Steven Edwards wrote:
> Based upon my recollection there was a lot of contempt for OpenID at the last wineconf. Maybe the situation has changed recently...

For those new to the story, OpenID is incredibly insecure. See for example
http://marcoslot.net/apps/openid/
http://www.gnucitizen.org/blog/hijacking-openid-enabled-accounts/
http://www.techafina.com/posts/openid-benefits-and-risks/
http://kuza55.blogspot.com/2007/01/insecure-openid-features.html
Moreover, it's hard to use, as shown by usability testing at Yahoo:
http://www.betanews.com/article/Yahoo-usability-tests-bode-ill-for-OpenID-ta...

In short: if you care about your data or your identity, stay far away from OpenID.

Now, if you absolutely must use OpenID, there are people working on making it more secure. For instance, Google is giving it a shot; see
http://google-code-updates.blogspot.com/2009/05/google-openid-api-taking-nex...
But I doubt the wine community wants to go there.

Better to implement a plain old shared password database between our four services.
- Dan
Dan Kegel wrote:
> Steven Edwards wrote:
>> Based upon my recollection there was a lot of contempt for OpenID at the last wineconf. Maybe the situation has changed recently...
>
> For those new to the story, OpenID is incredibly insecure. See for example
> http://marcoslot.net/apps/openid/
> http://www.gnucitizen.org/blog/hijacking-openid-enabled-accounts/
> http://www.techafina.com/posts/openid-benefits-and-risks/
> http://kuza55.blogspot.com/2007/01/insecure-openid-features.html
> Moreover, it's hard to use, as shown by usability testing at Yahoo:
> http://www.betanews.com/article/Yahoo-usability-tests-bode-ill-for-OpenID-ta...
>
> In short: if you care about your data or your identity, stay far away from OpenID.

All our WineHQ data is public though -- is there still a risk if we restrict the allowed OpenID providers to the main WineHQ one?

> Now, if you absolutely must use OpenID, there are people working on making it more secure. For instance, Google is giving it a shot; see
> http://google-code-updates.blogspot.com/2009/05/google-openid-api-taking-nex...
> But I doubt the wine community wants to go there.
>
> Better to implement a plain old shared password database between our four services.
> - Dan
This would be nice, but we don't have any premade tools for getting bugzilla and friends talking to one another that way. I'm not sure how difficult that is to do from scratch, though it might not be substantially harder than integrating the OpenID stuff.
Thanks, Scott Ritchie
On Tue, Jul 21, 2009 at 10:32 PM, Scott Ritchie <scott@open-vote.org> wrote:
>> For those new to the story, OpenID is incredibly insecure. See for example
>> http://marcoslot.net/apps/openid/
>> http://www.gnucitizen.org/blog/hijacking-openid-enabled-accounts/
>> http://www.techafina.com/posts/openid-benefits-and-risks/
>> http://kuza55.blogspot.com/2007/01/insecure-openid-features.html
>
> ... is there still a risk if we restrict the allowed OpenID providers to the main WineHQ one?

Not as big a risk. However Yahoo's usability studies make me worry that it would be cumbersome. It's a big, fluffy, ill-designed web API, and that kind of thing usually makes me want to run away screaming.
- Dan
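The mitigation Scott asks about (accepting only the one WineHQ OpenID provider) is a relying-party-side allow-list check. The following is an added example, not code from this thread, from WineHQ, or from any OpenID library: it normalizes a user-supplied identifier, then requires both the claimed identifier and the OP endpoint returned by discovery to sit on a single trusted host, with an exact host comparison so look-alike hosts are rejected. The provider host `openid.example.org` and the function names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption for this example: the one OpenID provider the relying party trusts.
# Placeholder host, not WineHQ's real provider.
ALLOWED_OP_HOST = "openid.example.org"


def normalize_identifier(raw):
    """Turn a user-typed identifier into a canonical URL, or None if unusable.
    Follows the spirit of OpenID 2.0 identifier normalization: add a scheme
    when missing, lowercase the host, drop userinfo and fragment."""
    ident = raw.strip()
    if not ident or ident.startswith("xri://") or ident[0] in "=@+$!":
        return None  # XRI identifiers are not supported by this example
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    if parts.scheme not in ("http", "https"):
        return None
    try:
        host, port = parts.hostname, parts.port  # .port raises on a junk port
    except ValueError:
        return None
    if not host:
        return None
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


def identifier_host(url):
    """Host component of a normalized identifier or endpoint URL."""
    return urlsplit(url).hostname


def is_allowed_identifier(raw):
    """True only if the claimed identifier lives on the allowed provider host.
    Exact host comparison: a suffix or substring match would let
    'openid.example.org.evil.net' or 'evil.net/openid.example.org' through."""
    url = normalize_identifier(raw)
    return url is not None and identifier_host(url) == ALLOWED_OP_HOST


def is_allowed_op_endpoint(endpoint):
    """True only if the discovered OP endpoint is on the allowed host over
    HTTPS. Discovery results come from the network, so they are checked
    independently of the identifier the user typed."""
    parts = urlsplit(endpoint)
    try:
        host = parts.hostname
        _ = parts.port  # reject unparsable ports the same way as above
    except ValueError:
        return False
    return parts.scheme == "https" and host == ALLOWED_OP_HOST


def check_login_request(identifier, discovered_endpoint):
    """Decide whether to proceed with an OpenID login. Returns (ok, reason).
    Both checks must pass before the relying party redirects the user."""
    if not is_allowed_identifier(identifier):
        return False, "identifier not on the allowed provider"
    if not is_allowed_op_endpoint(discovered_endpoint):
        return False, "OP endpoint not on the allowed provider over https"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs for illustration, not real accounts.
    samples = [
        ("openid.example.org/alice", "https://openid.example.org/server"),
        ("https://OPENID.Example.org/alice", "https://openid.example.org/server"),
        ("http://openid.example.org.evil.net/alice", "https://openid.example.org.evil.net/server"),
        ("http://evil.net/openid.example.org", "https://evil.net/server"),
        ("https://openid.example.org/alice", "http://openid.example.org/server"),
    ]
    for ident, endpoint in samples:
        print(ident, "->", check_login_request(ident, endpoint))
```

The endpoint check is kept separate from the identifier check on purpose: the identifier is what the user typed, while the endpoint is whatever discovery returned, and an allow-list that only looks at one of the two still lets a login be routed to a provider the site never meant to trust.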