Comments on: Microsoft Jumps on OpenID Bandwagon

By: myrdhrin

myrdhrin — Wed, 29 Oct 2008 13:50:17 +0000

Anthony… sorry for the typo in your name

By: myrdhrin

myrdhrin — Wed, 29 Oct 2008 13:49:46 +0000

Well said Bling…

Anothony… I don’t want to sound harsh but those “innocent people” have to take responsibility as some point for their online identity. As we have to take responsibility for educating them.

A cheap lock would not be considered the safe way to lock away your money… why would an account at “cheap” OpenID host be more safe?

By: Rowland Watkins

Rowland Watkins — Wed, 29 Oct 2008 09:12:10 +0000

While having yet another provider is an additional tick in the box, there remains fundamental issues regarding OpenID’s susceptibility to third-part phishing attacks and DNS poisoning. Coupled to this is the problem that while there are numerous OpenID providers, few Relying Parties are prepared to accept arbitrary assertions from the ABC Provider – also noted by @Bling. OpenID then becomes less secure and no better than the likes of Shibboleth, which at least is based on SAML and PKI standards (OASIS and IETF).

@Bling makes some good points about trust. Ultimately, in the real world trust is defined through business relationships and the EULA a user has with a Relying Party. Users need to understand that they have responsibilities based on the identity assertion that has been given to them by the “identity provider” (federated or otherwise).

OpenID still shows itself to be a community effort, rather than a concerted force to improve a user’s experience of so-called single sign-on – this is clear from its origins. Surely it would be more appropriate to send the specs to OASIS or W3C and bring the larger community in?

By: Bling

Bling — Tue, 28 Oct 2008 22:52:34 +0000

You always need some level of trust in a security system. I have to trust (to some level) that when someone logs into my website they are who they say they are. They have to trust that I take their security seriously.

If you do some research on basic security principals you want to keep the trust to a minimum. To use an analogy think of trust like links in a chain. Not only is the chain as strong as the weakest link, but the more links you have increases your chance of it breaking.

By: Anthony

Anthony — Tue, 28 Oct 2008 22:43:54 +0000

@myrdhrin

So this is a process of trial and error? An openID host becomes compromised, it get’s blacklisted / never to be ‘trusted’ again?

I wonder how many innocent peoples lives will be destroyed during the process, what with their bank account, business, etc. logins having been stolen.

By: myrdhrin

myrdhrin — Tue, 28 Oct 2008 16:00:34 +0000

@Bling

Unless I’m mistaken whichever site accepting an OpenID can choose which source it can accept or not making the point of “anyone can host an OpenID server” moot.

Authentication is based on trust anyway. The user signin on your website is trusting you won’t do any harm with the information they gave you. The Certification provided by a CA Root is only as valid as the trust you put in that CA.

OpenID is not different at that level. What I see happening is a list of servers that cannot be trusted and that website should/could ignore.

Jean-Marc

By: Sojan80

Sojan80 — Tue, 28 Oct 2008 01:07:22 +0000

I’d agree… Isn’t the whole purpose behind OpenId and single one web, one sign-on? I mean so now what, we need two OpenId accounts? It’s a bit like screen oors on submarines if you ask me.

By: Bling

Bling — Tue, 28 Oct 2008 01:01:08 +0000

“OpenID is fundamentally a sound idea”. OpenID is good in theory, and that’s where it should end. The whole system is based on trust. As it was clearly pointed out at Web Directions South, OpenID shouldn’t be used by Banking Systems or any high level security system. If they can’t recommend it for banking solutions, it can’t be all that secure then.

Not to mention anyone can host an OpenID server. Anyone… This means people without any idea of basic security principals.

By: roosevelt

roosevelt — Mon, 27 Oct 2008 22:48:31 +0000

Awesome, sounds good :). But its bit pointless if we can’t login to microsoft sites with openid obtained elsewhere.