[OpenID] OpenId downtime
Martin Atkins
mart at degeneration.co.uk
Sat Dec 8 15:00:11 UTC 2007
Martin Fick wrote:
> ...
>> I think the general answer is that you should host
>> your identity URL and your provider(s) at places
>> that you trust will provide high service
>> availability.
>
> It's one thing to trust an external service
> with one email account and another service
> with your weblog... With openid you have
> to trust one service with ACCESS to all of
> your other services!!!
>
> Not only must they keep access available
> enough for you, but you are in effect
> allowing THEM access to all your openid
> services! Everyone who keeps suggesting
> this as a solution seems to be completely
> ignoring this VITAL difference!
>
When I go to log in at most sites, they allow me to "recover" my
password by sending some sort of message to my email account.
Therefore my email provider effectively has access to all of my accounts
as well. "Forgot my password" is effectively a cross-site authentication
system with a deliberately awkward UI. My email provider is in the same
position as my OpenID provider.