On Thu, Jun 21, 2012 at 09:46:54AM +0200, Bjoern Michaelsen wrote: > On Thu, Jun 21, 2012 at 07:09:15AM +0200, Lionel Elie Mamane wrote:
>> But frankly, why should Google, AOL, Wordpress or another person be >> able to impersonate me at the TDF systems? > If you created an account at one of those, you are trusting > them. The trust issue is with account creation, not with usage. Once > you have a google account it is automatically OpenID enabled. Even > if you never used it yourself, google is perfectly able to > impersonate you. No, if I create a gerrit account with a non-Google OpenID identity, get it added to the right "privileged groups" (committer, can review, can submit patches with different author, ...) and I have an OpenID-enabled Google account, then Google is able to create a *new* account at Gerrit with my Google identity with *no* more privileges than we give any random person. It is *not* able (modulo security issues in Gerrit or my other OpenID provider) to access my Gerrit account, as long as I (or my OpenID provider or anybody cracking them) don't go into my Gerrit account and link my Google-issued OpenID identity to my Gerrit account. > The same is true for an email/password-login and any external mail > provider. No, my email being hosted at gmail does not mean Google knows, or can know, my username/password at wiki.documentfoundation.org; yes, they can request a new password to be mailed and intercept it, but then I'll notice something is wrong: I cannot login at the wiki anymore! (For the specific case of google, they could put a spy feature in Chrome, OK... like the author of about any software I use.) -- Lionel _______________________________________________ LibreOffice mailing list LibreOffice@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/libreoffice