Re: [Savannah-users] OpenID security? Is it a joke?
From: Davi Leal
Subject: Re: [Savannah-users] OpenID security? Is it a joke?
Date: Sat, 1 Aug 2009 00:44:14 +0100
User-agent: KMail/1.9.9
Sylvain Beucler wrote:
> Davi wrote:
> > Karl Goetz wrote:
> > > OpenID consumer support?
> >
> > No, please! It is weak in security. I would like not to have to repeat
> > here the discussion with dachary on IRC about the security weakness of
> > the OpenID standard.
> >
> > Please, do not build infrastructures on weak bases!
> - when things are moving off-topic, please change the subject
I was not talking about single sign-on, because in the proposed solution users
have to authenticate in each webapp, even if they are already authenticated
in another one.
The proposed integration solution was just to enable a Savannah user to use the
GNU Herds webapp without registering. They can just log in directly using the
same Savannah authentication data and the GNU Herds webapp will autoregister
them.
Definition: "Single sign-on (SSO) is a property of access control
of multiple, related, but independent software systems.
With this property a user logs in once and gains access
to all systems without being prompted to log in again
at each of them."
Ref.: http://en.wikipedia.org/wiki/Single_sign-on
> - back up your claims
>
> Last time I discussed OpenID I understood it was an evolving
> technology, so facts from 1 or 2 years ago probably don't apply
> anymore, and was otherwise secure. AFAIU the main weakness would be a
> use of shared-key cryptography on the first sp<->idp connection - are
> you referring to that?
Read http://en.wikipedia.org/wiki/OpenID#Security_and_phishing . Please read
the references too. You ask for information, so read and understand all of them.
That is because a private and encrypted communication channel (VPN) is the
best way to avoid these issues.
With the VPN you avoid man-in-the-middle attacks. There are a lot of attack
paths, the basic one being based on the DNS service weakness. I hope I do not
have to explain all the security knowledge involved because it is a lot to
write.
Do you know any bank which offers OpenID as an authentication mechanism? Do a
good analysis, please.
--
I could be mistaken, as usual. Please let me know.