gnuherds-app-dev

Re: OpenID


From: MJ Ray
Subject: Re: OpenID
Date: Mon, 02 Jun 2008 12:26:41 +0100
User-agent: Heirloom mailx 12.2 01/07/07

"Antenore Gatta" <address@hidden> wrote:
> On Mon, Jun 2, 2008 at 9:27 AM, Davi Leal <address@hidden> wrote:
> > > Proposed roadmap:
> > >   5. Analyze the OpenID idea.
> > >      It was task: http://savannah.nongnu.org/task/?6782
> >
> > I propose the project do not use any OpenID shared identity services. If
> > nobody disagrees we should close such task adding a reference to the below
> > rationale:
>
> I disagree, this point must be discussed, because it's not true that OpenID
> is not secure at all and it's not true that OpenID is safe at all.
[...]
> Gnuherds can always choose a limited number of OpenID providers, as soon as
> we will discover one of these providers has been exploited, we can remove it
> from the list.

Generally, I agree with Antenore on this - OpenID is probably more
secure than only accepting GNUHerds Cookie authentication.  I control
my OpenID server, usually remember its password and will probably
notice any strange behaviour from it (it logs where I've logged in,
for example), whereas for many other sites, I either have their
passwords saved in something like Mozilla Personal Security Manager or
frequently request password resets, neither of which are as secure, in
my opinion.

Could we simply hold unknown OpenID providers for approval and build
whitelists and blacklists over time?

Regards,
-- 
MJ Ray (slef)
Webmaster for hire, statistician and online shop builder for a small
worker cooperative http://www.ttllp.co.uk/ http://mjr.towers.org.uk/
(Notice http://mjr.towers.org.uk/email.html) tel:+44-844-4437-237
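
The hold-for-approval idea from this message, together with the removal of compromised providers from the quoted reply, as an added sketch that is not part of the original thread and is not GNUHerds code. It assumes the relying party's OpenID library has already discovered the provider endpoint URL for the claimed identifier; the class, its method names and the hostnames are hypothetical.

```python
from urllib.parse import urlsplit

ALLOW, DENY, HOLD = "allow", "deny", "hold"

class ProviderPolicy:
    """Allowlist/denylist of OpenID provider hosts plus a pending-approval queue."""

    def __init__(self, allowed=(), denied=()):
        self.allowed = {h.lower() for h in allowed}
        self.denied = {h.lower() for h in denied}
        self.pending = {}  # host -> claimed identifiers waiting for an admin decision

    @staticmethod
    def host_of(endpoint):
        """Normalized host of a discovered endpoint URL, or None if it is unusable."""
        try:
            parts = urlsplit(endpoint.strip())
            host = parts.hostname
        except ValueError:
            return None
        # Reject non-web schemes and userinfo tricks such as https://good@evil/.
        if parts.scheme not in ("http", "https") or not host or "@" in parts.netloc:
            return None
        return host.rstrip(".").lower()

    def decide(self, endpoint, claimed_id):
        """Compare the exact host only; substring or prefix matching would let
        openid.example.org.evil.test pass as openid.example.org."""
        host = self.host_of(endpoint)
        if host is None or host in self.denied:  # the denylist always wins
            return DENY
        if host in self.allowed:
            return ALLOW
        self.pending.setdefault(host, set()).add(claimed_id)
        return HOLD  # unknown provider: no login until an admin approves it

    def approve(self, host):
        """Admin accepts a provider; returns the identifiers that were waiting."""
        host = host.lower()
        self.denied.discard(host)
        self.allowed.add(host)
        return self.pending.pop(host, set())

    def revoke(self, host):
        """Provider found to be compromised: move it to the denylist."""
        host = host.lower()
        self.allowed.discard(host)
        self.pending.pop(host, None)
        self.denied.add(host)
```

The decision has to be made on the endpoint the relying party discovered and verified the assertion against, never on a provider name typed by the user.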



