[Opensim-dev] OpenID
Ralf Haifisch
ralf at ralf-haifisch.biz
Tue Mar 3 07:40:03 UTC 2009
Well,
being phished - you are talking about "getting the user's token"?
Phishing to me is getting information the owner would not grant you, if you
did not request it by ways he assumes to be something/someone else
requesting this.
Just the "token" to log me in.. it's not password phishing or so..
... ah.. I think I got you..
- someone wants to log into "travel.com"
- he logs on to "trovel.com"
- books a journey
- opens the claim (in 2.x of OpenID) on his credit card data
That is the phishing thing you think about?
I guess it's not worse than what happens now, the people would just use their
credit card on a wrong website.
It's a little bit related to your other message "how people interact", but
OpenID is not guilty here - it adds just one more warning (people ignore).
Cheers,
Ralf
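The "travel.com" versus "trovel.com" scenario above is a lookalike-domain phish. The following is an added example (not code from the thread or from OpenSim) of the kind of defensive check a relying party or an OpenID provider's login page could run before redirecting a user: it folds visually confusable characters, measures edit distance against a constructed allowlist of trusted hosts, and also flags a trusted name embedded as a leading label of an untrusted host. The allowlist, the confusable table and the distance threshold are assumptions chosen for illustration.

```python
"""Lookalike-domain detection for the phishing scenario discussed in the thread.

Added example; TRUSTED_HOSTS, CONFUSABLES and the distance threshold are
constructed assumptions, not values from OpenSim or the mailing list.
"""
from typing import Tuple
from urllib.parse import urlsplit

# Constructed allowlist of hosts this deployment trusts (assumption).
TRUSTED_HOSTS = {"travel.com", "openid.example-provider.net"}

# Character sequences that render alike; applied in order, longest first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (classic row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalise(host: str) -> str:
    """Lower-case, drop a trailing dot and fold confusable characters."""
    h = host.lower().rstrip(".")
    for src, dst in CONFUSABLES:
        h = h.replace(src, dst)
    return h


def classify(url_or_host: str) -> Tuple[str, str]:
    """Return (verdict, nearest_trusted_host).

    verdict is 'trusted' (exact or legitimate subdomain of a trusted host),
    'lookalike' (close to, or embedding, a trusted host) or 'unrelated'.
    """
    target = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = (urlsplit(target).hostname or "").rstrip(".")
    if not host:
        return "unrelated", ""

    for trusted in TRUSTED_HOSTS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted", trusted
        # Trusted brand used as a leading label of another domain,
        # e.g. "travel.com.evil.net": classic phishing layout.
        if host.startswith(trusted + "."):
            return "lookalike", trusted

    norm = normalise(host)
    best_host, best_dist = "", 10 ** 9
    for trusted in TRUSTED_HOSTS:
        d = edit_distance(norm, normalise(trusted))
        if d < best_dist:
            best_host, best_dist = trusted, d

    # Assumption: within two edits after confusable folding counts as a lookalike.
    if best_dist <= 2:
        return "lookalike", best_host
    return "unrelated", best_host


if __name__ == "__main__":
    # Constructed sample inputs, including the thread's own "trovel.com".
    for sample in ["https://travel.com/login", "trovel.com", "trave1.com",
                   "travel.com.evil.net", "example.org"]:
        print(sample, "->", classify(sample))
```

The check is deliberately one-sided: it only ever raises a warning, never grants trust, so a miss falls back to the existing behaviour rather than bypassing it.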
------------------------------
Message: 4
Date: Mon, 02 Mar 2009 15:57:48 -0800
From: Diva Canto <diva at metaverseink.com>
Subject: Re: [Opensim-dev] OpenID
To: opensim-dev at lists.berlios.de
Message-ID: <49AC727C.2020409 at metaverseink.com>
Content-Type: text/plain; charset="iso-8859-1"
There is nothing wrong with the mechanism and its roots. In fact, when I
first read the spec I liked it a lot. But I hadn't used this until 2
hours ago.
There is, potentially, a huge hole in the resulting system because it
ignores how people interact with their computers. Did anyone make a
serious study about how normal people react to being phished when
using OpenID? That sounds like a great project for one of my colleagues
here at UCI...
Ralf Haifisch wrote:
> Crista,
>
> this is an upcoming standard and common sense. If I do an audit based on
> ISO 27.001, this is a perfect thing and would get some applause if
> implemented, generally speaking.
>
>
> It is based on the established ideas from LDAP+Kerberos combining systems,
> that use this triangle of user/workstation - auth-provider and
> auth-subscriber in principle, as well.
>
>
> Microsoft did try to run this with .Net Passport (uhm... maybe they even
> had a name before that) and had a set of criteria you have to fulfill before
> joining the system. People did not like this "closed source big brother -
> alike" system.
>
>
> openID and SAML are major topics for those devs, that are into security
> systems right now. Claim based systems and rights management are often
> based on this.
>
>
> It is all about a "secure stack".
>
> - hopefully, you did write your operating system - why could it be trusted
> otherwise ?
> - what about the keyboard? easy going to implement what I need
> - is there a "nuble" on your monitor's video cord? is this for anti-interference
> reasons... hmmm..
> - you print out strategic papers or sources on the big laser printer in the
> floor (sure, only you in the building).. I did fetch interesting stuff
> unencrypted from these devices
> - you had this all new USB hard disc for backups that came with some new
> drivers?
>
> Unless the whole stack from hardware to service is secure and trusts are
> built and verified against each other.... what you see is the best that is
> realistically achievable:
>
>
> --> warn the user, if something is maybe wrong.
>
>
> It's you who chooses the OpenID provider (I guess verisign is somewhat secure
> for me)
>
> It's you who uses a service - and would have done even without OpenID.
>
> It's you who gets a warning about possible fraud, you would not have been
> getting without OpenID.
>
>
> Instead of OpenID the usual user has 2000 passwords and requests new
> passwords via clear text email over the web, regularly.
>
>
> So - in total a regular user gets more security. That's the basic idea.
>
>
> In some years we will use at least 2-factor authentication. E.g. the
> Netherlands did start giving out passports with a digital ID (certificate).
> Cheap readers will spread.
>
>
> There is a common sense that "exo-technical means" will better serve
> security needs in future. The more business driven standards like ISO
> 27.001 and 38.500 respect this. Technical means will fulfill a task assigned
> exo-technically.
>
>
> Let's say - this is a new and upcoming system.
> It's not worse than what we have.
> It has many options to get better on a standard architecture.
>
>
> It's a little bit like the 3D web story...
>
>
> Cheers,
> Ralf
>
>