Re: OpenID

On Thu, May 29, 2008 at 12:07:43PM +0200, Till Maas wrote:

> On Thu May 29 2008, Mike McGrath wrote:
> > Hey guys, so the last little bits are in good shape for the OpenID
> > provider we're attempting to be.  Don't go announcing this to others yet.
> > Let's test it out, if it breaks something let us know.  We'll be announcing
> > it officially soon.  You can, for example, log in to livejournal.com with:
> 
> The login to livejournal worked for me, too. But after I have seen how it 
> works, I think it is too insecure to use the FAS password for authentication. 
> This makes it pretty easy for any openid user to get the FAS password, 
> because instead of really forwarding someone to the FAS homepage, one could 
> just present the FAS login form to get the password. Here is an interesting 
> blog article about security considerations wrt. openid:
> http://idcorner.org/2007/08/22/the-problems-with-openid/

A possible solution to the phishing issue might be to only allow SSL
client auth and not a login/password for a.fp.org/accounts/openid/login.
This doesn't stop the phishing site asking for a password, but the
difference might be enough for the user to notice that something is
wrong.

I am not sure that I see any value in OpenID in any case; there are very
few OpenID consumers that I know about.

Kostas 

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
