On Thu, May 29, 2008 at 12:07:43PM +0200, Till Maas wrote:
> On Thu May 29 2008, Mike McGrath wrote:
> > Hey guys, so the last little bits are in good shape for the OpenID
> > provider we're attempting to be. Don't go announcing this to others yet.
> > Let's test it out; if it breaks something, let us know. We'll be announcing
> > it officially soon. You can, for example, log in to livejournal.com with:
>
> The login to livejournal worked for me, too. But after I have seen how it
> works, I think it is too insecure to use the FAS password for authentication.
> This makes it pretty easy for any OpenID user to get the FAS password,
> because instead of really forwarding someone to the FAS homepage, one could
> just present the FAS login form to get the password. Here is an interesting
> blog article about security considerations wrt. OpenID:
> http://idcorner.org/2007/08/22/the-problems-with-openid/

A possible solution to the phishing issue might be to only allow SSL client
auth and not a login/password for a.fp.org/accounts/openid/login. This doesn't
stop the phishing site asking for a password, but the difference might be
enough for the user to notice that something is wrong.

I am not sure that I see any value in OpenID in any case; there are very few
OpenID consumers that I know about.

Kostas

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
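As an added illustration of the mitigation Kostas proposes (not code from the thread or from the Fedora infrastructure project): a minimal provider login endpoint that authenticates the user from a TLS client certificate and refuses password POSTs outright. The endpoint path is the one named in the thread; the listening address, the certificate and key file names, and the use of the certificate's commonName as the account name are assumptions for the example.

```python
import ssl
from http.server import HTTPServer, BaseHTTPRequestHandler

# Path from the thread; the host/port below are assumed for the example.
LOGIN_PATH = "/accounts/openid/login"


def identity_from_peer_cert(cert):
    """Return the subject commonName from an ssl.SSLSocket.getpeercert()
    dict, or None if no client certificate was presented.

    getpeercert() returns the subject as a tuple of RDNs, each a tuple of
    (attribute, value) pairs, e.g.
        {'subject': ((('commonName', 'till'),),), ...}
    Mapping CN -> account name is an assumption of this example.
    """
    if not cert:
        return None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def build_server_context(certfile, keyfile, client_ca):
    """TLS context that refuses the handshake unless the client presents a
    certificate signed by client_ca. File names are example placeholders."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_verify_locations(client_ca)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


class OpenIDLoginHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        # No password form is ever accepted on the login path, so a cloned
        # FAS login form has nothing real to imitate or harvest.
        if self.path == LOGIN_PATH:
            self.send_error(405, "password login disabled; use client certificate")
        else:
            self.send_error(404)

    def do_GET(self):
        if self.path != LOGIN_PATH:
            self.send_error(404)
            return
        # With CERT_REQUIRED the handshake already failed if no certificate
        # was offered; this check is defence in depth for other contexts.
        user = identity_from_peer_cert(self.connection.getpeercert())
        if user is None:
            self.send_error(403, "client certificate required")
            return
        body = f"authenticated as {user} via TLS client certificate\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    httpd = HTTPServer(("127.0.0.1", 8443), OpenIDLoginHandler)
    ctx = build_server_context("server.crt", "server.key", "client-ca.crt")
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()
```

Run it with a server certificate and a CA that issued the users' client certificates; a browser without a matching certificate is rejected at the handshake, and a phishing page that shows a password form is asking for something the real endpoint never asks for, which is the visible difference Kostas hopes users would notice.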