermail/yadis/2005-June/000470.html. Retrieved 2008-03-20.
- ^ Anderson, Tim (2007-03-05). "OpenID still open to abuse". IT Week. http://www.itweek.co.uk/2184695. Retrieved 2007-03-13.
- ^ Slot, Marco. "Beginner's guide to OpenID phishing". http://openid.marcoslot.net/. Retrieved 2007-07-31.
- ^ "Verisign PIP FAQ". https://pip.verisignlabs.com/faq.do#faq5. Retrieved 2008-11-13.
- ^ Jones, Mike. "PAPE Approved as an OpenID Specification". OpenID Foundation. http://openid.net/2008/12/31/pape-approved-as-an-openid-specification/.
- ^ Stefan Brands (2007-08-22). "The problem(s) with OpenID". http://www.untrusted.ca/cache/openid.html. Retrieved 2010-12-12. (originally published on The Identity Corner at www.idcorner.org/?p=161)
- ^ Tsyrklevich, Eugene. "Single Sign-On for the Internet: A Security Story". Blackhat USA. https://www.blackhat.com/presentations/bh-usa-07/Tsyrklevich/Whitepaper/bh-usa-Fiddler2Setup.exe07-tsyrklevich-WP.pdf. Retrieved 2011-10-02.
- ^ Fitzpatrick, Brad (2005-05-16). "Distributed Identity: Yadis". LiveJournal. http://community.livejournal.com/lj_dev/683939.html. Retrieved 2008-03-20.
- ^ Waters, John K (2007-12-01). "OpenID Updates Identity Spec". Redmond Developer News. Archived from the original on 2008-02-08. http://web.archive.org/web/20080208155322/http://reddevnews.com/news/devnews/article.aspx?editorialsid=913. Retrieved 2008-03-20.
- ^ "Glossary". LiveJournal Server: Technical Info. http://www.livejournal.com/doc/server/appx.glossary.html. Retrieved 13 October 2009.
- ^ Lehn, David I. (18 May 2005). "18 May 2005". Advogato blog for dlehn. Advogato. http://www.advogato.org/person/dlehn/diary/5.html. Retrieved 13 October 2009. "They were looking for a name and managed to email me about openid.net right before I was going to offer it to them. So I gave it to them for the new and improved OpenID project."
- ^ "OpenID: an actually distributed identity system". 2005-09-24. Archived from the original on 2005-09-24. http://web.archive.org/web/20050924033518/http://www.danga.com/openid/. Retrieved 2008-03-20.
- ^ a b Fitzpatrick, Brad (2006-05-30). "brad's life - OpenID and SixApart". LiveJournal. http://brad.livejournal.com/2226738.html. Retrieved 2008-03-20.
- ^ Recordon, David (2005-12-24). "Announcing YADIS...again". Danga Interactive. http://lists.danga.com/pipermail/yadis/2005-October/001511.html. Retrieved 2008-03-20.
- ^ Reed, Dummond (2005-12-31). "Implementing YADIS with no new software". Danga Interactive. http://lists.danga.com/pipermail/yadis/2005-October/001544.html. Retrieved 2008-03-20.
- ^ Reed, Drummond (2008-11-30). "XRD Begins". Equals Drummond. http://www.equalsdrummond.name/?p=172. Retrieved 5 January 2009.
- ^ Hardt, Dick (2005-12-18). "Sxip concerns with YADIS". Danga Interactive. http://lists.danga.com/pipermail/yadis/2005-December/001873.html. Retrieved 2008-03-20.
- ^ Hardt, Dick (2005-12-10). "SXIP 2.0 Teaser". Identity 2.0. http://identity20.com/?p=44. Retrieved 2008-03-20.
- ^ Hoyt, Josh (2006-03-15). "OpenID + Simple Registration Information Exchange". Danga Interactive. http://lists.danga.com/pipermail/yadis/2006-March/002304.html. Retrieved 2008-03-20.
- ^ Grey, Victor (2006-04-02). "Proposal for an XRI (i-name) profile for OpenID". Danga Interactive. http://lists.danga.com/pipermail/yadis/2006-April/002388.html. Retrieved 2008-03-20.
- ^ Recordon, David (2006-04-29). "Movin' On....". LiveJournal. http://daveman692.livejournal.com/251286.html. Retrieved 2008-03-20.
- ^ Recordon, David (2006-06-16). "Moving OpenID Forward". Danga Interactive. http://lists.danga.com/pipermail/yadis/2006-June/002631.html. Retrieved 2008-05-19.
- ^ Johannes Ernst and David Recordon. Editor:Phil Becker (2006-12-04). "The case for OpenID". ZDNet. http://www.zdnet.com/blog/digitalid/the-case-for-openid/78. Retrieved 2010-12-12.
- ^ "Symantec Unveils Security 2.0 Identity Initiative at DEMO 07 Conference". Symantec. 2007-01-31. http://www.symantec.com/about/news/release/article.jsp?prid=20070131_01. Retrieved 2008-03-20.
- ^ Graves, Michael (2007-02-06). "VeriSign, Microsoft & Partners to Work together on OpenID + Cardspace". VeriSign. http://blogs.verisign.com/infrablog/2007/02/verisign_microsoft_partners_to_1.php. Retrieved 2008-03-20.
- ^ Panzer, John (2007-02-16). "AOL and 63 Million OpenIDs". AOL Developer Network. http://dev.aol.com/aol-and-63-million-openids. Retrieved 2008-03-20.
- ^ "Sun Microsystems Announces OpenID Program". PR Newswire. 2007-05-07. http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/05-07-2007/0004582105&EDATE=. Retrieved 2008-03-20.
- ^ OpenID Europe Foundation
- ^ "OpenID 2.0…Final(ly)!". OpenID Foundation. 2007-12-05. http://openid.net/2007/12/05/openid-2_0-final-ly/. Retrieved 2008-03-20.
- ^ "Yahoo! Announces Support for OpenID; Users Able to Access Multiple Internet Sites with Their Yahoo! ID". Yahoo!. 2008-01-17. Archived from the original on 2008-03-04. http://web.archive.org/web/20080304014817/http://biz.yahoo.com/bw/080117/20080117005332.html. Retrieved 2008-03-20.
- ^ "Technology Leaders Join OpenID Foundation to Promote Open Identity Management on the Web". OpenID Foundation (Marketwire). 2008-02-07. http://www.marketwire.com/mw/release.do?id=818650. Retrieved 2008-03-20.
- ^ "SourceForge Implements OpenID Technology" (Press release). SourceForge, Inc.. May 7, 2008. http://www.primenewswire.com/newsroom/news.html?d=142213. Retrieved 2008-05-21.
- ^ "MySpace Announces Support for ‘OpenID’ and Introduces New Data Availability Implementations". Business Wire. MySpace. 2008-07-22. p. 2. http://www.businesswire.com/news/home/20080722006024/en. Retrieved 2008-07-23.
- ^ "Microsoft and Google announce OpenID support". OpenID Foundation. 2008-10-30. http://openid.net/2008/10/30/microsoft-and-google-announce-openid-support/.
- ^ "JanRain Releases Free Version of Industry Leading OpenID Solution" (Press release). JanRain, Inc.. November 14, 2008. http://www.janrain.com/press/2008/rpxnow. Retrieved 2008-11-14.
- ^ "Facebook Developers | Facebook Developers News". Developers.facebook.com. 2009-05-18. http://developers.facebook.com/news.php?blog=1&story=246. Retrieved 2009-07-28.
- ^ "Facebook now accepts Google account logins". Pocket-lint.com. 2009-05-19. http://www.pocket-lint.com/news/news.phtml/24185/facebook-accepting-google-login-openid.phtml. Retrieved 2009-07-28.
- ^ "OpenID Requirements - Facebook Developer Wiki". Wiki.developers.facebook.com. 2009-06-26. http://wiki.developers.facebook.com/index.php/OpenID_Requirements. Retrieved 2009-07-28.
- With OpenID 1.0, the relying party then requests the HTML resource identified by the URL and reads an HTML link tag to discover the OpenID provider's URL (e.g.
Wikimedia Foundation. 2010.