Open ID

Should Open ID be one of the available login options for DevNet?

Poll ended at Sat Jun 16, 2007 2:46 pm

Yes: 3 votes (75%)
No: 1 vote (25%)

Total votes: 4

Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Open ID

Post by Ollie Saunders »

Wouldn't it be nice if DevNet allowed Open ID logins?
Is there any chance this would be allowed/possible?
Last edited by Ollie Saunders on Mon Jun 11, 2007 2:46 pm, edited 1 time in total.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Looks like shibboleth. I personally see these things as a major security risk. Lose your password to a thief and they have access to all sites which use it and this number seems to be growing. I also don't like the idea of a 3rd-party dealing with my authentication process. We've had a lot of schools asking us to change our authentication procedure to use this even though a login to our system provides potentially very sensitive student data. We've opted not to use it for the same reasons I just mentioned. Don't put all your eggs in one basket.

EDIT | My post is confusing. By "our", I was referring to my job.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

We've been discussing this in one form or another for some time. In fact, I think it's been mentioned to the "public" before.

:)

The references I can verify are in Project PU. To access them you will need to be in the Revival Corp user group.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

Is it really that insecure? Surely considering the stakes you have just mentioned Open ID providers would be highly conscious of all security issues. Also we don't know that PHP BB's login is safe. I'm quite sure I could spoof a few passwords if I wanted to given the user list is publicly available. <disclaimer>Not that I would do such a thing or have ever in the past.</disclaimer>
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

I wasn't referring to "breaking" their security. I was referring to the implication of leaked passwords having a far greater impact when that password gets you onto multiple systems. I actually hadn't noticed the thread ~feyd pointed to, so I apologise for giving seemingly conflicting views with what was discussed in that thread.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

I've yet to be approved as a member of that group so I can't see the thread.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

I just had a look to see if I could approve you but I can't because I'm not an admin, sorry :( We'll have to wait for ~feyd, ~Burrito or ~Jaybird to pick up the list :)
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

I'd vote against open id, or at least opt out.
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

Isn't the point of openID that you're in control of your own security?

I'd vote for openID support, but not as a replacement for the standard login.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Agreed. Theoretically speaking, the strength of your OpenID is as strong as the ownership of your URL is. If the URL you're using is provided by a third-party provider like Verizon SPIP, you are trusting their security (including password). If you roll your own URL, you have complete control over your identity: it is your system that is responsible for keeping the password secure, etc. It also makes changing the password after a hijacking much easier.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Ho hum ;)

OpenID is a decentralised system. You can host your own server on your own domain and use it to authenticate yourself. The only real issue with OpenID which makes a third party more attractive is that you need to retain your domain. If you lose it, your identity is lost. If you do trust a third party you can still use your domain (or any subdomain) as an alias (you can have any number of personal aliases pointing to the same 3rd party id root) with the advantage it's not tied to a specific personal domain indefinitely. An alias only requires an embedded meta tag in a domain's index page.
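
How the alias mechanism discussed above looks to a relying party, as an added example that is not part of the original post: OpenID's HTML discovery reads `<link>` elements (`openid.server` and `openid.delegate` in 1.1, `openid2.provider` and `openid2.local_id` in 2.0) from the page's `<head>`, so whoever can edit that page controls the identity. The domains, the `SAMPLE` page and the `audit` policy are constructed for illustration.

```python
from html.parser import HTMLParser

# rel values from OpenID 1.1 / 2.0 HTML discovery, mapped to one role each
OPENID_RELS = {"openid.server": "server", "openid2.provider": "server",
               "openid.delegate": "delegate", "openid2.local_id": "delegate"}

# Constructed index page for a hypothetical alias domain. The second
# openid.server link sits in <body> and must not be honoured.
SAMPLE = """<html><head><title>me</title>
<link rel="openid.server" href="https://openid.example.net/server">
<link rel="openid.delegate" href="https://alice.openid.example.net/">
</head><body>
<link rel="openid.server" href="https://other.example/server">
</body></html>"""

class _HeadLinks(HTMLParser):
    """Collect OpenID <link> tags, but only those inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = a.get("href")
            # rel may carry several space-separated values
            for rel in (a.get("rel") or "").lower().split():
                if rel in OPENID_RELS and href:
                    self.found.setdefault(OPENID_RELS[rel], href)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def discover(html):
    """Return the server/delegate URLs a relying party would read from the page."""
    parser = _HeadLinks()
    parser.feed(html)
    return parser.found

def audit(html, expected_server):
    """Assumed owner-side check: does the alias still point at the provider you chose?"""
    found = discover(html)
    if "server" not in found:
        return "no-delegation"
    if not found["server"].startswith("https://"):
        return "insecure-endpoint"
    return "ok" if found["server"] == expected_server else "unexpected-provider"
```

Running `audit` against your own index page on a schedule catches a changed delegation target, which is the page-level equivalent of someone changing your password.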
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

I added a poll.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

:?

I've been following this thread since yesterday hoping for a hint as to what OpenID was. I'm clueless.
guitarlvr
Forum Contributor
Posts: 245
Joined: Wed Mar 21, 2007 10:35 pm

Post by guitarlvr »

superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Grr. Damned 56k.

Basically, you can use it to store your passwords somewhere else and login...? (I couldn't see the whole thing... Just right up to the part where he was about to login to something.)