No subject


Sat Apr 19 01:31:08 UTC 2014


this out there for real, with a 2.0 tag, without first understanding
if/how people detect phishing in this particular context. There have
been enough studies in the past about how normal people handle security
(or not) in practice, and the fallacies of designing systems assuming
that people choose security over convenience.<br>
<br>
But hey -- I have no interest in the success or failure of the
corporations that are pushing for this.<br>
I'll just stay here on my academic ivory tower watching the phishing
artists unwrap this wonderful present that is falling into their laps...<br>
<a class="moz-txt-link-freetext" href="http://marcoslot.net/apps/openid/">http://marcoslot.net/apps/openid/</a><br>
<br>
<br>
And that's my last email about OpenID; case closed afaic, I'm too old
and too cranky for these Web 2.0 experiments. I'd rather continue
trying to solve the problem for real :-) <br>
<br>
Crista<br>
<br>
Aldon Hynes wrote:
<blockquote
 cite="mid:NFBBLCBGBMCDKOAPLALJOEOLJJAB.Aldon.Hynes at Orient-Lodge.com"
 type="cite">
  <pre wrap="">It is worth noting that Microsoft is now adopting OpenID as well.  A while
ago it went into testing.  The idea is that you can use Microsoft Live as
your OpenID provider.  I've tested it and it works fairly well.  In fact, I
think it works better than the Google implementation.  However, I still
prefer XRI-based OpenID.

=aldon.hynes
@ahynes1

-----Original Message-----
From: <a class="moz-txt-link-abbreviated" href="mailto:opensim-dev-bounces at lists.berlios.de">opensim-dev-bounces at lists.berlios.de</a>
[<a class="moz-txt-link-freetext" href="mailto:opensim-dev-bounces at lists.berlios.de">mailto:opensim-dev-bounces at lists.berlios.de</a>]On Behalf Of Ralf Haifisch
Sent: Monday, March 02, 2009 6:39 PM
To: <a class="moz-txt-link-abbreviated" href="mailto:opensim-dev at lists.berlios.de">opensim-dev at lists.berlios.de</a>
Subject: Re: [Opensim-dev] OpenID


Crista,

this is an upcoming standard and common sense. If I do an audit based on ISO
27001, this is a perfect thing and would get some applause if implemented,
generally speaking.


It is based on the established ideas from LDAP+Kerberos combining systems,
that use this triangle of user/workstation - auth-provider and
auth-subscriber in principle, as well.


Microsoft did try to run this with .NET Passport (uhm... maybe they even had
a name before that) and had a set of criteria you have to fulfill before
joining the system.  People did not like this "closed source big brother-
alike" system.


OpenID and SAML are major topics for those devs that are into security
systems right now. Claim-based systems and rights management are often based
on this.


It is all about a "secure stack".

- hopefully, you did write your operating system - why could it be trusted
otherwise?
- what about the keyboard?  easy going to implement what I need
- is there a "nub" on your monitor's video cord? is this for anti-interference
reasons... hmmm..
- you print out strategic papers or sources on the big laser printer on the
floor (sure, only you in the building)..  I did fetch interesting stuff
unencrypted from these devices
- you had this all-new USB hard disk for backups that came with some new
drivers?

Unless the whole stack from hardware to service is secure and trusts are
built and verified against each other.... what you see is the best that is
realistically achievable:


--> warn the user, if something is maybe wrong.


It's you who chooses the OpenID provider (I guess VeriSign is somewhat secure
for me)

It's you who uses a service - and would have done even without OpenID.

It's you who gets a warning about possible fraud, which you would not have
been getting without OpenID.


Instead of OpenID the usual user has 2000 passwords and requests new
passwords via clear-text email over the web, regularly.


So - in total a regular user gets more security.  That's the basic idea.


In some years we will use at least 2-factor authentication.  E.g. the
Netherlands did start giving out passports with a digital ID (certificate).
Cheap readers will spread.


There is a common sense that "exo-technical means" will better serve
security needs in future. The more business-driven standards like ISO 27001
and 38500 respect this. Technical means will fulfill a task assigned
exo-technically.


Let's say - this is a new and upcoming system.
It's not worse than what we have.
It has many options to get better on a standard architecture.


It's a little bit like the 3D web story...


Cheers,
Ralf


------------------------------

Message: 6
Date: Mon, 02 Mar 2009 14:44:46 -0800
From: Diva Canto <a class="moz-txt-link-rfc2396E" href="mailto:diva at metaverseink.com"><diva at metaverseink.com></a>
Subject: Re: [Opensim-dev] OpenID
To: <a class="moz-txt-link-abbreviated" href="mailto:opensim-dev at lists.berlios.de">opensim-dev at lists.berlios.de</a>
Message-ID: <a class="moz-txt-link-rfc2396E" href="mailto:49AC615E.5010904 at metaverseink.com"><49AC615E.5010904 at metaverseink.com></a>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

OMG!
Sorry for insisting on this, but I tend to get obsessive when I'm trying
to figure things out :-)
I just tried logging in to some random Brazilian site using my OpenID-ed
Yahoo account. Indeed, it... works... I guess.
I seem to have been redirected to a yahoo openid login page, which,
after I entered my password, proceeded to warn me that "Warning: this
web site has not confirmed its identity with Yahoo! and might be
fraudulent....".

I have no idea/guarantees that this site that the Brazilian site
redirected me to, which looks like Yahoo, where I entered my password, and
that is warning me of danger, is, indeed, a legitimate Yahoo site. It
might not be. And I have no idea what that potentially fraudulent
Brazilian site might do with the info it gets from Yahoo (assuming this
is Yahoo and not a phishing scam).

Sorry, this defies all common sense...

I can see the *mechanism* of OpenID working among a group of
organizations that trust each other by exo-technical means (read
lawyers). But this mechanism in decentralized, world-wide open systems?!
That's insane!

Crista

Diva Canto wrote:
  </pre>
  <blockquote type="cite">
    <pre wrap="">The more I read about OpenID the more concerns I have that it's unsafe
-- not just for OpenSim but in general. It seems that OpenID is a
wonderful opportunity for phishing sites to get access to people's
passwords directly.

The flaw is that it assumes that the initial site is trustworthy. That's
a huge assumption! Try to use your OSGrid OpenID-ed account in a future
version of DNCH... it will direct you to a page that will look like
OSGrid's login page, and then it will steal your password as you type it.

Is this serious?! Maybe I'm missing something fundamental...

<puzzled>
Crista

_______________________________________________
Opensim-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Opensim-dev at lists.berlios.de">Opensim-dev at lists.berlios.de</a>
<a class="moz-txt-link-freetext" href="https://lists.berlios.de/mailman/listinfo/opensim-dev">https://lists.berlios.de/mailman/listinfo/opensim-dev</a>


    </pre>
  </blockquote>
  <pre wrap=""><!---->

  </pre>
</blockquote>
<br>
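To make the redirect-phishing point raised in this thread concrete, here is an added Python model of the OpenID 2.0 checkid_setup redirect. It is not code from the thread, from OpenSim, or from any OpenID library; the hosts (example-op.net, rp.example, evil-rp.example) are hypothetical, and discovery is replaced by fixed tables so that it runs offline. It shows that the relying party, not the user, chooses where the browser is sent, so a malicious relying party can send it to a look-alike login page, and it shows the three checks that exist: the user's (or a browser's) origin check on the page that asks for the password, the provider's return_to verification (OpenID 2.0 section 13, the kind of check behind a "site has not confirmed its identity" warning), and the relying party's check that the asserting endpoint matches discovery (section 11.2).

```python
"""Model of the OpenID 2.0 redirect step: the phishing weakness discussed in
the thread and the checks that exist against it. Added example, not OpenSim
code and not from any OpenID library. Hosts are hypothetical and discovery is
replaced by fixed tables, so it runs offline."""
from urllib.parse import urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"

# Constructed stand-in for Yadis/HTML discovery on a claimed identifier
# (a real RP fetches the identifier URL and parses the result).
DISCOVERY = {
    "https://alice.example-op.net/": "https://login.example-op.net/openid",
}

# Constructed stand-in for RP discovery (OpenID 2.0 section 13): return_to
# URLs an RP publishes in the XRDS document found at its realm. An RP that
# publishes nothing (e.g. "https://evil-rp.example/") is simply absent.
RP_XRDS = {
    "https://rp.example/": ["https://rp.example/openid/return"],
}


def discover(claimed_id):
    return DISCOVERY.get(claimed_id)


def build_checkid_setup(op_endpoint, claimed_id, return_to, realm):
    """Indirect checkid_setup request: the URL the RP redirects the browser to."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    return op_endpoint + "?" + urlencode(params)


def honest_rp_redirect(claimed_id, return_to, realm):
    """An honest RP sends the browser to the endpoint discovery returned."""
    return build_checkid_setup(discover(claimed_id), claimed_id, return_to, realm)


def phishing_rp_redirect(claimed_id, return_to, realm):
    """A malicious RP ignores discovery and sends the browser to a look-alike
    login page it controls. The protocol cannot stop this: the RP picks the
    redirect target and the browser simply follows it."""
    lookalike = "https://login.example-op.net.evil-rp.example/openid"
    return build_checkid_setup(lookalike, claimed_id, return_to, realm)


def password_page_is_real_op(redirect_url, op_host):
    """The only defence at the moment the password is typed: the page must be
    served over https from the OP's real host. Exact host match, so a host
    that merely starts with the OP's name fails."""
    p = urlparse(redirect_url)
    return p.scheme == "https" and p.hostname == op_host


def return_to_matches_realm(return_to, realm):
    """Section 9.2: return_to must lie under the realm (same scheme and port;
    host equal or, for a '*.' realm, a subdomain; path under the realm path)."""
    r, t = urlparse(realm), urlparse(return_to)
    if r.scheme != t.scheme or r.port != t.port:
        return False
    if r.hostname.startswith("*."):
        host_ok = t.hostname == r.hostname[2:] or t.hostname.endswith(r.hostname[1:])
    else:
        host_ok = t.hostname == r.hostname
    return host_ok and t.path.startswith(r.path or "/")


def op_verify_return_to(return_to, realm):
    """What an OP can do before showing its login page (section 13). Returns
    'rejected' (return_to not under the realm), 'ok' (the RP's XRDS lists this
    return_to) or 'unconfirmed' (no XRDS, so the OP can only warn the user:
    the situation behind a 'site has not confirmed its identity' message)."""
    if not return_to_matches_realm(return_to, realm):
        return "rejected"
    if return_to in RP_XRDS.get(realm, []):
        return "ok"
    return "unconfirmed"


def rp_verify_assertion(claimed_id, assertion):
    """Section 11.2: on the way back the RP must check that openid.op_endpoint
    in the positive assertion equals what discovery on the claimed identifier
    yields; otherwise any endpoint could assert identities it is not
    authoritative for."""
    expected = discover(claimed_id)
    return expected is not None and assertion.get("openid.op_endpoint") == expected


if __name__ == "__main__":
    cid, rt, realm = "https://alice.example-op.net/", "https://rp.example/openid/return", "https://rp.example/"
    for name, url in (("honest", honest_rp_redirect(cid, rt, realm)),
                      ("phishing", phishing_rp_redirect(cid, rt, realm))):
        print(name, urlparse(url).hostname, password_page_is_real_op(url, "login.example-op.net"))
    print(op_verify_return_to(rt, realm), op_verify_return_to("https://evil-rp.example/cb", "https://evil-rp.example/"))
```

Note that none of the three checks helps once the password has been typed into the look-alike page; only the first one fires before that point, and it depends on the user reading the address bar, which is the weakness the thread is arguing about.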
</body>
</html>
