Do you have any good resources? I found this and it makes good
sense to me:
Linked from the OpenID Wikipedia page:
http://marcoslot.net/apps/openid/
http://www.itweek.co.uk/itweek/comment/2184695/openid-open-abuse
There are a lot more, as a Google search for "OpenID" and "security"
or "insecurity," etc., will show you. Some of it is FUD, but there
are demos of man-in-the-middle takeovers. It's simply too easy to
subvert OpenID without some form of known/trusted/certified authority
arbitrating who gets what.
Two-factor authentication, "only send (this/all) info to known/
trusted sites" and the like would mitigate a lot of the issues.
OpenID doesn't really provide that right now.
That's key -- I want studies. I want confidence. These guys are
supposed to be pros, but their recommendation was a sort of "trust
me on this one." I'm glad I'm skeptical!
Stay skeptical. If you don't have all the keys to your own home, you
never know who might come in. Even if someone just peeks in, your
security is still compromised. Now imagine you have 100 houses, and
they all use the same key. One slip and you're screwed.
To mix metaphors, I don't mind having all my eggs in one basket as
long as the basket is actually MINE and no external entity is showing
it to just anyone who asks to pick and choose as they see fit...
CardSpace's "wallet" of ID cards is a step in the right direction; you
can designate what sites can get which information. I think the
OpenID folks are leaning in this direction, but you should never trust
anyone who says "trust me" without an explanation.
ryan woodsmall
EMAIL:PROTECTED
"Be well, do good work, and keep in touch." - Garrison Keillor
_______________________________________________
members mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/members