OpenID
Kostas Georgiou
k.georgiou at imperial.ac.uk
Thu May 29 13:03:03 UTC 2008
On Thu, May 29, 2008 at 12:07:43PM +0200, Till Maas wrote:
> On Thu May 29 2008, Mike McGrath wrote:
> > Hey guys, so the last little bits are in good shape for the OpenID
> > provider we're attempting to be. Don't go announcing this to others yet.
> > Let's test it out; if it breaks something, let us know. We'll be announcing
> > it officially soon. You can, for example, log in to livejournal.com with:
>
> The login to livejournal worked for me, too. But after I have seen how it
> works, I think it is too insecure to use the FAS password for authentication.
> This makes it pretty easy for any openid user to get the FAS password,
> because instead of really forwarding someone to the FAS homepage, one could
> just present the FAS login form to get the password. Here is an interesting
> blog article about security considerations wrt. openid:
> http://idcorner.org/2007/08/22/the-problems-with-openid/
A possible solution to the phishing issue might be to only allow SSL
client auth and not a login/password for a.fp.org/accounts/openid/login.
This doesn't stop the phishing site asking for a password, but the
difference might be enough for the user to notice that something is
wrong.
I am not sure that I see any value in OpenID in any case; there are very
few OpenID consumers that I know about.
Kostas
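The SSL-client-auth idea above, shown as an added illustration that is not part of the original thread or of Fedora Infrastructure's own configuration: an Apache httpd mod_ssl snippet that requires a valid client certificate on the OpenID login path instead of serving a password form. The hostname, certificate paths and CA file are placeholders, and the client-certificate CA is assumed to be one the provider operates for its users.

```apache
# Added example, not from the mailing-list thread.
# Assumes Apache httpd with mod_ssl; all paths and the CA are placeholders.
<VirtualHost *:443>
    # Hostname taken from the message as a placeholder
    ServerName a.fp.org

    SSLEngine on
    # Placeholder server certificate and key
    SSLCertificateFile /etc/pki/tls/certs/provider.crt
    SSLCertificateKeyFile /etc/pki/tls/private/provider.key
    # Placeholder CA that issued the users' client certificates
    SSLCACertificateFile /etc/pki/tls/certs/user-client-ca.crt

    # Weak variant (commented out): the login path accepts anyone and
    # falls back to a username/password form, which a phishing page can
    # imitate convincingly.
    # <Location /accounts/openid/login>
    #     SSLVerifyClient none
    # </Location>

    # Hardened variant: a client certificate chaining to the user CA is
    # mandatory; the handshake fails before any form is rendered, so there
    # is no password for a look-alike site to harvest.
    <Location /accounts/openid/login>
        SSLVerifyClient require
        SSLVerifyDepth 2
        # Expose certificate fields to the application as SSL_CLIENT_* vars
        SSLOptions +StdEnvVars
        # Populate REMOTE_USER from the certificate's CN so the OpenID
        # provider code can identify the authenticated account
        SSLUserName SSL_CLIENT_S_DN_CN
    </Location>
</VirtualHost>
```

With `SSLVerifyClient require` in place, a user who lands on an impostor site and is asked for a password sees something the real login never does, which is the behavioural difference the message relies on; the remaining risk is that users who have never seen the certificate prompt may not recognise the discrepancy, so the change works best when the provider only ever authenticates this way.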