--On March 23, 2008 7:20:55 PM -0400 Larry Seltzer <[EMAIL PROTECTED]> wrote:
> It's worth pointing out that some OpenID providers are better than > others. An OpenID provider could implement 2-factor authentication, and > some have > (http://www.infrastructure.ziffdavisenterprise.com/c/a/Blogs/OpenID-In-H > ardware/), or other features which could strengthen it. > Yes, but you're still placing your trust, for all the most important information about yourself, in the hands of a third party. That third parties reputation relies on being able to deny a breach of their systems, so their primary motivation would not be to help you solve your problem but to deny that it was caused by them. Insisting, for example, that you used the system incorrectly is a favored tactic of providers who offer similar decoupled authentication schemes. Given the choice between placing that trust in *one* provider, potentially exposing everything about myself, I think a system that relies on *me* to release my information voluntarily when I choose makes more sense from a security perspective. IOW, it is the owner of the data that should retain absolute control over that data. (And no, credit card companies don't own my data. Nor do merchants. I do. They have a responsibility to handle my data with the utmost care, and if they fail in their duty to protect, I have the ability to refuse to any longer do business with them. I understand the attractiveness of not having to remember lots of IDs and passwords, but when you give up control of your data, you give up control of your future. Paul Schmehl ([EMAIL PROTECTED]) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/