[Opensim-dev] OpenID

Ralf Haifisch ralf at ralf-haifisch.biz
Tue Mar 3 07:52:05 UTC 2009


Na...

It will reduce the amount of passwords transmitted /typed in.

You only authenticate to the auth-provider (e.g. Verisign).

So you have at least one more step of security, unless you give out more data.


But I totally agree that people are the weak factor.  That is where modern
standards talk about these exo-technical ways to security, like awareness programs.


I don't think a system nowadays can do much better.


That is why I wrote about this "trusted stack":

If hardware and software, as well as the target application, are "signed" (by a
digital certificate) and can identify each other - so we get a complete
certified path for the data: that would be a trusted stack.

In that case you could have a whitelist, like we have spam blacklists - and
you could get a "green light" to be displayed for the user.


OpenID (and similar systems) help by reducing password flow and introducing
claims, so only the needed data is submitted (e.g. not your age if buying
shoes) - but the green light must be given by the end of the chain (e.g. the
user's browser).

It is a way to go.


Personally I do not think that all these things can ever reach the
target, unless people are aware of what they do.


To leave off all these IT-related thoughts:
It is a simple commercial rule that a chance is related to a risk.
There are still people thinking of 25% on their money with no risk.
When did we introduce money??


:-)


Cheers,
Ralf


------------------------------

Message: 2
Date: Mon, 02 Mar 2009 15:29:56 -0800
From: Diva Canto <diva at metaverseink.com>
Subject: Re: [Opensim-dev] OpenID
To: opensim-dev at lists.berlios.de
Message-ID: <49AC6BF4.5090107 at metaverseink.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hurliman, John wrote:
> Do you make a habit of sending your credentials to websites without
> checking the hostname and ignoring invalid SSL certificate warnings? That
> will create a problem.

Yes, precisely -- a huge problem. Most people don't check those things 
because they don't even know what they are. They are used to their 
computer popping up random warning windows with technical jargon -- for 
example when first running Second Life there are warnings about the 
application trying to do things that are unsafe, etc, and people will 
just click ok. It's 10x worse here than in email phishing scams, because 
people know that they are going to be asked for their password -- that's 
what it's supposed to do. So they will type it.

I'm just trying to understand the implications of these different 
identity and authorization mechanisms, and I confess I am puzzled with 
the suggestion that OpenID is a viable identity scheme beyond confined 
networks of trust.

Crista



------------------------------