Comment 25 for bug 1169

Sami Haahtinen (ressu) wrote : Re: [Bug 1169] on OpenID provider clearinghouses

On Fri, 2007-09-14 at 20:17 +0000, BUGabundo wrote:
> I must say I'm against any kind of discrimination.
> So you trust the user is able to keep his password secure but not his
> OpenID?
> I use it 'cause I want to get rid of my passwords, and log in to my
> OpenID with an SSL cert via HTTPS (SSL) so it's much more secure than me
> entering my password in most sites that I use.

I think the main concern with OpenID is that you need one slip and you
lose your OpenID account and since most providers keep logs of sites
you log in to, it is quite straightforward to see where you could keep
important data.

As with single passwords one would have to guess which sites the user
visits and hope that those sites use the same passwords.

Problem is the same, but the scale of the damage is worse with OpenID.
While it is true that it isn't really a problem in the OpenID protocol
itself it poses a security problem to Launchpad users. A single
compromised account could potentially lead to catastrophic scenarios.

Personally I use SSL login and VeriSign OpenID helper for Firefox which
makes things quite safe for me (it makes me log in before I submit the
form). This isn't the case for everyone and sadly it takes just one...

Many sites will have to do this kind of evaluation for the level of
trust for OpenID. OpenID is a convenience thing after all.

--
Sami Haahtinen <email address hidden>