Hey Paul,
some valid points indeed but let me inline some of my thoughts. read on.
On Sun, Mar 23, 2008 at 10:37 PM, Paul Schmehl [EMAIL PROTECTED] wrote:
--On March 23, 2008 2:52:53 PM + Petko D. Petkov
[EMAIL PROTECTED] wrote:
First of all, OpenID is a very simple but rather
dear reepex,
every single time. :) yet another proof that you are a troll. why don't
you come up with something constructive for a change? the email thread
reads OpenID. The future of authentication on the web? not how to
troll full-disclosure, reepex style. FYI, do your research and
show
Petko D. Petkov wrote:
As I said, if you don't trust public OpenID providers, roll your own.
It is very, very, very easy.
You seem to miss one point, in the current online environment you are
not talking about 5 or 6 id/credentials but more like 20 to 30.
(remember each blog you post to,
Indeed but this can be a subsystem, a feature of the OpenID provider.
For example, some OpenID providers have the feature to choose
different persons depending on the usage. So it will be easier to
safeguard a persona within one openid provider. So for example, in my
current OpenID setup I have
agree :)
On Mon, Mar 24, 2008 at 10:50 AM, Gorn [EMAIL PROTECTED] wrote:
Petko D. Petkov wrote:
Indeed but this can be a subsystem, a feature of the OpenID provider.
For example, some OpenID providers have the feature to choose
different persons depending on the usage. So it will be
The correct solution, IMO, would be an encrypted password vault,
stored on a USB drive and only available through the use of a password
and some other form of identification (biometric, etc.)
What about kiosks and other situations where it wouldn't be secure to
allow arbitrary people to
Let's put it this way,
It is easy to prevent phishing attacks against OpenID on the
client-side with browser extensions. In fact, I think that Firefox
will make this feature a default in their upcoming versions. It could
work exactly the same as the current trusted certificate authorities
every
Let's be realistic here. It's not about the technical
feasibility, it's about an open standard people trust
and have bought into. This is what Information Cards
are in my mind, much the same as OpenID.
Sure you could go out and create an extension to serve
the same purpose in your own way, but
I would disagree. One could simply create a template password and then salt
it with some acronym for the site in question.
For instance, S0m3p4ss!### where ### is a 3-letter acronym for the site they
are accessing. Still need only one password to remember and you don't
necessarily have a single
For instance, S0m3p4ss!### where ### is a 3-letter acronym for the
site they are accessing. Still need only one password to remember and
you don't necessarily have a single point of 0wnership anymore.
I've never understood this strategy. Once I compromise your
S0m3p4ss!ama password for
For the automated low-hanging fruit attacks, they won't crack. They're
simply trawling for passwords and rarely do they even think to cross-check.
For someone to spend the kind of thought and attention the victim has to be
specifically targeted.
Now, to be fair, I only advocate that strategy
--On Monday, March 24, 2008 09:13:38 + Petko D. Petkov
[EMAIL PROTECTED] wrote:
Yes, and convenience is often the enemy of security.
Not always. I think complexity is the enemy of security. The simpler
the system is the less chance to screw up, the more secure it is. It
is much easier
Well in my case it's easy... how many people do you know named John Bambenek
(my father doesn't count)? :)
I was just speaking about passwords in that case, presumably people can
remember their email addresses.
On Mon, Mar 24, 2008 at 10:17 AM, Petko D. Petkov
[EMAIL PROTECTED] wrote:
what
on your last comment,
OpenID is exactly designed for that! To give the power back to the user!
On Mon, Mar 24, 2008 at 3:10 PM, Paul Schmehl [EMAIL PROTECTED] wrote:
--On Monday, March 24, 2008 09:13:38 + Petko D. Petkov
[EMAIL PROTECTED] wrote:
Yes, and convenience is often the
I'm not saying OpenID is more convenient and has benefits... I was just
saying there are conventions to make passwords unique per-site.
So if you don't mind getting past the single point of 0wnership, then OpenID
is good to go. Me, I don't trust technology.
On Mon, Mar 24, 2008 at 10:27 AM,
When it comes to IT... the user is the *last* person I want empowered.
On Mon, Mar 24, 2008 at 10:21 AM, Petko D. Petkov
[EMAIL PROTECTED] wrote:
on your last comment,
OpenID is exactly designed for that! To give the power back to the user!
On Mon, Mar 24, 2008 at 3:10 PM, Paul Schmehl
as I said, some websites ask you for a username regardless of whether
that will be an email address. and unfortunately a username is not
unique throughout the Web. which means that if your username is
john-bambenek on one system it could be completely different on
another system due to the fact that
comments inlined
On Mon, Mar 24, 2008 at 3:10 PM, Paul Schmehl [EMAIL PROTECTED] wrote:
--On Monday, March 24, 2008 09:13:38 + Petko D. Petkov
[EMAIL PROTECTED] wrote:
Yes, and convenience is often the enemy of security.
Not always. I think complexity is the enemy of
what about usernames? you still need to keep track of your usernames
since sometimes your preferred username is either taken or not
possible or you need to login via email or any other peculiarity the
site supports.
On Mon, Mar 24, 2008 at 2:43 PM, John C. A. Bambenek, GCIH, CISSP
[EMAIL
Wanted the below to go to the list.
-
Abe Getchell
[EMAIL PROTECTED]
http://abegetchell.com/
Forwarded Message
From: Abe Getchell [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: Paul Schmehl [EMAIL PROTECTED]
Subject: Re: [Full-disclosure] OpenID. The future of
Hello list,
I'm curious what the group thinks about the recent
surge in support for OpenID across the web and the
impact it will have.
1) Beemba - http://www.beemba.com
2) ClaimID - http://www.claimid.com
3) MyOpenID - http://www.myopenid.com
4) Many others...
These sites are gaining in
--On Sunday, March 23, 2008 5:18 AM -0700 Steven Rakick
[EMAIL PROTECTED] wrote:
Hello list,
I'm curious what the group thinks about the recent
surge in support for OpenID across the web and the
impact it will have.
1) Beemba - http://www.beemba.com
2) ClaimID - http://www.claimid.com
There're more complications: whoever owns/controls the service can track
your movements between different web places, profiling your common
habits/preferences. How long before banners follow your navigation
through different websites where you use the same identity token?
CtrlAltCa
Paul
OpenID represents (at least to the OSS world) the unified login structure
that has been the proprietary advantage of Microsoft for so long. This will
be an excellent technology for business to use internally (who control their
own servers and services). It allows the capabilities of Single Sign
Hi Steven,
I guess most 1337 hax0rs will flame you on this list. There are good
security blogs you can follow and learn from instead. Full-disclosure
is for rants and bashing only!
I can point you to some articles that I wrote regarding OpenID,
however, let me share my thoughts quickly as that
that's right pdp - go run to your protected lists and blogs where you don't
have to hear anything negative and where you can flame people without
contest who talk against you.
you are another Bill O'Reilly and everyone thinks of you as such. enjoy your
sheep.
On Sun, Mar 23, 2008 at 9:52 AM,
--On March 23, 2008 2:52:53 PM + Petko D. Petkov
[EMAIL PROTECTED] wrote:
First of all, OpenID is a very simple but rather useful technology.
With OpenID you have only one account, your ID, which you can use
everywhere where the OpenID technology is supported. It is not clear
whether
It's worth pointing out that some OpenID providers are better than
others. An OpenID provider could implement 2-factor authentication, and
some have
(http://www.infrastructure.ziffdavisenterprise.com/c/a/Blogs/OpenID-In-Hardware/), or other features which could strengthen it.
Larry Seltzer
Many of you have brought up that OpenID is vulnerable
to phishing and have highlighted weaknesses specific to
traditional username/password authentication.
This was the main reason I brought up Information Cards
in my original post. I've noticed that Beemba
(http://www.beemba.com) and MyOpenID
--On March 23, 2008 4:16:28 PM -0700 Steven Rakick
[EMAIL PROTECTED] wrote:
Many of you have brought up that OpenID is vulnerable
to phishing and have highlighted weaknesses specific to
traditional username/password authentication.
This was the main reason I brought up Information Cards
in my
--On March 23, 2008 7:20:55 PM -0400 Larry Seltzer
[EMAIL PROTECTED] wrote:
It's worth pointing out that some OpenID providers are better than
others. An OpenID provider could implement 2-factor authentication, and
some have
On 3/23/08, Larry Seltzer [EMAIL PROTECTED] wrote:
I understand the attractiveness of not having to remember lots of IDs
and passwords, but when you give up control of your data, you give up
control of your future.
Normal people aren't going to remember enough passwords, let alone
strong
I'm not sure why it isn't on their home page any more.
It used to be. Their FAQ is at:
http://www.beemba.com/faq.aspx.
On Sun, Mar 23, 2008 at 8:46 PM, Paul Schmehl
[EMAIL PROTECTED] wrote:
--On March 23, 2008 8:04:41 PM -0400 Larry Seltzer
[EMAIL PROTECTED] wrote:
I understand the