Jeffrey Ollie jeff at
Thu May 29 13:01:19 UTC 2008

2008/5/29 Till Maas <opensource at>:
> On Thu May 29 2008, Mike McGrath wrote:
>> Hey guys, so the last little bits are in good shape for the OpenID
>> provider we're attempting to be.  Don't go announcing this to others yet.
>> Lets test it out, if it breaks something let us know.  We'll be announcing
>> it officially soon.  You can, for example, log in to with:
> The login to livejournal worked for me, too. But after I have seen how it
> works, I think it is too insecure to use the FAS password for authentication.
> This makes it pretty easy for any openid user to get the FAS password,
> because instead of really forwarding someone to the FAS homepage, one could
> just present the FAS login form to get the password. Here is an interesting
> blog article about security considerations wrt. openid:

While I don't have any specific replies to the issues that Stefan
Brand points out in that article (I'm too new at the OpenID game), it
should be noted that Stefan is the owner of a company that is
developing a competing patented[1] technology that recently sold out
to Microsoft[2].  However, David Recordon does have a rebuttal of
Stefan's points[3].



More information about the Fedora-infrastructure-list mailing list