[Opensim-dev] OpenID

Ralf Haifisch ralf at ralf-haifisch.biz
Tue Mar 3 07:40:03 UTC 2009


Well, 

being phished - you are talking about "getting the user's token"?

Phishing to me is getting information the owner would not grant you if you
did not request it by ways he assumes to be something/someone else
requesting it.

Just the "token" to log me in.. it's not password phishing or so..

... ah..  I think I got you..

- someone wants to log into "travel.com"
- he logs on to "trovel.com"
- books a journey
- opens the claim (in OpenID 2.x) on his credit card data

That is the phishing thing you think about?

I guess it's not worse than what happens now; the people would just use their
credit card on a wrong website.


It's a little bit related to your other message "how people interact", but
OpenID is not guilty here - it adds just one more warning (people ignore).


Cheers,
Ralf
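
The "travel.com" / "trovel.com" scenario above can be made concrete. What follows is an added example, not code from this thread or from OpenSim: it takes the OpenID 2.0 checkid_setup redirect URL that a relying party sends the browser to, and applies the two checks a user agent or an OP could run before anyone types a password - is the OP host one the user actually trusts (or merely a look-alike of one), and does openid.return_to fall inside openid.realm as OpenID 2.0 section 9.2 requires. The hostnames, the trusted-OP list and both request URLs are constructed for illustration.

```python
"""Checks on an OpenID 2.0 checkid_setup redirect (added example, not from the thread).

Assumptions: TRUSTED_OPS is the set of OP hosts the user really uses, and the
two request URLs below are constructed samples, not captured traffic.
"""
from urllib.parse import urlsplit, parse_qs

# Assumption: the user's only real OpenID provider.
TRUSTED_OPS = {"openid.example-provider.net"}

# Constructed sample: an honest RP (travel.example) sending the user to its OP.
GOOD_REQUEST = (
    "https://openid.example-provider.net/server?"
    "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=checkid_setup"
    "&openid.return_to=https%3A%2F%2Ftravel.example%2Fopenid%2Freturn"
    "&openid.realm=https%3A%2F%2Ftravel.example%2F"
)

# Constructed sample: a look-alike OP host ("provlder") and a return_to on a
# typo-squatted RP (trovel.example) that does not match the claimed realm.
PHISHY_REQUEST = (
    "https://openid.example-provlder.net/server?"
    "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.mode=checkid_setup"
    "&openid.return_to=https%3A%2F%2Ftrovel.example%2Fopenid%2Freturn"
    "&openid.realm=https%3A%2F%2Ftravel.example%2F"
)


def levenshtein(a, b):
    """Edit distance, used to flag hosts that are one or two typos away from a trusted OP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_checkid_request(url):
    """Return (OP host, flat dict of openid.* parameters) from a redirect URL."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.hostname, params


def return_to_in_realm(return_to, realm):
    """OpenID 2.0 section 9.2: return_to must match the realm's scheme, port and
    host (a leading '*.' in the realm matches any host ending in the rest) and
    its path must start with the realm's path."""
    r, m = urlsplit(return_to), urlsplit(realm)
    if r.scheme != m.scheme or r.port != m.port:
        return False
    if m.hostname.startswith("*."):
        host_ok = r.hostname.endswith(m.hostname[1:])   # "*.x.example" -> ".x.example"
    else:
        host_ok = r.hostname == m.hostname
    return host_ok and r.path.startswith(m.path)


def classify_redirect(url):
    """List the reasons a user agent or OP should warn before showing a login form.
    An empty list means no finding."""
    host, q = parse_checkid_request(url)
    findings = []
    if q.get("openid.mode") not in ("checkid_setup", "checkid_immediate"):
        findings.append("not a checkid request: %r" % q.get("openid.mode"))
    if host not in TRUSTED_OPS:
        near = [t for t in TRUSTED_OPS if levenshtein(host, t) <= 2]
        msg = "OP host %r is not a trusted provider" % host
        if near:
            msg += " (looks like %r)" % near[0]
        findings.append(msg)
    return_to = q.get("openid.return_to")
    # OpenID 1.x called the realm "trust_root"; accept either name.
    realm = q.get("openid.realm", q.get("openid.trust_root"))
    if return_to and realm and not return_to_in_realm(return_to, realm):
        findings.append("return_to %r is outside realm %r" % (return_to, realm))
    return findings


if __name__ == "__main__":
    for label, url in (("good", GOOD_REQUEST), ("phishy", PHISHY_REQUEST)):
        print(label, classify_redirect(url) or "no findings")
```

The realm check is the one the OP is obliged to make; the trusted-host comparison is the part Ralf's "one more warning" boils down to, and it only helps if the user acts on it.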

------------------------------

Message: 4
Date: Mon, 02 Mar 2009 15:57:48 -0800
From: Diva Canto <diva at metaverseink.com>
Subject: Re: [Opensim-dev] OpenID
To: opensim-dev at lists.berlios.de
Message-ID: <49AC727C.2020409 at metaverseink.com>
Content-Type: text/plain; charset="iso-8859-1"

There is nothing wrong with the mechanism and its roots. In fact, when I 
first read the spec I liked it a lot. But I hadn't used this until 2 
hours ago.

There is, potentially, a huge hole in the resulting system because it 
ignores how people interact with their computers. Did anyone make a 
serious study about how the normal people react to being phished on 
using OpenID? That sounds like a great project for one of my colleagues 
here at UCI...


Ralf Haifisch wrote:
> Crista,
>
> this is an upcoming standard and common sense. If I do an audit based on ISO
> 27001, this is a perfect thing and would get some applause if implemented,
> generally speaking.
>
>
> It is based on the established ideas from LDAP+Kerberos combining systems,
> that use this triangle of user/workstation - auth-provider and
> auth-subscriber in principle, as well.
>
>
> Microsoft did try to run this with .NET Passport (uhm... maybe they even had
> a name before that) and had a set of criteria you have to fulfill before
> joining the system.  People did not like this "closed source big brother -
> alike" system.
>
>
> OpenID and SAML are major topics for those devs that are into security
> systems right now. Claim based systems and rights management are often based
> on this.
>
>
> It is all about a "secure stack".    
>
> - hopefully, you did write your operating system - why could it be trusted
> otherwise ?
> - what about the keyboard ?  easy going to implement what I need
> - is there a "nub" on your monitor's video cord ? is this for anti-interference
> reasons... hmmm..
> - you print out strategic papers or sources on the big laser printer on the
> floor (sure, only you in the building)..  I did fetch interesting stuff
> unencrypted from these devices
> - you had this all new USB hard disc for backups that came with some new
> drivers ?
>
> Unless the whole stack from hardware to service is secure and trusts are
> built and verified against each other.... what you see is the best that is
> realistically achievable:
>
>
> --> warn the user, if something is maybe wrong.
>
>
> It's you who chooses the OpenID provider (I guess Verisign is somewhat secure
> for me)
>
> It's you who uses a service - and would have done even without OpenID.
>
> It's you who gets a warning about possible fraud, you would not have been
> getting without OpenID.
>
>
> Instead of OpenID the usual user has 2000 passwords and requests new
> passwords via clear text email over the web, regularly.
>
>
> So - in total a regular user gets more security.  That's the basic idea.
>
>
> In some years we will use at least 2-factor authentication.  E.g. the
> Netherlands did start giving out passports with a digital ID (certificate).
> Cheap readers will spread.
>
>
> There is a common sense that "exo-technical means" will better serve
> security needs in future. The more business driven standards like ISO 27001
> and 38500 respect this. Technical means will fulfill a task assigned
> exo-technically.
>
>
> Let's say - this is a new and upcoming system.
> It's not worse than what we have.
> It has many options to get better on a standard architecture.
>
>
> It's a little bit like the 3D web story...
>
>
> Cheers,
> Ralf
>
>
