Peter Palfrader wrote:
> As openid provides no security whatsoever there's probably not a big
> chance of us (as in DSA) hopping onto the openid hype any time soon.
>   

openid could be secure - e.g. by enforcing https everywhere, always 
checking the remote certificate properly, never using passwords for 
authentication, etc.

Unfortunately, none of these apply to the implementations I have seen 
(although my openid provider does at least allow for x509 certificate 
authentication instead of password passed authentication).

There was a good article at 
<http://idcorner.org/2007/08/22/the-problems-with-openid/>, 
unfortunately the domain appears to be off-line now, and the archive at
<http://web.archive.org/web/20080208023407/http://idcorner.org/2007/08/22/the-problems-with-openid/>
 
is difficult to read due to bad formatting.

-- 
Brian May <[email protected]>


_______________________________________________
Debtags-devel mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/debtags-devel

Reply via email to