What's standing in the way of unified login for the various Wine sites (appdb, wiki, Bugzilla)?
Is there anyone running any of these sites who doesn't consider single unified login a good idea?
- d.
On Sun, Mar 22, 2009 at 9:18 AM, David Gerard dgerard@gmail.com wrote:
> What's standing in the way of unified login for the various Wine sites (appdb, wiki, Bugzilla)?
Someone to do the work to combine the logins and implement the infrastructure.
> Is there anyone running any of these sites who doesn't consider single unified login a good idea?
AppDB/Bugzilla/Forums are all hosted by WineHQ (sponsored by Codeweavers). The Wiki is run/sponsored by Lattica (Dimi Paun).
Maybe add openid support and let users connect existing accounts to one openid?
-- Igor
On Sunday 22 March 2009 17:29:33 Igor Tarasov wrote:
> Maybe add openid support and let users connect existing accounts to one openid?
We decided to go for a secure system, if at all. OpenID was discussed and quickly dropped at the last WineConf.
Google for "openid security issues" to see what I'm talking about.
Cheers, Kai
On Sun, Mar 22, 2009 at 05:39:53PM +0100, Kai Blin wrote:
> On Sunday 22 March 2009 17:29:33 Igor Tarasov wrote:
> > Maybe add openid support and let users connect existing accounts to one openid?
> We decided to go for a secure system, if at all. OpenID was discussed and quickly dropped at the last WineConf.
> Google for "openid security issues" to see what I'm talking about.
I read a bit about OpenID security issues and from that it seems that OpenID is more secure than what we currently use if the Relying Party (the website that wants to authenticate a user, i.e. winehq.org) and the OpenID Provider get their implementation right (i.e. I have not found any security bug in the spec itself). The downside is that there is one more party that can be compromised, the upside is that this party is usually the hardest to compromise and that it ensures that some attacks don't work on the other two parties (that previously worked).
I may be wrong, so please correct me.
Does anyone know of a possible attack against an OpenID-enabled winehq.org that would not in principle be possible against our current login system? (I.e. CSRF or XSS against an OpenID Provider is a possibility, but it is also a possibility against winehq.org with our current login system, so it doesn't count; anything that needs sniffing of the communication from/to the user or OpenID provider doesn't count as our current login system is not protected against that, same with phishing.)
Jan
On Monday 06 April 2009 17:04:02 Jan Zerebecki wrote:
> I read a bit about OpenID security issues and from that it seems that OpenID is more secure than what we currently use if the Relying Party (the website that wants to authenticate a user, i.e. winehq.org) and the OpenID Provider get their implementation right (i.e. I have not found any security bug in the spec itself). The downside is that there is one more party that can be compromised, the upside is that this party is usually the hardest to compromise and that it ensures that some attacks don't work on the other two parties (that previously worked).
> I may be wrong, so please correct me.
I see the attack scenario where someone stole an openid user's identity and is now using that to do bad things on the wine sites.
Also, the flaw I see in the OpenID spec is that they're not requiring the use of SSL, but you decided to not allow the MITM attack against the DH exchange as an argument. So all I can say is that while all the points I could raise are invalidated by your exclusion, I don't like the OpenID design and don't want to support it. There are good password safe programs available for people who don't want to remember their logins for multiple sites. That should be good enough.
Kai
2009/3/22 Austin English austinenglish@gmail.com:
> On Sun, Mar 22, 2009 at 9:18 AM, David Gerard dgerard@gmail.com wrote:
> > What's standing in the way of unified login for the various Wine sites (appdb, wiki, Bugzilla)?
> Someone to do the work to combine the logins and implement the infrastructure.
Cool, so the only problem is to do the work then :-)
(Apologies to all for the somewhat frustrated tone of my message.)
> > Is there anyone running any of these sites who doesn't consider single unified login a good idea?
> AppDB/Bugzilla/Forums are all hosted by WineHQ (sponsored by Codeweavers). The Wiki is run/sponsored by Lattica (Dimi Paun).
Cross-site authentication could be more than a little interesting ...
- d.