OpenID represents (at least to the OSS world) the unified login structure that has been the proprietary advantage of Microsoft for so long. This will be an excellent technology for businesses to use internally (who control their own servers and services). It allows the capabilities of Single Sign On (SSO) to find a wider audience.
I did use OpenID for a few services . . . it was nice, but I began to worry about outages on the OpenID server. If that server goes down, I may not be able to log on to anything.

But in response to the previous statement:

> In general, I am opposed to anything that encourages people to use the same
> id and password across multiple domains. The potential for complete
> compromise of everything you have/own/are is too great.

In part I do agree. SSO can be dangerous, but it can also benefit the end user. As an example: I have 15 websites that I use: banking, gmail, forums, etc. Many people ALREADY have ONE or TWO password and user name combinations for all of these websites. If there is a compromise in the database of a forum that I use, the recipients of this data now have my bank account login as well as many other valid logins.

From my understanding this scenario would not be possible with OpenID; all of the password hashes are stored on the OpenID servers, not in separate databases on each website that I access. But now, because of the lack of unified auditing (OpenID keeps track of the authentication attempts) and my inability to change passwords on all of the sites that I access at the same time, I have to go to every web site that I access and change my user name and password.

As far as the general public is concerned . . . I would recommend it in limited use cases until the technology becomes more distributed and mature. The reliance on "One Login to Rule Them All" can be very dangerous. Ideally the best way to go about this would be to create a replication system (like DNS or USENET) where an update on one server is then made available to all servers connected to the OpenID network (that network being worldwide, and moving transparently across political and business borders). But then OpenID can become a means to control access to services.
Imagine worst-case scenarios: rogue OpenID servers, governments denying access to seditious users, identity theft on a grand scale, etc. That being said, these scenarios (and many more) will keep Full Disclosure and computer security experts in business for a long, long time. As computers move away from a standalone platform and towards an always-networked application interface, we will need this OpenID model. But it needs a lot of work, and a lot of field testing.

--Joseph Kern

On Sun, Mar 23, 2008 at 11:50 AM, Paul Schmehl <[EMAIL PROTECTED]> wrote:
> --On Sunday, March 23, 2008 5:18 AM -0700 Steven Rakick
> <[EMAIL PROTECTED]> wrote:
>
> > Hello list,
> >
> > I'm curious what the group thinks about the recent
> > surge in support for OpenID across the web and the
> > impact it will have.
> >
> > 1) Beemba - http://www.beemba.com
> > 2) ClaimID - http://www.claimid.com
> > 3) MyOpenID - http://www.myopenid.com
> > 4) Many others...
> >
> > These sites are gaining in popularity quickly and with
> > the announcements of support from big players Yahoo,
> > AOL, Microsoft and Google, combined with smaller
> > web2.0 celeb-run sites like Digg, OpenID appears to be
> > what will eventually be the norm.
> >
> > Thoughts?
> >
>
> In general, I am opposed to anything that encourages people to use the same
> id and password across multiple domains. The potential for complete
> compromise of everything you have/own/are is too great.
>
> Paul Schmehl ([EMAIL PROTECTED])
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
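As an added example (not part of the thread, and not any OpenID library's code) of the point Joseph makes about the relying party never holding the user's password: a sketch in Python of how an OpenID 2.0-style relying party checks a signed positive assertion. The OpenID provider (OP) signs the key:value form of the fields named in openid.signed with the association's HMAC key, and the relying party (RP) only ever stores the claimed identifier, never a credential. Simplifications and assumptions: the association secret is pre-shared here instead of being negotiated, HMAC-SHA1 is used as in the OpenID 2.0 default association type, the nonce store is omitted, and every URL, handle and identifier is constructed for the example.

```python
"""Simplified OpenID 2.0-style signed-assertion check (illustrative, not a library)."""
import base64
import hashlib
import hmac

# Constructed association state. In real OpenID 2.0 the OP and RP negotiate
# this during the association step; here it is simply pre-shared (assumption).
ASSOC_HANDLE = "assoc-2008-03-23"
ASSOC_SECRET = b"constructed-shared-secret-do-not-reuse"

# Fields the OP commits to in the signature, in openid.signed order.
SIGNED_FIELDS = ["op_endpoint", "return_to", "response_nonce",
                 "assoc_handle", "claimed_id", "identity"]


def kv_form(fields, params):
    """OpenID key-value form: one 'key:value\\n' line per field, without the
    'openid.' prefix. This is the byte string the HMAC is computed over."""
    return "".join(f"{k}:{params.get('openid.' + k, '')}\n" for k in fields).encode()


def op_sign_assertion(params, secret=ASSOC_SECRET):
    """OP side: produce the positive assertion. The user authenticated to the
    OP (password, etc.); nothing about that credential goes to the RP."""
    params = dict(params)
    params["openid.signed"] = ",".join(SIGNED_FIELDS)
    mac = hmac.new(secret, kv_form(SIGNED_FIELDS, params), hashlib.sha1).digest()
    params["openid.sig"] = base64.b64encode(mac).decode()
    return params


def rp_verify_assertion(params, expected_return_to, secret=ASSOC_SECRET):
    """RP side: accept the assertion only if it was addressed to this RP and
    the HMAC over the signed fields verifies. Returns the claimed identifier
    on success (the only thing the RP needs to persist), or None."""
    if params.get("openid.mode") != "id_res":
        return None
    if params.get("openid.assoc_handle") != ASSOC_HANDLE:
        return None
    # An assertion minted for another RP must not be accepted here.
    if params.get("openid.return_to") != expected_return_to:
        return None
    signed = params.get("openid.signed", "").split(",")
    # Every field the RP relies on has to be covered by the signature,
    # otherwise an attacker could add or swap an unsigned identity field.
    if not set(SIGNED_FIELDS).issubset(signed):
        return None
    try:
        given = base64.b64decode(params.get("openid.sig", ""))
    except ValueError:
        return None
    expected = hmac.new(secret, kv_form(signed, params), hashlib.sha1).digest()
    if not hmac.compare_digest(given, expected):
        return None
    return params["openid.claimed_id"]


def demo():
    """Genuine assertion accepted; tampered identity and wrong RP rejected."""
    rp_return_to = "https://forum.example/openid/return"      # hypothetical RP
    assertion = {
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/server",    # hypothetical OP
        "openid.return_to": rp_return_to,
        "openid.response_nonce": "2008-03-23T11:50:00Zabc123",
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.claimed_id": "https://alice.op.example/",
        "openid.identity": "https://alice.op.example/",
    }
    signed = op_sign_assertion(assertion)
    ok = rp_verify_assertion(signed, rp_return_to)
    # Changing the identity after signing breaks the HMAC.
    forged = dict(signed, **{"openid.claimed_id": "https://bob.op.example/"})
    bad = rp_verify_assertion(forged, rp_return_to)
    # Replaying the same assertion at a different RP fails the return_to check.
    other = rp_verify_assertion(signed, "https://other.example/return")
    return ok, bad, other


if __name__ == "__main__":
    print(demo())
```

Two caveats a real RP adds on top of this: it must remember each openid.response_nonce it has accepted so the same assertion cannot be replayed at the same RP, and it must have discovered the OP endpoint for the claimed identifier itself rather than trusting openid.op_endpoint from the assertion, which is exactly the "rogue OpenID server" case Joseph raises.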