Open ID
Moderator: General Moderators
- Ollie Saunders
- DevNet Master
- Posts: 3179
- Joined: Tue May 24, 2005 6:01 pm
- Location: UK
Open ID
Wouldn't it be nice if DevNet allowed Open ID logins.
Is there any chance this would be allowed/possible?
Last edited by Ollie Saunders on Mon Jun 11, 2007 2:46 pm, edited 1 time in total.
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
Looks like shibboleth. I personally see these things as a major security risk. Lose your password to a thief and they have access to all sites which use it and this number seems to be growing. I also don't like the idea of a 3rd-party dealing with my authentication process. We've had a lot of schools asking us to change our authentication procedure to use this even though a login to our system provides potentially very sensitive student data. We've opted not to use it for the same reasons I just mentioned. Don't put all your eggs in one basket.
EDIT | My post is confusing. By "our", I was referring to my job.
- Ollie Saunders
- DevNet Master
- Posts: 3179
- Joined: Tue May 24, 2005 6:01 pm
- Location: UK
Is it really that insecure? Surely considering the stakes you have just mentioned Open ID providers would be highly conscious of all security issues. Also we don't know that PHP BB's login is safe. I'm quite sure I could spoof a few passwords if I wanted to given the user list is publicly available. <disclaimer>Not that I would do such a thing or have ever in the past.</disclaimer>
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
I wasn't referring to "breaking" their security. I was referring to the implication of leaked passwords having a far greater impact when that password gets you onto multiple systems. I actually hadn't noticed the thread ~feyd pointed to, so I apologise for giving seemingly conflicting views with what was discussed in that thread.
- Ollie Saunders
- DevNet Master
- Posts: 3179
- Joined: Tue May 24, 2005 6:01 pm
- Location: UK
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
- Kieran Huggins
- DevNet Master
- Posts: 3635
- Joined: Wed Dec 06, 2006 4:14 pm
- Location: Toronto, Canada
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
Agreed. Theoretically speaking, the strength of your OpenID is as strong as the ownership of your URL is. If the URL you're using is provided by a third-party provider like Verizon SPIP, you are trusting their security (including password). If you roll your own URL, you have complete control over your identity: it is your system that is responsible for keeping the password secure, etc. It also makes changing the password after a hijacking much easier.
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
Ho hum 
OpenID is a decentralised system. You can host your own server on your own domain and use it to authenticate yourself. The only real issue with OpenID which makes a third party more attractive is that you need to retain your domain. If you lose it, your identity is lost. If you do trust a third party you can still use your domain (or any subdomain) as an alias (you can have any number of personal aliases pointing to the same 3rd party id root) with the advantage it's not tied to a specific personal domain indefinitely. An alias only requires an embedded meta tag in a domain's index page.
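The alias mechanism described in the post above, seen from the relying site's side, as an added example that is not part of the original thread: in OpenID 1.1 and 2.0 HTML discovery the alias is expressed as `<link>` elements in the page's `<head>`, and this sketch reads them from a constructed page, ignores any placed outside `<head>`, and flags endpoints that are not HTTPS. The host names and the `discover`/`audit` helpers are assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

RELS = {"openid.server", "openid.delegate", "openid2.provider", "openid2.local_id"}

class _HeadLinks(HTMLParser):
    """Collect OpenID <link> elements, honouring only those inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False  # an unclosed <head> ends where <body> starts
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                if rel in RELS and a.get("href"):
                    self.found.setdefault(rel, a["href"].strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(html):
    """Return {rel: href} for the OpenID links found in <head>."""
    parser = _HeadLinks()
    parser.feed(html)
    return parser.found

def audit(html):
    """Return (links, findings) for an alias page's delegation markup."""
    links, findings = discover(html), []
    pairs = [("openid.server", "openid.delegate"), ("openid2.provider", "openid2.local_id")]
    if not any(server in links for server, _ in pairs):
        findings.append("no provider endpoint in <head>: page is not an OpenID alias")
    for server, local in pairs:
        if local in links and server not in links:
            findings.append(f"{local} present without {server}")
    for rel, href in links.items():
        if urlparse(href).scheme != "https":
            findings.append(f"{rel} is not https: {href}")
    return links, findings

# Constructed index page: delegation in <head>, plus a stray link in the body.
SAMPLE = """<html><head><title>alice</title>
<link rel="openid.server" href="http://provider.example/server">
<link rel="openid.delegate" href="https://alice.provider.example/">
</head><body><link rel="openid.server" href="https://other.example/server"></body></html>"""
```

Whoever can edit the `<head>` of the alias page decides which provider answers for that identity, so the index page needs the same protection as the account itself.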
- Ollie Saunders
- DevNet Master
- Posts: 3179
- Joined: Tue May 24, 2005 6:01 pm
- Location: UK
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm