Jeffrey Tadlock linux at
Thu May 29 14:42:03 UTC 2008

On Thu, May 29, 2008 at 9:01 AM, Jeffrey Ollie <jeff at> wrote:
> 2008/5/29 Till Maas <opensource at>:
>> Here is an interesting
>> blog article about security considerations wrt. openid:
> While I don't have any specific replies to the issues that Stefan
> Brand points out in that article (I'm too new at the OpenID game), it
> should be noted that Stefan is the owner of a company that is
> developing a competing patented[1] technology that recently sold out
> to Microsoft[2].  However, David Recordon does have a rebuttal of
> Stefan's points[3].
> [1]
> [2]
> [3]

I wouldn't dismiss his comments because of who he sold his patented
technology to until people on the infrastructure team more familiar
with OpenID and the security risks associated with it (I'm not that
person either :-)  ) have reviewed the article for merit.  Stefan does
post a follow-up comment to the David Recordon post.

It seems people are divided on the security OpenID does or does not
provide.  It also seems to me an area where if OpenID is implemented
there should be some people on the infrastructure team that understand
the nuances of any security issues related to OpenID.  We may have
those people on the team already - in which case hearing their opinion
on some of these articles would be useful.

> The phishing problem isn't unique to OpenID.

No, it isn't unique to OpenID - but it is certainly an area we should
take into account before implementing OpenID.

With all of that said - I like the OpenID idea.  And we run other
services that have potential exposure to security issues (ssh, just
our normal FAS logins, etc) - but we do make efforts to protect those
services to the best of our ability to reduce our risk.  I think we
should do the same with an OpenID implementation.  Sure the
Infrastructure team can get OpenID to work, we just need to be sure
someone also makes sure we have evaluated potential security concerns
and addressed them when deemed appropriate.  We may already have that
person on the team - or we may need to spend the time to study some of
the issues pointed out and determine if they are a valid risk and if
so - how do we protect against it.


More information about the Fedora-infrastructure-list mailing list