On Mon, Jun 2, 2008 at 9:27 AM, Davi Leal <address@hidden> wrote:
> Proposed roadmap:
>
> 1. Follow adding improvements.
>
> 2. Finish the development of the volunteers and pledges feature.
...
> 5. Analyze the OpenID idea.
> It was task: http://savannah.nongnu.org/task/?6782
> I propose the project not use any OpenID shared identity services. If
> nobody disagrees we should close that task, adding a reference to the
> rationale below:
I disagree, this point must be discussed, because it's not true that OpenID is not secure at all, and it's not true that OpenID is safe at all.
Surely OpenID must be implemented in the right way.
I want to point your attention to one problem: imagine the Gnuherds login system is compromised; how much time will it take to discover it? How much time will it take the community to discover that the Google OpenID is compromised? A few minutes, maybe.
Gnuherds can always choose a limited number of OpenID providers; as soon as we discover one of these providers has been exploited, we can remove it from the list.
I think we should discuss this point further.
> Rationale:
> * If GNU Herds adds OpenID support, any security problem at the OpenID
> servers will be a very serious security problem for GNU Herds.
> * Which OpenID servers would GNU Herds support? The more OpenID
> servers GNU Herds supports, the more security risk paths for the
> GNU Herds project.
> Note that OpenID use delegates the authentication process, which is
> a central security piece.
> IMHO the above rationale is enough to reject the OpenID use. Additionally:
> * Note that maybe the GNU Herds project will make bank transactions. So
> the above problems are even more critical.
> There could be other problems not analyzed here.
> --
> As usual we could be wrong. Please let this mailing list know about any
> mistake in the above rationale.
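The mitigation proposed in the reply (a small, explicit list of accepted OpenID providers, with the ability to drop one the moment it is believed compromised) is sketched below as an added example; it is not code from GNU Herds or from anyone in this thread, and the provider hostnames are hypothetical. The point it makes beyond the text: removing a provider from the list is only half the job, since sessions that provider already vouched for must be invalidated too.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class OpenIDProviderPolicy:
    """Relying-party policy: which OpenID provider endpoints may vouch for a login."""
    allowed: set          # hostnames of provider endpoints the project has chosen
    revoked: set = field(default_factory=set)   # providers removed after a compromise
    sessions: list = field(default_factory=list)  # {"user": ..., "provider": ...}

    def provider_host(self, op_endpoint: str):
        """Return the provider hostname if the endpoint is acceptable, else None.

        The endpoint must be HTTPS, on the allowlist and not since revoked;
        anything else is refused, whatever the provider asserts.
        """
        parsed = urlparse(op_endpoint)
        host = (parsed.hostname or "").lower()
        if parsed.scheme != "https" or host not in self.allowed or host in self.revoked:
            return None
        return host

    def login(self, user: str, op_endpoint: str) -> bool:
        """Record a session only if the asserting provider is currently trusted."""
        host = self.provider_host(op_endpoint)
        if host is None:
            return False
        self.sessions.append({"user": user, "provider": host})
        return True

    def revoke_provider(self, host: str) -> int:
        """Stop trusting a provider and drop every session it vouched for.

        Returns the number of sessions invalidated, so an operator can see the
        blast radius of the compromise.
        """
        self.revoked.add(host.lower())
        before = len(self.sessions)
        self.sessions = [s for s in self.sessions if s["provider"] != host.lower()]
        return before - len(self.sessions)


# Constructed example (hypothetical hostnames): two accepted providers.
policy = OpenIDProviderPolicy(allowed={"openid.example.org", "idp.example.net"})
```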