gnuherds-app-dev

Re: OpenID -- look beyond rivals' marketing materials


From: MJ Ray
Subject: Re: OpenID -- look beyond rivals' marketing materials
Date: Wed, 04 Jun 2008 08:23:00 +0100

Davi Leal <address@hidden> wrote:
> MJ Ray wrote:
> > [...] However, my belief is that OpenID gives
> > more intrusion detection opportunities than GNU Herds Cookies.
>
> Read the full [1] article.
>   [1] http://idcorner.org/2007/08/22/the-problems-with-openid/

I've read all that, but I wonder how it's an argument against GNU Herds
using OpenID.  See this bit right at the top, in the introduction:-

"Its primary goal is to enable Internet surfers to replace
self-generated usernames and passwords by a single login credential,
[...] Beyond this, OpenID is pretty much useless."

But is GNU Herds going beyond that?  I didn't think so.  So even that
article suggests OpenID would be fine as an alternative to the
self-generated usernames and passwords used by GNU Herds Cookies,
right from the top.

>   SECURITY PROBLEMS

One can phish and XSS-attack clueless users, which is no worse than
most other websites with logins.  In the GNU Herds case, OpenID seems
actually to make it slightly harder to phish because an attacker needs
to intercept and proxy each OpenID provider site in a convincing way,
instead of only 1 GNU Herds Cookies site.

GNU Herds Cookies seem to have a similar risk of these problems.

>   PRIVACY PROBLEMS

Yes, OpenID provider can track their users.  This should not surprise
any OpenID user.  As I mentioned before, this can be used for good as
well as evil.  It can help users to detect intrusions too: an attacker
needs to conceal login records on both the OpenID provider and
consumer if they want to avoid discovery.

GNU Herds Cookies also have privacy problems for users.

>   TRUST PROBLEMS

Trust really is a different problem.  This is why I proposed building
white and black lists and holding unknowns for approval.  In god we
trust - all others must bring data.

GNU Herds Cookies don't have these problems for GNU Herds itself, but
have them for GNU Herds users just the same.

>   USABILITY PROBLEMS
>   ADOPTION PROBLEMS

If OpenID is optional, these aren't more or less of a problem.

By refusing to allow OpenID based on such dubious articles, GNU Herds
would actually be helping to perpetuate these.

>   IMPERSONATION PROBLEMS

That section seems like another spin on "PRIVACY PROBLEMS" and doesn't
merit a separate reply.

>   AVAILABILITY PROBLEMS

This section ignores the obvious solution: if your OpenID provider
goes away, you switch your OpenID delegation to another provider. It's
as easy as editing a web page. (This would need to be handled by the
white and black lists.) No-one should use their OpenID provider URL
directly.

GNU Herds Cookies seem to have a similar risk of these problems.

>   PATENT PROBLEMS

Software patents are absurd.  I'm disappointed that software patent
claims are given as a reason for GNU Herds not to support a
distributed system.

GNU Herds Cookies seem to have a similar risk of these problems.


Now, look at who wrote it - the author is quite open about being a
member of "Microsoft’s Identity and Access Group" and author of
proprietary software which "Microsoft has acquired [...] together with
all of the underlying patents."
http://idcorner.org/2008/03/06/microsoft-acquires-credenticas-u-prove-technology/

Interested readers can go analysing the contributors further, but I'll
leave it here: that isn't an independent review in my opinion.  I'm
sure I could dig up lots of biased pro-OpenID articles, but I'd prefer
to discuss it more productively than citing subheadings from marketing
materials at each other.

[...]
> OpenID is a nightmare. Read the full [1] article.

No, requiring use of a centralised authentication service is a
nightmare...  This reminds me of past GNU claims that we should
"avoid the use of centralized authentication/authorization portals"
which others may enjoy re-reading in this context.
http://www.gnu.org/projects/dotgnu/danger.html

The problems in the second reference to that are the real problems
with any similar authentication system, which need to be addressed by
GNU Herds no matter what.  Adopting OpenID seems a good way to reduce
the problems of the central point of attack and doesn't make the other
problems worse.
http://avirubin.com/passport.html

Please reconsider OpenID support.
-- 
MJ Ray (slef)
Webmaster for hire, statistician and online shop builder for a small
worker cooperative http://www.ttllp.co.uk/ http://mjr.towers.org.uk/
(Notice http://mjr.towers.org.uk/email.html) tel:+44-844-4437-237
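The delegation mechanism the "AVAILABILITY PROBLEMS" reply relies on (switching providers by editing the identity page's `<link>` tags) and the allow/deny/hold-for-approval policy proposed under "TRUST PROBLEMS", as an added example that is not part of the thread or of GNU Herds' code. The rel names are the ones the OpenID 1.1 and 2.0 specs define for HTML discovery; the hostnames and the sample pages are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# <link rel=...> names the OpenID 1.1 and 2.0 specs define for HTML-based discovery.
REL_KEYS = {"openid.server": "server", "openid.delegate": "delegate",      # 1.1
            "openid2.provider": "provider", "openid2.local_id": "local_id"}  # 2.0

class DelegationParser(HTMLParser):
    # Collects delegation <link> tags from the <head> of an identity page.
    def __init__(self):
        super().__init__()
        self.found, self._in_head = {}, False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        if tag == "link" and self._in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").split():
                key = REL_KEYS.get(rel.lower())
                if key and a.get("href"):
                    self.found.setdefault(key, a["href"])  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False

def discover_delegation(html):
    p = DelegationParser()
    p.feed(html)
    return p.found  # dict of delegation links, empty if the page has none

def classify_provider(found, allowlist, denylist):
    """Allow/deny/hold policy from the thread, applied to the discovered provider host."""
    endpoint = found.get("provider") or found.get("server")
    if not endpoint:
        return "none"
    host = urlsplit(endpoint).hostname or ""
    if host in denylist:
        return "deny"
    return "allow" if host in allowlist else "hold"  # unknown provider: hold for approval

# Constructed sample: one identity page before and after its owner edits it to
# delegate to a different provider (hypothetical hostnames).
PAGE_BEFORE = """<html><head><title>alice</title>
<link rel="openid.server" href="https://provider-a.example/openid">
<link rel="openid.delegate" href="https://provider-a.example/u/alice">
<link rel="openid2.provider" href="https://provider-a.example/openid">
<link rel="openid2.local_id" href="https://provider-a.example/u/alice"></head><body>alice</body></html>"""
PAGE_AFTER = PAGE_BEFORE.replace("provider-a.example", "provider-b.example")
```

The identity URL itself never changes, so a relying party that keys accounts on it keeps working after the switch; only the provider host that the allow/deny lists are checked against moves.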
