Open ID

Posted: Sun Jun 10, 2007 7:01 am
by Ollie Saunders
Wouldn't it be nice if DevNet allowed Open ID logins.
Is there any chance this would be allowed/possible?

Posted: Sun Jun 10, 2007 7:08 am
by Chris Corbyn
Looks like shibboleth. I personally see these things as a major security risk. Lose your password to a thief and they have access to all sites which use it and this number seems to be growing. I also don't like the idea of a 3rd-party dealing with my authentication process. We've had a lot of schools asking us to change our authentication procedure to use this even though a login to our system provides potentially very sensitive student data. We've opted not to use it for the same reasons I just mentioned. Don't put all your eggs in one basket.

EDIT | My post is confusing. By "our", I was referring to my job.

Posted: Sun Jun 10, 2007 7:24 am
by feyd
We've been discussing this in one form or another for some time. In fact, I think it's been mentioned to the "public" before.

:)

The references I can verify are in Project PU. To access them you will need to be in the Revival Corp user group.

Posted: Sun Jun 10, 2007 11:16 am
by Ollie Saunders
Is it really that insecure? Surely considering the stakes you have just mentioned Open ID providers would be highly conscious of all security issues. Also we don't know that PHP BB's login is safe. I'm quite sure I could spoof a few passwords if I wanted to given the user list is publicly available. <disclaimer>Not that I would do such a thing or have ever in the past.</disclaimer>

Posted: Sun Jun 10, 2007 11:38 am
by Chris Corbyn
I wasn't referring to "breaking" their security. I was referring to the implication of leaked passwords having a far greater impact when that password gets you onto multiple systems. I actually hadn't noticed the thread ~feyd pointed to, so I apologise for giving seemingly conflicting views with what was discussed in that thread.

Posted: Sun Jun 10, 2007 12:40 pm
by Ollie Saunders
I've yet to be approved as a member of that group so I can't see the thread.

Posted: Sun Jun 10, 2007 12:49 pm
by Chris Corbyn
I just had a look to see if I could approve you but I can't because I'm not an admin, sorry :( We'll have to wait for ~feyd, ~Burrito or ~Jaybird to pick up the list :)

Posted: Sun Jun 10, 2007 1:00 pm
by Benjamin
I'd vote against open id, or at least opt out.

Posted: Sun Jun 10, 2007 3:38 pm
by Kieran Huggins
Isn't the point of openID that you're in control of your own security?

I'd vote for openID support, but not as a replacement for the standard login.

Posted: Sun Jun 10, 2007 10:08 pm
by Ambush Commander
Agreed. Theoretically speaking, the strength of your OpenID is as strong as the ownership of your URL is. If the URL you're using is provided by a third-party provider like Verizon SPIP, you are trusting their security (including password). If you roll your own URL, you have complete control over your identity: it is your system that is responsible for keeping the password secure, etc. It also makes changing the password after a hijacking much easier.

Posted: Mon Jun 11, 2007 6:25 am
by Maugrim_The_Reaper
Ho hum ;)

OpenID is a decentralised system. You can host your own server on your own domain and use it to authenticate yourself. The only real issue with OpenID which makes a third party more attractive is that you need to retain your domain. If you lose it, your identity is lost. If you do trust a third party you can still use your domain (or any subdomain) as an alias (you can have any number of personal aliases pointing to the same 3rd party id root) with the advantage it's not tied to a specific personal domain indefinitely. An alias only requires an embedded meta tag in a domain's index page.
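An added example, not part of this thread or of DevNet's own code, of what that alias looks like from the side of the site doing the login: the relying party fetches the page at the claimed URL and reads its OpenID link tags to learn which provider to send the user to, which is exactly why keeping control of the domain matters. Hostnames such as alice.example and provider.example are placeholders.

```python
# Added example (not from the thread): relying-party side of the OpenID "alias",
# i.e. HTML-based discovery. All hostnames below are placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse

class _OpenIDLinks(HTMLParser):
    """Collect the href of every <link rel="openid..."> inside <head>."""
    def __init__(self):
        super().__init__()
        self.links, self._in_head = {}, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "head":
            self._in_head = True
        elif tag == "link" and self._in_head and a.get("href"):
            for rel in (a.get("rel") or "").lower().split():  # rel may hold several tokens
                if rel.startswith("openid"):
                    self.links[rel] = a["href"]

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False

def discover(identity_url, page):
    """Return {"version", "endpoint", "local_id"} for an identity page, or None.
    1.1 uses openid.server/openid.delegate, 2.0 openid2.provider/openid2.local_id;
    without a delegate tag the claimed URL itself is the id sent to the provider."""
    p = _OpenIDLinks()
    p.feed(page)
    L = p.links
    if "openid2.provider" in L:
        out = {"version": 2, "endpoint": L["openid2.provider"],
               "local_id": L.get("openid2.local_id", identity_url)}
    elif "openid.server" in L:
        out = {"version": 1, "endpoint": L["openid.server"],
               "local_id": L.get("openid.delegate", identity_url)}
    else:
        return None
    # Only an absolute http(s) endpoint is usable; anything else means a broken
    # or tampered page, so discovery fails closed rather than guessing.
    if urlparse(out["endpoint"]).scheme not in ("http", "https"):
        return None
    return out

# Constructed identity page: alice.example aliases a third-party provider.
ALIAS_PAGE = """<html><head><title>Alice</title>
<link rel="openid.server" href="https://provider.example/openid/server">
<link rel="openid.delegate" href="https://provider.example/user/alice">
</head><body>Hi</body></html>"""
```

Whoever can edit the page at the claimed URL decides where logins for that identity are sent, so the identity is only as safe as the hosting and the domain registration behind it.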

Posted: Mon Jun 11, 2007 2:47 pm
by Ollie Saunders
I added a poll.

Posted: Mon Jun 11, 2007 3:32 pm
by superdezign
:?

I've been following this thread since yesterday hoping for a hint as to what OpenID was. I'm clueless.

Posted: Mon Jun 11, 2007 3:40 pm
by guitarlvr

Posted: Mon Jun 11, 2007 4:08 pm
by superdezign
Grr. Damned 56k.

Basically, you can use it to store your passwords somewhere else and login...? (I couldn't see the whole thing... Just right up to the part where he was about to login to something.)