[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: OpenID -- do not delegate the authentication process
From: |
Davi Leal |
Subject: |
Re: OpenID -- do not delegate the authentication process |
Date: |
Mon, 2 Jun 2008 22:39:47 +0200 |
User-agent: |
KMail/1.9.7 |
Antenore Gatta wrote:
> > I propose the project do not use any OpenID shared identity services. If
> > nobody disagree we should close such task adding a reference to the below
> > rationale:
>
> I disagree, this point must be discussed, because it's not true that OpenID
> is not secure at all and it's not true that OpenID it's safe at all.
IMHO, if OpenID is not safe at all this project should not use it.
What is wrong with the current authentication system? If it is needed we
could add an OpenID identity service at GNU Herds; so we could take care of
its security.
> Surelly OpenID must be implemented in the right way.
Of course, anything we do should be done in the right way.
> I want to point your attention to one problem, imagine the Gnuherds login
> system will be compromised, how much time it'll take to discover it? How
> much time will take to the community to discover that the google openID is
> compromised? Few minutes maybe.
You are right about that. However, IMHO, if the users keep money under the
GNU Herds control, few minutes could be too late. We have to be able to take
care of the whole system, without delegating the authentication part, to be
sure the system will be never compromised.
What about if BlueOrganization OpenID provider decide 'sell' the needed
data... to get into GNU Herds and get the users money. IMHO we should not
open the door towards the GNU Herds users money.
> Gnuherds can always choose a limited numebr of OpenID providers, as soon as
> we will discover one of these providers has been exploited, we can remove
> it from the list.
If the GNU Herds project keeps money we should not use any _external_ OpenID
provider. The damage, in form of "all money lost", could be already done
before we note it.
Who control the authentication systems control the money kept at GNU Herds.
> I think we should discuss better this point.
I agree.
We must follow discussing about this to be ready when we begin to work on the
(phase 2) to add 'bank' support.
The (phase 1) will work without bank.
> > Rationale:
> >
> > * If GNU Herds add OpenID support, any security problem at the OpenID
> > servers will be a very serious security problem for GNU Herds.
> >
> > * What OpenID servers GNU Herds would support? The more OpenID
> > servers GNU Herds support the more security risk paths for the
> > GNU Herds project.
> >
> > Note the OpenID use delegates the authentication process which is
> > a central security piece.
> >
> >
> > IMHO the above rationale is enough to reject the OpenID use.
> > Additionally:
> >
> > * Note maybe the GNU Heds project will make bank transactions. So
> > the above problems are even more critic.
> >
> >
> > It could be other problems not analyzed here.
- Re: OpenID, Antenore Gatta, 2008/06/02
- Re: OpenID, MJ Ray, 2008/06/02
- Re: OpenID -- do not delegate the authentication process, Davi Leal, 2008/06/02
- Re: OpenID -- do not delegate the authentication process, MJ Ray, 2008/06/03
- Re: OpenID -- no no, Davi Leal, 2008/06/03
- Re: OpenID -- look beyond rivals' marketing materials, MJ Ray, 2008/06/04
- Re: --- I am overloaded, delaying other tasks ---, Davi Leal, 2008/06/04
- Re: --- I am overloaded, delaying other tasks ---, Antenore Gatta, 2008/06/05
Re: OpenID -- do not delegate the authentication process,
Davi Leal <=