On Thu, May 29, 2008 at 9:01 AM, Jeffrey Ollie <jeff@xxxxxxxxxx> wrote:
> 2008/5/29 Till Maas <opensource@xxxxxxxxx>:
>> Here is an interesting blog article about security considerations wrt. openid:
>> http://idcorner.org/2007/08/22/the-problems-with-openid/
>
> While I don't have any specific replies to the issues that Stefan
> Brand points out in that article (I'm too new at the OpenID game), it
> should be noted that Stefan is the owner of a company that is
> developing a competing patented[1] technology that recently sold out
> to Microsoft[2]. However, David Recordon does have a rebuttal of
> Stefan's points[3].
>
> [1] http://www.credentica.com/patent_portfolio.html
> [2] http://idcorner.org/2008/03/06/microsoft-acquires-credenticas-u-prove-technology/
> [3] http://daveman692.livejournal.com/310578.html

I wouldn't dismiss his comments because of who he sold his patented technology to until people on the infrastructure team more familiar with OpenID and the security risks associated with it (I'm not that person either :-) ) have reviewed the article for merit. Stefan does post a follow-up comment to the David Recordon post.

It seems people are divided on the security OpenID does or does not provide. It also seems to me an area where, if OpenID is implemented, there should be some people on the infrastructure team that understand the nuances of any security issues related to OpenID. We may have those people on the team already - in which case hearing their opinion on some of these articles would be useful.

> The phishing problem isn't unique to OpenID.

No, it isn't unique to OpenID - but it is certainly an area we should take into account before implementing OpenID.

With all of that said - I like the OpenID idea. And we run other services that have potential exposure to security issues (ssh, just our normal FAS logins, etc.) - but we do make efforts to protect those services to the best of our ability to reduce our risk.

I think we should do the same with an OpenID implementation. Sure, the Infrastructure team can get OpenID to work; we just need to be sure someone also makes sure we have evaluated potential security concerns and addressed them when deemed appropriate. We may already have that person on the team - or we may need to spend the time to study some of the issues pointed out and determine if they are a valid risk and, if so, how do we protect against it.

~Jeffrey

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list