Seems that the openid feature is removed now in Fx 4? I cannot login to my stackoverflow account any more.

I’ve been using Weave for a few months now, but just today I noticed that I’ve lost the ability to specify an OpenID provider when logging into openID Services (via RPX). All I see is a “sign in” button, which seems to be pulling the wrong openID provider.

Is there any way to change this?

By the way, I really like the firefox theme in this vedio, could you please give me a weblink or tell me the name? i am looking for it all the day….Thanks a lot.

I can’t register Weave account.
I got through step 3. It asked to input words I can see in the image, but there’s no image.

There is a way to use simple ssl certificates to get single sing on to work in existing browsers using the foaf+ssl ‘protocol’. See iPhone demo for example at

http://blogs.sun.com/bblfish/entry/one_click_global_sign_on

The advantage of that system is that it brings your social network with you. Perhaps this could be linked into weave too?

For more on foaf+ssl see the specification:
http://blogs.sun.com/bblfish/entry/foaf_ssl_adding_security_to

There are a lot of examples on the foaf+ssl wiki, though we need to make them easier to understand.

Here’s something I don’t get: browsers, including firefox, already have an incredibly strong identity/authentication system built-in. They’ve had it for years. SSL certificates are a widely used, universally recognized standard in all kinds of situations where security is a major concern.

Couldn’t we have some effort to simply make these things easier to work with in the browser ui? Like auto-generating a new keypair and self-signed certificate in the case where you guys are talking about auto-generating a strong password? Either of these is an impossible-to-remember chunk of data, so you might as well make it good.

If browser makers, security experts, and the creators of some major websites could cooperate on this, I would think we could put together an awesome system where a user simply signs into the browser, and then has controls somewhere in the chrome for logging in and out of whatever site they’re on and controling what information they provide to that site.

Hey Dan
Nice feature. I relly hope to see the weave integrated in coming FF release.

just wondering what theme you are using in the demo? The theme and customization looks great. Can you pls let me know the name of the theme you are using?

@Daniel E:
In response to your post.

1. Isn’t it already strong!?

2. An integrated random password generator should be a must have in Firefox!

3. This would be excellent. As far as I know OpenID provides an easy way for 3rd party sites to access identity information.

4. Storing Notes (even encrypted) would also be a very nice and useful addition to Firefox.
So I would be able to store & show notes of pages I am visiting.

well, this is all fine and good but I find that very often my browser is used by people other than myself, significant others, friends, and so on sometimes want to sit down at the computer and use it for a bit… it seems like any feature that auto-logs in would be an invitation for privacy issues, this in effect makes the browser like an OS… it would almost require a browser “guest mode” …

just a few thoughts not really sure how to solve this issue

Really like the idea. Quick feedback: the Location Bar button should only appear if the page supports sign-in. And there should be an option to turn it off. (Am I the only one who finds that additional buttons become accidental clicking points when subscribing to RSS or bookmarking?)

Also, saving your passwords is only as good as your Firefox saved passwords, so you should probably set a Master Password to hide your Weave password and encryption passphrase. And if Firefox/Weave could consolidate all of the UI that’d be awesome. Three layers of passwords becomes unmanageable.

I’ve been using an extension called Sxipper for a while now to provide similar functionality. They had talked a while back about getting tighter integration with Weave to store their identity data, but adding this feature would make weave more of a competing service than a facilitating one.

The major features that I have always looked for in a password manager are:
1. Strong encryption with a master password
2. Option to randomly generate and save a password for each site.
3. Identity management – Ability to optionally fill in registration information such as name, address, and when purchasing something, credit card info. Obviously, feature #1 is an absolute requirement for me to use this.
4. Easy backup and synchronization – I have hundreds of logins saved for all the different services I have found cause to register with over the years. I also use encrypted notes to store other information such as passwords to remote servers, and important personal information such as policy numbers.

Installing the Weave Dev version on 3.5b4 (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4 (.NET CLR 3.5.30729)) causes an unresponsive script on browser start – can’t remember the exact file name, but it was something to do with NS and flush or something.

Had to stick fx into safe-mode and uninstall the extension.

If you want more details/for me to replicate and get exact filename let me know.

@Chris Quackenbush: passwords are not stored in cleartext on the server, they are encrypted using AES2 encryption. we did this on purpose as we believe that no one besides you, the user, should have access to your personal data (including logins, bookmarks, browsing history, etc.) unless you explicitly delegate access, and even then, it should be secure & revocable. totally understandable that this isn’t clear though given the industry norm today is to give service providers full access to all of your data.

This is absolutely great. One BIG required feature is a *Logout* button along with and integrated for Basic/Digest HTTP authentication.

One of the big reasons sites stopped doing web authentication the right way, was that the integrated browser UI for logout was non-existent.

Please don’t make that mistake the second time around.

I’m sorry guys, but I have to strongly disagree with your entire approach here. Storing passwords in cleartext on the server is super dangerous. If this makes it into a release version of Firefox people will definitely use it for not only forums and bug trackers, but for banking and email passwords.
Right now, FF stores passwords on my hard drive, so I can control the security of identity by controlling the physical security of my computer. I trust Mozilla, but what will happen if you make a mistake and a bunch of people have their identities stolen? This type of thing happens all the time. Maybe you guys have thought of this and are doing something clever to not store passwords in the clear, but this blog post didn’t seem concerned with security at all.

Dan – great work, it looks like Weave is doing great.

Just one comment on the UI – I think the icon on the right of the URL bar makes a lot of sense, but it might be worth reducing it to a simple icon with only two states (much like the favourites icon). I see there are different colours right now, presumably for different login types – my opinion is that majority users don’t mind what their login type is, just whether they log in or not. Also, when you log out, the icon doesn’t go back to grey – I think it’d be great to be able to use it as a persistent UI element that tells you simply whether you’re logged in or not on the website you’re viewing right now.

On another note, I like having this function both on the webpage itself AND in Chrome. Great for fullscreeners, those with different habits, and it doesn’t require folk to learn a new interaction. Great stuff!

Wow, thanks to everyone on the weave team for sprinting through this and getting workable version out there to try out… And thanks for posting the video for those of us who do not have access to a weave server.

I really believe the next generation of the web is going to depend much more heavily on the user agent, especially when it comes to authentication management. There is an interesting article on Read Write Web that brings this up several times ( http://www.readwriteweb.com/archives/firefox_could_be_the_real_facebook_challenger.php ).

I wholeheartedly agree with this idea, but I think open ID is a weak implementation. The redirect required by open ID in combination with the more complex login is exposing too much of the raw underbelly of authentication to most users. To most of my test users, open ID seems harder to use… not easier. For this idea to jump into the mainstream, our community is going to need a better standard… Perhaps one based in the browser like the weave team demonstrated here?

I’d like to see in Weave the ability for secure generating of passwords based on a master password hashed with the site domains included, see https://bugzilla.mozilla.org/show_bug.cgi?id=356855 or
https://bugzilla.mozilla.org/show_bug.cgi?id=363372

Far too many people when faced with a “sign up” form on new sites repeatedly use the same guessable passwords in the absence of this simple mechanism.

This is just super-cool and something that *everyone* has been waiting for unknowingly. I don’t know why it hasn’t already been done!

I’ve tried the latest Weave(0.3.2) a bit. Logging-in automatically is really a great feature. I’m excited about it. But it does not work well with Open ID.

It seems like Weave sends Open ID to a server all as small letters. But for example, the first letter of my Weave account is a capital letter. This difference is the cause IMO.

I’d be glad if you fix it ASAP.