[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Savannah-users] OpenID security? Is it a joke?

From: Davi Leal
Subject: Re: [Savannah-users] OpenID security? Is it a joke?
Date: Sat, 1 Aug 2009 00:44:14 +0100
User-agent: KMail/1.9.9

Sylvain Beucler wrote:
> Davi wrote:
> > Karl Goetz wrote:
> > > OpenID consumer support?
> >
> > No, please!  It is weak in security. I would like do not have to repeat
> > here the discussion with dachary at IRC about the security weakness of
> > the OpenID standard.
> >
> > Please, do not build infrastructures on weak bases!

> - when things are moving off-topic, please change the subject

I was not talking about single sign-on, because in the proposed solution users 
have to authenticate in each webapp, even if they are already authenticated 
in another one.

The proposed integration solution was just to enable a user Savannah user the 
GNU Herds webapp without registering. The can just login directly using the 
same Savannah authentication data and the GNU Herds webapp will autoregister 

 Definition: "Single sign-on (SSO) is a property of access control
              of multiple, related, but independent software systems.
              With this property a user logs in once and gains access
              to all systems without being prompted to log in again
              at each of them."


> - back up your claims
> Last time I discussed OpenID I understood it was an evolving
> technology, so facts from 1 or 2 years ago probably don't apply
> anymore, and was otherwise secure. AFAIU the main weakness would be a
> use of shared-key cryptography on the first sp<->idp connection - are
> you refering to that?.

Read . Please read 
references too. You ask for information, so read and understand all them.

That is because a private and encrypted communication channel (VPN) is the 
best to avoid this issues.

With the VPN you avoid man-in-the-middle attacks.  There are lot of attacks 
paths being the basic one based on the DNS service weakness.  I hope do not 
have to explain all the security involved knowled because it is a lot to 

Do you know any bank which offer OpenID as authentication mechanism? Realize a 
good analysis please.

I could be mistaken, as usual. Please let me know.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]