Kostas Georgiou k.georgiou at
Thu May 29 13:03:03 UTC 2008

On Thu, May 29, 2008 at 12:07:43PM +0200, Till Maas wrote:

> On Thu May 29 2008, Mike McGrath wrote:
> > Hey guys, so the last little bits are in good shape for the OpenID
> > provider we're attempting to be.  Don't go announcing this to others yet.
> > Let's test it out, if it breaks something let us know.  We'll be announcing
> > it officially soon.  You can, for example, log in to with:
> The login to livejournal worked for me, too. But after I have seen how it 
> works, I think it is too insecure to use the FAS password for authentication. 
> This makes it pretty easy for any openid user to get the FAS password, 
> because instead of really forwarding someone to the FAS homepage, one could 
> just present the FAS login form to get the password. Here is an interesting 
> blog article about security considerations wrt. openid:

A possible solution to the phishing issue might be to only allow ssl
client auth and not a login/password for
this doesn't stop the phishing site asking for a password but the
difference might be enough for the user to notice that something is

I am not sure that I see any value in OpenID in any case, there are very
few OpenID consumers that I know about.


More information about the Fedora-infrastructure-list mailing list