Home/ Oliver Ding's Scrapbook/ Group items tagged openid

Oliver Ding

李劳·传世纪 » Blog Archive » In ancient times there was the Tower of Babel, today there is Openid - 0 views

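  • By a rough estimate, the network services I use daily alone require me to provide 35 usernames and passwords, and that does not count the mailboxes I grabbed early or the registrations I made to test new websites; counting those, there would probably be several hundred. I am a meticulous person; the net is full of dangers and everyone must protect themselves, so across my commonly used network services I use five different usernames and 7 sets of passwords (memory scientists say the upper limit of things of the same kind that a person can remember clearly is 7). As for my passwords, they all contain upper- and lower-case letters, Arabic numerals and all sorts of symbols, and their length reaches 16 characters (given the computing power of today's ordinary computers, 16 characters is more or less an upper limit). In other words, I am not afraid of anyone using brute-force cracking to get at my accounts.
  • I think many people run into the same problem as I do, which is why an open-source organization has come out with a project called Openid. Openid means, put plainly, a public identity; its purpose is to create one globally unique username and password for each person. This database storing a massive number of usernames and passwords provides an interface to all kinds of websites around the world, and if they are willing, this database can become their user authentication system. When a user logs in to such a site, they only need to enter their Openid username, and the page will redirect to the site providing the Openid service; after entering the username again they are returned to the site they were visiting, and authentication is complete.
  • Openid can not only lighten the burden of using the web, it will also have a potentially significant effect: the traces an individual leaves on the Internet become easier to track. For example, simply searching Google for your Openid can reveal the various traces you have left on blogs, BBSes and Douban groups, and personal privacy will be squeezed hard.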
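  • Openid's goal is to solve the ever-growing burden on memory, but to achieve this it first needs the support of most websites, especially the widely used ones such as Google, Yahoo! and Sina.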
Oliver Ding

OAuth: Introduction - 0 views

shared by Oliver Ding on 14 Aug 08 - Cached
  • OAuth and OpenID: OAuth is not an OpenID extension and, at the specification level, shares only a few things with OpenID – some common authors and the fact that both are open specifications in the realm of authentication and access control. ‘Why is OAuth not an OpenID extension?’ is probably the most frequently asked question in the group. The answer is simple: OAuth attempts to provide a standard way for developers to offer their services via an API without forcing their users to expose their passwords (and other credentials). If OAuth depended on OpenID, only OpenID services would be able to use it, and while OpenID is great, there are many applications where it is not suitable or desired. Which doesn’t mean to say you cannot use the two together. OAuth talks about getting users to grant access while OpenID talks about making sure the users are really who they say they are. They should work great together.
  • Is OAuth a New Concept? No. OAuth is the standardization and combined wisdom of many well-established industry protocols. It is similar to other protocols currently in use (Google AuthSub, AOL OpenAuth, Yahoo BBAuth, Upcoming API, Flickr API, Amazon Web Services API, etc). Each protocol provides a proprietary method for exchanging user credentials for an access token or ticket. OAuth was created by carefully studying each of these protocols and extracting the best practices and commonality that will allow new implementations as well as a smooth transition for existing services to support OAuth. An area where OAuth is more evolved than some of the other protocols and services is its direct handling of non-website services. OAuth has built-in support for desktop applications, mobile devices, set-top boxes, and of course websites. Many of the protocols today use a shared secret hardcoded into your software to communicate, something which poses an issue when the service trying to access your private data is open source.