[Opensim-dev] OpenID

Ralf Haifisch ralf at ralf-haifisch.biz
Mon Mar 2 23:38:42 UTC 2009


Crista,

this is an upcoming standard and common sense. If I do an audit based on ISO
27.001, this is a perfect thing and would get some applause if implemented,
generally speaking.


It is based on the established ideas from LDAP+Kerberos combining systems,
which use this triangle of user/workstation - auth-provider and
auth-subscriber in principle, as well.


Microsoft did try to run this with .Net Passport (uhm... maybe they even had
a name before that) and had a set of criteria you have to fulfill before
joining the system.  People did not like this "closed-source big-brother-like"
system.


OpenID and SAML are major topics for those devs that are into security
systems right now. Claim-based systems and rights management are often based
on this.


It is all about a "secure stack".

- hopefully, you did write your operating system - why could it be trusted
otherwise?
- what about the keyboard?  easy going to implement what I need
- is there a "nubble" on your monitor's video cord? is this for anti-interference
reasons... hmmm..
- you print out strategic papers or sources on the big laser printer on the
floor (sure, only you in the building)..  I did fetch interesting stuff
unencrypted from these devices
- you had this all-new USB hard disk for backups that came with some new
drivers?

Unless the whole stack from hardware to service is secure and trusts are
built and verified against each other.... what you see is the best that is
realistically achievable:


--> warn the user, if something is maybe wrong.


It's you who chooses the OpenID provider (I guess VeriSign is somewhat secure
for me).

It's you who uses a service - and would have done so even without OpenID.

It's you who gets a warning about possible fraud, which you would not have been
getting without OpenID.


Instead of OpenID, the usual user has 2000 passwords and requests new
passwords via clear-text email over the web, regularly.


So - in total a regular user gets more security.  That's the basic idea.


In some years we will use at least 2-factor authentication.  E.g. the
Netherlands did start giving out passports with a digital ID (certificate).
Cheap readers will spread.


There is a common sense that "exo-technical means" will better serve
security needs in future. The more business-driven standards like ISO 27.001
and 38.500 respect this. Technical means will fulfill a task assigned
exo-technically.


Let's say - this is a new and upcoming system.
It's not worse than what we have.
It has many options to get better on a standard architecture.


It's a little bit like the 3D web story...


Cheers,
Ralf


------------------------------

Message: 6
Date: Mon, 02 Mar 2009 14:44:46 -0800
From: Diva Canto <diva at metaverseink.com>
Subject: Re: [Opensim-dev] OpenID
To: opensim-dev at lists.berlios.de
Message-ID: <49AC615E.5010904 at metaverseink.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

OMG!
Sorry for insisting on this, but I tend to get obsessive when I'm trying 
to figure things out :-)
I just tried logging in to some random Brazilian site using my OpenID-ed
Yahoo account. Indeed, it... works... I guess.
I seem to have been redirected to a yahoo openid login page, which, 
after I entered my password, proceeded to warn me that "Warning: this 
web site has not confirmed its identity with Yahoo! and might be 
fraudulent....".

I have no idea/guarantees that this site that the Brazilian site
redirected me to, which looks like Yahoo, where I entered my password, and
that is warning me of danger, is, indeed, a legitimate Yahoo site. It
might not be. And I have no idea what that potentially fraudulent
Brazilian site might do with the info it gets from Yahoo (assuming this
is Yahoo and not a phishing scam).

Sorry, this defies all common sense...

I can see the *mechanism* of OpenID working among a group of 
organizations that trust each other by exo-technical means (read 
lawyers). But this mechanism in decentralized, world-wide open systems?! 
That's insane!

Crista

Diva Canto wrote:
> The more I read about OpenID the more concerns I have that it's unsafe 
> -- not just for OpenSim but in general. It seems that OpenID is a 
> wonderful opportunity for phishing sites to get access to people's 
> passwords directly.
>
> The flaw is that it assumes that the initial site is trustworthy. That's 
> a huge assumption! Try to use your OSGrid OpenID-ed account in a future 
> version of DNCH... it will direct you to a page that will look like 
> OSGrid's login page, and then it will steal your password as you type it.
>
> Is this serious?! Maybe I'm missing something fundamental...
>
> <puzzled>
> Crista
>
> _______________________________________________
> Opensim-dev mailing list
> Opensim-dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-dev
>
>   
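The checks that OpenID 2.0's mechanism does give the relying party, as an added Python example that is not part of this thread and not OpenSim code: the OP builds a positive assertion signed with the association secret, and the RP checks that the response names the OP endpoint it discovered and its own return_to URL, that the required fields are covered by the signature, that the nonce is fresh and used only once, and that the HMAC matches. The endpoints, identifiers and association handle are constructed values, and the association step that shares the secret is assumed to have already happened. Worth noticing, in light of Crista's point: every one of these checks runs on the RP's side and protects the RP from forged, redirected or replayed assertions; none of them runs in the user's browser, so they say nothing about whether the login page the RP redirected the user to is the real OP.

```python
import base64
import calendar
import hashlib
import hmac
import secrets
import time

# Constructed values for this example; a real RP learns the OP endpoint by discovery.
OP_ENDPOINT = "https://op.example.org/server"
RETURN_TO = "https://rp.example.net/openid/return"
CLAIMED_ID = "https://op.example.org/id/alice"


def kv_form(params, signed_fields):
    """Key-Value Form of the signed fields ('key:value\\n', keys without 'openid.')."""
    return "".join(f"{key}:{params['openid.' + key]}\n" for key in signed_fields)


def compute_sig(params, secret):
    """Base64(HMAC-SHA256(secret, KV form)), i.e. the HMAC-SHA256 association type."""
    signed_fields = params["openid.signed"].split(",")
    mac = hmac.new(secret, kv_form(params, signed_fields).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def make_positive_assertion(secret, assoc_handle, return_to, now):
    """OP side: the 'id_res' response sent back on return_to; nonce starts with UTC time."""
    nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)) + secrets.token_urlsafe(6)
    params = {
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": CLAIMED_ID,
        "openid.identity": CLAIMED_ID,
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": assoc_handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,signed",
    }
    params["openid.sig"] = compute_sig(params, secret)
    return params


class RelyingParty:
    """RP side: verification of a positive assertion against a stored association."""

    REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
    NONCE_SKEW = 300  # seconds of clock difference tolerated between OP and RP

    def __init__(self, assoc_handle, secret):
        self.associations = {assoc_handle: secret}  # from the association step (not shown)
        self.seen_nonces = set()

    def verify(self, params, now):
        """Return (accepted, reason); cheap rejections come before the HMAC."""
        if params.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        # Must come from the OP we discovered and be addressed to our own return URL.
        if params.get("openid.op_endpoint") != OP_ENDPOINT:
            return False, "op_endpoint mismatch"
        if params.get("openid.return_to") != RETURN_TO:
            return False, "return_to mismatch"
        secret = self.associations.get(params.get("openid.assoc_handle"))
        if secret is None:
            return False, "unknown assoc_handle"
        signed_fields = params.get("openid.signed", "").split(",")
        required = self.REQUIRED_SIGNED
        if "openid.claimed_id" in params:  # identity fields must be signed when present
            required += ("claimed_id", "identity")
        for field in required:
            if field not in signed_fields:
                return False, f"field not covered by signature: {field}"
        nonce = params.get("openid.response_nonce", "")
        try:
            stamp = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
        except ValueError:
            return False, "malformed nonce"
        if abs(now - stamp) > self.NONCE_SKEW:
            return False, "stale nonce"
        if nonce in self.seen_nonces:
            return False, "nonce replay"
        if not hmac.compare_digest(compute_sig(params, secret), params.get("openid.sig", "")):
            return False, "bad signature"
        self.seen_nonces.add(nonce)  # accept each nonce exactly once
        return True, "accepted"


def demo(now=1236033886):
    """One genuine exchange, a tampered copy, and a replay; returns the three verdicts."""
    secret = secrets.token_bytes(32)
    handle = "assoc-" + secrets.token_hex(4)
    rp = RelyingParty(handle, secret)
    genuine = make_positive_assertion(secret, handle, RETURN_TO, now)
    # Someone rewrites the identity in transit but cannot recompute the HMAC.
    forged = dict(genuine, **{"openid.claimed_id": "https://op.example.org/id/bob",
                              "openid.identity": "https://op.example.org/id/bob"})
    tampered = rp.verify(forged, now)
    accepted = rp.verify(genuine, now)
    replayed = rp.verify(genuine, now + 10)
    return accepted, tampered, replayed
```

Calling `demo()` returns `(True, "accepted")` for the genuine response, `(False, "bad signature")` for the tampered copy and `(False, "nonce replay")` for the second delivery of the genuine one. The nonce check is what stops an assertion captured once from being presented again; the op_endpoint and return_to checks stop a response meant for one OP or one RP from being accepted by another.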