[Opensim-dev] OpenID

Diva Canto diva at metaverseink.com
Wed Mar 4 00:43:00 UTC 2009


Sean Dague wrote:
> I guess the question is whether or not this is better or worse than
> requiring new user account registration for systems, which inevitably is
> people typing in the same passwords as they've used elsewhere.
>   
I can't say I have the answer to that question, although I have a hunch 
about it. All I can say is that it is extremely irresponsible on the 
part of these corporations to deploy this scheme out there without 
finding the answer to that question, given all the literature pointing 
to how oblivious people are wrt security in practice.

> Those are general statements on the tech.  How it fits in the opensim
> space, I'll leave to others, because it may not be appropriate.  But
> make sure that if you are going to hold up openid to such a high
> standard of social engineering, that you hold other methods to that as well.
>   
Let's put it this way: if I had the low standards and ethics that the 
people who wrote the OpenID spec have I would say that the Hypergrid is 
1.0 and that the security problems "can be prevented in multiple ways"  
and "are outside the scope of this document." Then I would charge 
$5000/day to do consulting work with
the people who want to use the Hypergrid for added convenience, without 
ever mentioning the security problems that it currently has. [That seems 
to be the game with OpenID, as far as I can tell; to the credit of 
OAuth, in comparison, they, at least, acknowledge the phishing problem 
explicitly]

I really don't know if we can secure the Hypergrid the right way (well, 
I think we can, but it will take some work including client-side :-), 
but I do know that anything that is based on random components asking 
people for their passwords is out of the question, at least for any 
security schemes I will be involved with.

Having said that, it's clear to me that, should we use the OpenID 
protocol as a basis for Hypergrid identity, it doesn't necessarily need 
to be used in the irresponsible manner it is being used on the Web. As I 
said, the mechanism is fine. And there is something of value to having 
OpenID and OAuth together. My main technical issue is the existence of 
multiple calls and the complexity of the solution in terms of the code, 
because of model mismatch.

I haven't finished my study on this yet. I have been distracted 
(distraught?) by what I'm seeing of OpenID out there on Webland...

Crista
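As an added illustration of the point argued in this message (it is not code from the thread, from OpenSim or from the OpenID spec), the following simplified Python model of a redirect-based login walks through association, redirect, and signed-assertion verification, and then shows the client-side safeguard that a relying-party redirect alone cannot provide: the user agent releases a password only to the provider origin it was enrolled with, so a redirect to a look-alike endpoint is refused rather than answered. All class names, URLs, identifiers and passwords are constructed for the example; the wire format is a toy stand-in for the real protocol's discovery and signature fields.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def origin(url):
    """scheme://host of a URL: the unit to which credentials are bound."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def sign(key, fields):
    """HMAC over the fields named in 'signed' (toy stand-in for the real signature format)."""
    msg = "".join(f"{k}:{fields[k]}\n" for k in fields["signed"].split(","))
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


class Provider:
    """OpenID provider (OP): holds passwords, signs assertions with a per-association key."""

    def __init__(self, endpoint):
        self.endpoint = endpoint
        self.users = {}         # identifier -> password (constructed sample data)
        self.assoc_keys = {}    # assoc_handle -> shared HMAC key

    def register(self, identifier, password):
        self.users[identifier] = password

    def associate(self):
        """Association step: RP and OP agree on a handle and a shared signing key."""
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.assoc_keys[handle] = key
        return handle, key

    def authenticate(self, identifier, password, assoc_handle, return_to):
        """Check the password; on success return a signed positive assertion, else None."""
        if self.users.get(identifier) != password:
            return None
        fields = {"identity": identifier, "return_to": return_to,
                  "assoc_handle": assoc_handle, "nonce": secrets.token_hex(8),
                  "signed": "identity,return_to,assoc_handle,nonce"}
        fields["sig"] = sign(self.assoc_keys[assoc_handle], fields)
        return fields


class RelyingParty:
    """Relying party (RP): finds the OP for a claimed identifier, redirects, verifies the result."""

    def __init__(self, return_to, discovery):
        self.return_to = return_to
        self.discovery = discovery   # claimed identifier -> OP endpoint (stands in for discovery)
        self.assoc_keys = {}
        self.seen_nonces = set()

    def begin(self, claimed_id, providers):
        op_endpoint = self.discovery[claimed_id]
        handle, key = providers[origin(op_endpoint)].associate()
        self.assoc_keys[handle] = key
        query = {"openid.identity": claimed_id, "openid.return_to": self.return_to,
                 "openid.assoc_handle": handle}
        return f"{op_endpoint}?{urlencode(query)}"

    def verify(self, assertion):
        """Accept the identity only if the signature, return_to and nonce all check out."""
        if assertion is None or assertion["assoc_handle"] not in self.assoc_keys:
            return None
        key = self.assoc_keys[assertion["assoc_handle"]]
        good_sig = hmac.compare_digest(sign(key, assertion), assertion["sig"])
        fresh = assertion["nonce"] not in self.seen_nonces
        self.seen_nonces.add(assertion["nonce"])
        if good_sig and fresh and assertion["return_to"] == self.return_to:
            return assertion["identity"]
        return None


class UserAgent:
    """Client-side safeguard: a password is released only to the OP origin it was enrolled for."""

    def __init__(self):
        self.credentials = {}   # OP origin -> (identifier, password)

    def enroll(self, op_endpoint, identifier, password):
        self.credentials[origin(op_endpoint)] = (identifier, password)

    def follow(self, redirect_url, providers):
        o = origin(redirect_url)
        if o not in self.credentials:
            return {"status": "refused", "origin": o}   # unknown origin asked for a password
        params = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
        ident, pw = self.credentials[o]
        assertion = providers[o].authenticate(
            ident, pw, params["openid.assoc_handle"], params["openid.return_to"])
        return {"status": "ok", "assertion": assertion}


def demo():
    """Honest RP login succeeds; look-alike redirect is refused; replayed assertion fails."""
    op = Provider("https://op.example/auth")
    op.register("https://op.example/alice", "correct horse")
    providers = {origin(op.endpoint): op}
    agent = UserAgent()
    agent.enroll(op.endpoint, "https://op.example/alice", "correct horse")
    rp = RelyingParty("https://rp.example/return", {"https://op.example/alice": op.endpoint})
    reply = agent.follow(rp.begin("https://op.example/alice", providers), providers)
    identity = rp.verify(reply["assertion"])
    # A redirect to an endpoint the user never enrolled with gets no password at all.
    rogue_url = "https://op-example.net/auth?" + urlencode({"openid.identity": "https://op.example/alice"})
    rogue = agent.follow(rogue_url, providers)
    replayed = rp.verify(reply["assertion"])   # same nonce again: rejected
    return identity, rogue["status"], replayed
```

The refusal in `UserAgent.follow` is the whole point: the RP chooses the redirect target, so nothing on the RP side can stop a redirect to the wrong place; only something the user controls (here, credentials bound to an origin) can. The nonce set in `RelyingParty.verify` is the RP-side check that a captured assertion cannot be presented twice.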
