Sylvain Beucler wrote:
> Davi wrote:
> > Karl Goetz wrote:
> > > OpenID consumer support?
> >
> > No, please! It is weak in security. I would like not to have to repeat
> > here the discussion with dachary on IRC about the security weakness of
> > the OpenID standard.
> >
> > Please, do not build infrastructures on weak bases!
> - when things are moving off-topic, please change the subject
I was not talking about single sign-on, because in the proposed solution users
have to authenticate in each webapp, even if they are already authenticated
in another one.
The proposed integration solution was just to enable a Savannah user to use the
GNU Herds webapp without registering. They can just log in directly using the
same Savannah authentication data and the GNU Herds webapp will autoregister
them.
Definition: "Single sign-on (SSO) is a property of access control
of multiple, related, but independent software systems.
With this property a user logs in once and gains access
to all systems without being prompted to log in again
at each of them."
Ref.: http://en.wikipedia.org/wiki/Single_sign-on
> - back up your claims
>
> Last time I discussed OpenID I understood it was an evolving
> technology, so facts from 1 or 2 years ago probably don't apply
> anymore, and was otherwise secure. AFAIU the main weakness would be a
> use of shared-key cryptography on the first sp<->idp connection - are
> you referring to that?
Read http://en.wikipedia.org/wiki/OpenID#Security_and_phishing . Please read
the references too. You ask for information, so read and understand all of them.
That is because a private and encrypted communication channel (VPN) is the
best way to avoid these issues.
With the VPN you avoid man-in-the-middle attacks. There are a lot of attack
paths, the basic one being based on the DNS service weakness. I hope not to
have to explain all the security knowledge involved because it is a lot to
write.
Do you know any bank which offers OpenID as an authentication mechanism? Carry
out a good analysis, please.
--
I could be mistaken, as usual. Please let me know.