Re: OpenID
Works with plaxo.com. Links directly to your profile there, unlike livejournal.com.

-- Jason

Mike McGrath wrote:
> Hey guys, so the last little bits are in good shape for the OpenID provider we're attempting to be. Don't go announcing this to others yet. Let's test it out, if it breaks something let us know. We'll be announcing it officially soon.
>
> You can, for example, log in to livejournal.com with:
>
> username.id.fedoraproject.org
>
> as your openID provider. For example, my openID url is mmcgrath.id.fedoraproject.org
>
> -Mike

___
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Re: OpenID
On 2008-05-29 09:16:09 AM, Nicu Buculei wrote:
> It *almost* worked for me, until a 500 Internal error in
> https://admin.fedoraproject.org/accounts/openid/allow

Ah, good find. I just tried to fix a bug in that, can you try again with the same OpenID consumer and see if it works?

Thanks,
Ricky
Re: OpenID
On Thu May 29 2008, Mike McGrath wrote:
> Hey guys, so the last little bits are in good shape for the OpenID provider we're attempting to be. Don't go announcing this to others yet. Let's test it out, if it breaks something let us know. We'll be announcing it officially soon.
>
> You can, for example, log in to livejournal.com with:

The login to livejournal worked for me, too. But after I have seen how it works, I think it is too insecure to use the FAS password for authentication. This makes it pretty easy for any openid user to get the FAS password, because instead of really forwarding someone to the FAS homepage, one could just present the FAS login form to get the password.

Here is an interesting blog article about security considerations wrt. openid:
http://idcorner.org/2007/08/22/the-problems-with-openid/

Regards,
Till
Re: OpenID
2008/5/29 Mike McGrath [EMAIL PROTECTED]:
> Hey guys, so the last little bits are in good shape for the OpenID provider we're attempting to be. Don't go announcing this to others yet. Let's test it out, if it breaks something let us know. We'll be announcing it officially soon.
>
> You can, for example, log in to livejournal.com with:
>
> username.id.fedoraproject.org
>
> as your openID provider.

Works perfectly, great work all :)

Jon
Re: OpenID
2008/5/29 Till Maas [EMAIL PROTECTED]:
> On Thu May 29 2008, Mike McGrath wrote:
>> Hey guys, so the last little bits are in good shape for the OpenID provider we're attempting to be. Don't go announcing this to others yet. Let's test it out, if it breaks something let us know. We'll be announcing it officially soon.
>>
>> You can, for example, log in to livejournal.com with:
>
> The login to livejournal worked for me, too. But after I have seen how it works, I think it is too insecure to use the FAS password for authentication. This makes it pretty easy for any openid user to get the FAS password, because instead of really forwarding someone to the FAS homepage, one could just present the FAS login form to get the password.
>
> Here is an interesting blog article about security considerations wrt. openid:
> http://idcorner.org/2007/08/22/the-problems-with-openid/

While I don't have any specific replies to the issues that Stefan Brand points out in that article (I'm too new at the OpenID game), it should be noted that Stefan is the owner of a company that is developing a competing patented[1] technology that recently sold out to Microsoft[2]. However, David Recordon does have a rebuttal of Stefan's points[3].

[1] http://www.credentica.com/patent_portfolio.html
[2] http://idcorner.org/2008/03/06/microsoft-acquires-credenticas-u-prove-technology/
[3] http://daveman692.livejournal.com/310578.html

Jeff
Re: OpenID
On Thu, May 29, 2008 at 12:07:43PM +0200, Till Maas wrote:
> On Thu May 29 2008, Mike McGrath wrote:
>> Hey guys, so the last little bits are in good shape for the OpenID provider we're attempting to be. Don't go announcing this to others yet. Let's test it out, if it breaks something let us know. We'll be announcing it officially soon.
>>
>> You can, for example, log in to livejournal.com with:
>
> The login to livejournal worked for me, too. But after I have seen how it works, I think it is too insecure to use the FAS password for authentication. This makes it pretty easy for any openid user to get the FAS password, because instead of really forwarding someone to the FAS homepage, one could just present the FAS login form to get the password.
>
> Here is an interesting blog article about security considerations wrt. openid:
> http://idcorner.org/2007/08/22/the-problems-with-openid/

A possible solution to the phishing issue might be to only allow ssl client auth and not a login/password for a.fp.org/accounts/openid/login this doesn't stop the phishing site asking for a password but the difference might be enough for the user to notice that something is wrong.

I am not sure that I see any value in OpenID in any case, there are very few OpenID consumers that I know about.

Kostas
Re: OpenID
On Thu, May 29, 2008 at 8:03 AM, Kostas Georgiou [EMAIL PROTECTED] wrote:
> A possible solution to the phishing issue might be to only allow ssl client auth and not a login/password for a.fp.org/accounts/openid/login this doesn't stop the phishing site asking for a password but the difference might be enough for the user to notice that something is wrong.

The phishing problem isn't unique to OpenID.

> I am not sure that I see any value in OpenID in any case, there are very few OpenID consumers that I know about.

While OpenID is definitely an emerging technology, there are a lot of places where OpenID can be used to authenticate. Here are a couple of sites that have directories of OpenID-enabled sites:

https://www.myopenid.com/directory
http://openiddirectory.com/

Jeff
Re: OpenID
On Thu, May 29, 2008 at 9:01 AM, Jeffrey Ollie [EMAIL PROTECTED] wrote:
> 2008/5/29 Till Maas [EMAIL PROTECTED]:
>> Here is an interesting blog article about security considerations wrt. openid:
>> http://idcorner.org/2007/08/22/the-problems-with-openid/
>
> While I don't have any specific replies to the issues that Stefan Brand points out in that article (I'm too new at the OpenID game), it should be noted that Stefan is the owner of a company that is developing a competing patented[1] technology that recently sold out to Microsoft[2]. However, David Recordon does have a rebuttal of Stefan's points[3].
>
> [1] http://www.credentica.com/patent_portfolio.html
> [2] http://idcorner.org/2008/03/06/microsoft-acquires-credenticas-u-prove-technology/
> [3] http://daveman692.livejournal.com/310578.html

I wouldn't dismiss his comments because of who he sold his patented technology to until people on the infrastructure team more familiar with OpenID and the security risks associated with it (I'm not that person either :-) ) have reviewed the article for merit. Stefan does post a follow-up comment to the David Recordon post. It seems people are divided on the security OpenID does or does not provide. It also seems to me an area where if OpenID is implemented there should be some people on the infrastructure team that understand the nuances of any security issues related to OpenID. We may have those people on the team already - in which case hearing their opinion on some of these articles would be useful.

> The phishing problem isn't unique to OpenID.

No, it isn't unique to OpenID - but it is certainly an area we should take into account before implementing OpenID.

With all of that said - I like the OpenID idea. And we run other services that have potential exposure to security issues (ssh, just our normal FAS logins, etc) - but we do make efforts to protect those services to the best of our ability to reduce our risk. I think we should do the same with an OpenID implementation.

Sure the Infrastructure team can get OpenID to work, we just need to be sure someone also makes sure we have evaluated potential security concerns and addressed them when deemed appropriate. We may already have that person on the team - or we may need to spend the time to study some of the issues pointed out and determine if they are a valid risk and if so - how do we protect against it.

~Jeffrey
Re: OpenID
Ricky Zhou wrote:
> On 2008-05-29 09:16:09 AM, Nicu Buculei wrote:
>> It *almost* worked for me, until a 500 Internal error in
>> https://admin.fedoraproject.org/accounts/openid/allow
>
> Ah, good find. I just tried to fix a bug in that, can you try again with the same OpenID consumer and see if it works?

Yes, it works now (the consumer was blogger.com)

--
nicu :: http://nicubunu.ro :: http://nicubunu.blogspot.com
Cool Fedora wallpapers: http://fedora.nicubunu.ro/wallpapers/
Open Clip Art Library: http://www.openclipart.org
my Fedora stuff: http://fedora.nicubunu.ro
Re: OpenID
On Thu, 29 May 2008, Jeremy Katz wrote:
> Jeffrey Tadlock wrote:
>>> The phishing problem isn't unique to OpenID.
>>
>> No, it isn't unique to OpenID - but it is certainly an area we should take into account before implementing OpenID.
>>
>> With all of that said - I like the OpenID idea. And we run other services that have potential exposure to security issues (ssh, just our normal FAS logins, etc) - but we do make efforts to protect those services to the best of our ability to reduce our risk.
>
> ... and we should actually look at using our SSL certs more for authentication as opposed to requiring people to type their FAS password all over the place. This is something I keep meaning to bring up but then having other stuff come up instead.

Actually we have some SSL auth in place already though I'm not totally sure the status of it. We haven't officially announced it I know that :) ricky? toshio? any comments?

-Mike
Re: OpenID
On Thu May 29 2008, Kostas Georgiou wrote:
> I am not sure that I see any value in OpenID in any case, there are very few OpenID consumers that I know about.

I would like to see many upstream bugtrackers allowing an OpenID login, so that I do not need another new password and registration for them.

Regards,
Till
Re: OpenID
Mike McGrath wrote:
> Hey guys, so the last little bits are in good shape for the OpenID provider we're attempting to be. Don't go announcing this to others yet. Let's test it out, if it breaks something let us know. We'll be announcing it officially soon.
>
> You can, for example, log in to livejournal.com with:
>
> username.id.fedoraproject.org
>
> as your openID provider. For example, my openID url is mmcgrath.id.fedoraproject.org

Cool. That works just fine.

Rahul
Re: OpenID and CLA
On Mon, 2008-05-26 at 20:11 -0500, Mike McGrath wrote:
> On Mon, 26 May 2008, Karsten 'quaid' Wade wrote:
>> Just doing some thinking ...
>>
>> If we want to move our OpenID acceptance outside of Fedora's OpenID server, we'll have a blocker with the CLA. AIUI, we need someone to knowingly accept the CLA and have that tied to a Real Name and email address in our database. Right?
>
> Correct.
>
>> However, OpenID could be a good way to get permissions to Talk: pages. That is a great way to get feedback from drive-bys, the kind of people who might take advantage of an OpenID to make a minor change on a page.
>
> nod I looked briefly into this but haven't totally come to a solution yet.
>
>> Content in Talk: could be treated procedurally as we do bug reports. Maybe we can have a WikiLicense type of thing (FedoraProject:Copyrights link enough?) for that? Either way, Talk: could be a discussion area, cf. mailing lists and bugzilla, that may produce content. If someone gives specific wording and we want to use it, and now or later modify it, redistribute it, etc., it needs to be under the CLA and site license. This is comparable to receiving a patch via bugzilla where the contributor should include licensing text.
>
> Yeah, this is both a question for legal and a question to see what is technically feasible. OpenID is great, but once again the CLA continues to be the biggest blocker to growing our contributor base.
>
> -Mike

It is my understanding that OpenID isn't about giving people unfettered access. It is about not having to type your information and remember passwords for 100 different sites. The idea behind federation is you can allow access from certain OpenID domains to specific resources (FAS still decides what gets served up) and you can also federate a Fedora user account with an OpenID account. For more sensitive operations you can still require the user type in their Fedora password or have a certificate.

http://www.gnucitizen.org/blog/openid-a-security-story/ lists some OpenID concerns (a lot of which we prevent by using https).

This issue is more than just an OpenID issue. In fact you can take OpenID out of the equation to ask, how do we allow people to join when the CLA is our biggest blocker. I think the correct answer here is the one being looked at which is to allow things like posting comments, bugs and setting up a user presence within Fedora should all be allowed without the CLA (bugs are already allowed this way). For all other things, as people want to do more the CLA is then presented as the next step.

Putting OpenID back into the equation doesn't really change much other than a discussion on what level do we just accept OpenID and on what level do we make them federate with a Fedora account. Concentrating on the CLA bottleneck would make everything else possible. We have concluded that it is a necessity but I hope that doesn't mean we don't have any wiggle room.

--
John (J5) Palmieri [EMAIL PROTECTED]
Re: OpenID and CLA
On Mon, 26 May 2008, Jeffrey Ollie wrote:
> You don't have to limit the choices to only accept Fedora OpenID identities or allow any OpenID identity. It should be possible to limit our acceptance of OpenID identities to ones that have previously been associated with a FAS account. So before you could use your Yahoo or MyOpenID identity to login to the Fedora Wiki you'd have to log into FAS and register any other identities that you'd like to use. I don't know enough about the MediaWiki OpenID plugin to know if that would be easy or hard to do.

You can only allow or deny certain OpenID servers, as far as I can tell.

-- ian
Re: OpenID and CLA
On Mon, 26 May 2008, Karsten 'quaid' Wade wrote:
> Just doing some thinking ...
>
> If we want to move our OpenID acceptance outside of Fedora's OpenID server, we'll have a blocker with the CLA. AIUI, we need someone to knowingly accept the CLA and have that tied to a Real Name and email address in our database. Right?

Correct.

> However, OpenID could be a good way to get permissions to Talk: pages. That is a great way to get feedback from drive-bys, the kind of people who might take advantage of an OpenID to make a minor change on a page.

nod I looked briefly into this but haven't totally come to a solution yet.

> Content in Talk: could be treated procedurally as we do bug reports. Maybe we can have a WikiLicense type of thing (FedoraProject:Copyrights link enough?) for that? Either way, Talk: could be a discussion area, cf. mailing lists and bugzilla, that may produce content. If someone gives specific wording and we want to use it, and now or later modify it, redistribute it, etc., it needs to be under the CLA and site license. This is comparable to receiving a patch via bugzilla where the contributor should include licensing text.

Yeah, this is both a question for legal and a question to see what is technically feasible. OpenID is great, but once again the CLA continues to be the biggest blocker to growing our contributor base.

-Mike
Re: OpenID and CLA
2008/5/26 Karsten 'quaid' Wade [EMAIL PROTECTED]:
> If we want to move our OpenID acceptance outside of Fedora's OpenID server, we'll have a blocker with the CLA. AIUI, we need someone to knowingly accept the CLA and have that tied to a Real Name and email address in our database. Right?

You don't have to limit the choices to only accept Fedora OpenID identities or allow any OpenID identity. It should be possible to limit our acceptance of OpenID identities to ones that have previously been associated with a FAS account. So before you could use your Yahoo or MyOpenID identity to login to the Fedora Wiki you'd have to log into FAS and register any other identities that you'd like to use. I don't know enough about the MediaWiki OpenID plugin to know if that would be easy or hard to do.

Jeff
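
The restriction discussed in this thread (accept a third-party OpenID only if it was previously registered against a FAS account, and gate contribution-level actions on the CLA), sketched as an added example; it is not FAS or MediaWiki plugin code and was not posted by anyone on the list. The link table, account names, `openid.example` hosts and action tiers are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data (hypothetical link table): identifiers each user
# registered while logged in to FAS, and which accounts have signed the CLA.
LINKED_IDENTITIES = {
    "https://jdoe.openid.example/": "jdoe",
    "https://asmith.openid.example/": "asmith",
}
CLA_SIGNED = {"jdoe"}

# Hypothetical action tiers, loosely following the thread.
OPEN_ACTIONS = {"comment"}             # any verified OpenID
LINKED_ACTIONS = {"edit_talk_page"}    # identity must be linked to a FAS account
CLA_ACTIONS = {"edit_page", "commit"}  # linked account must have signed the CLA


def normalize_identifier(claimed):
    """Canonicalize a URL identifier before lookup (scheme/host case, missing
    scheme, empty path, fragment). Raises ValueError for anything else."""
    claimed = claimed.strip()
    if "://" not in claimed:
        claimed = "http://" + claimed  # OpenID 2.0 default for bare hostnames
    parts = urlsplit(claimed)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an HTTP(S) identifier")
    if parts.username or parts.password:
        raise ValueError("userinfo not allowed")
    host = parts.hostname  # already lowercased by urlsplit
    if parts.port:
        host = "%s:%d" % (host, parts.port)
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))


def authorize(verified_identifier, action):
    """Policy check for an identifier whose assertion was ALREADY verified with
    its provider. Returns (allowed, linked_fas_account_or_None)."""
    try:
        ident = normalize_identifier(verified_identifier)
    except ValueError:
        return (False, None)
    account = LINKED_IDENTITIES.get(ident)
    if action in OPEN_ACTIONS:
        return (True, account)
    if account is None:
        return (False, None)  # unregistered identity: nothing beyond open tier
    if action in LINKED_ACTIONS:
        return (True, account)
    if action in CLA_ACTIONS:
        return (account in CLA_SIGNED, account)
    return (False, account)  # unknown actions are denied by default
```

The `http://` and `https://` forms of the same host are deliberately treated as different identities, so a registration made over https is not matched by an assertion for the plain-http URL.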