OpenID

Kostas Georgiou k.georgiou at imperial.ac.uk
Thu May 29 13:03:03 UTC 2008


On Thu, May 29, 2008 at 12:07:43PM +0200, Till Maas wrote:

> On Thu May 29 2008, Mike McGrath wrote:
> > Hey guys, so the last little bits are in good shape for the OpenID
> > provider we're attempting to be.  Don't go announcing this to others yet.
> > Let's test it out; if it breaks something, let us know.  We'll be announcing
> > it officially soon.  You can, for example, log in to livejournal.com with:
> 
> The login to livejournal worked for me, too. But after I have seen how it
> works, I think it is too insecure to use the FAS password for authentication.
> This makes it pretty easy for any OpenID user to get the FAS password,
> because instead of really forwarding someone to the FAS homepage, one could
> just present the FAS login form to get the password. Here is an interesting
> blog article about security considerations wrt. OpenID:
> http://idcorner.org/2007/08/22/the-problems-with-openid/

A possible solution to the phishing issue might be to only allow SSL
client auth and not a login/password for a.fp.org/accounts/openid/login.
This doesn't stop the phishing site from asking for a password, but the
difference might be enough for the user to notice that something is
wrong.

I am not sure that I see any value in OpenID in any case; there are very
few OpenID consumers that I know about.

Kostas 
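The mitigation Kostas proposes, requiring a TLS client certificate instead of a password on the OpenID login endpoint, as an added configuration example; this is not the Fedora infrastructure's configuration and the thread does not say which web server fronts the provider. It assumes nginx, a placeholder server name in place of the real accounts host, placeholder certificate paths, and a local backend application that maps the verified certificate subject to an account.

```nginx
# Added illustration, not the Fedora infrastructure configuration.
# Assumptions: nginx terminates TLS for the OpenID provider; the CA that
# issued user certificates is at /etc/ssl/fas-client-ca.pem (placeholder);
# accounts.example.invalid stands in for the real accounts host.
server {
    listen 443 ssl;
    server_name accounts.example.invalid;        # placeholder

    ssl_certificate     /etc/ssl/server.crt;     # placeholder
    ssl_certificate_key /etc/ssl/server.key;     # placeholder

    # Request a client certificate on every connection but do not reject
    # connections that lack one: the rest of the site stays reachable and
    # the per-location check below decides where a certificate is mandatory.
    ssl_client_certificate /etc/ssl/fas-client-ca.pem;   # placeholder
    ssl_verify_client optional;

    # Weak setting this replaces: the login endpoint accepted a
    # username/password form, which a phishing relying party can imitate.
    # Hardened setting: the endpoint refuses any request not backed by a
    # certificate the CA above issued, so no password is ever typed and a
    # look-alike form has nothing to harvest.
    location /accounts/openid/login {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        # Hand the verified subject DN to the application so it can map
        # the certificate to the account instead of asking for a password.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;        # placeholder backend
    }

    location / {
        proxy_pass http://127.0.0.1:8080;        # placeholder backend
    }
}
```

With this in place, a genuine login is preceded by the browser's own certificate-selection prompt, and that prompt is the cue Kostas is counting on: a phishing site can still render a password form, but it cannot trigger the prompt for a certificate it does not have, so its absence is the signal the user has to notice.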




More information about the Fedora-infrastructure-list mailing list