[OpenID] OpenID Registration Scenario

John Wang jwanggroups at gmail.com
Thu Jul 12 04:12:57 UTC 2007


On 7/11/07, Peter Williams <pwilliams at rapattoni.com> wrote:
>
> Ill advise the openid community Not to set its goals so low as to equate
> openid as that which one should associate with those sites that today do
> email auth (as proof of ID control).


If an OP is using username/password, is there any reason to consider it more
secure than email auth?

> A decade ago, netscape+verisign issued over 1million consumers with ID
> credentials (ssl client certs also capable of signing netscape email). Only
> proof of control over an email account was required.
>
> This did Not engender adoption of client certs, contrary perhaps to
> intuition.


I doubt those freebie client certs had much to do with the demise of client
certs. However, I think lack of portability and security were killers.

The average user doesn't think too much about security, especially
back in the day, but they want portability. The fact you couldn't
transparently log in from your home machine, a work machine and a public
library machine with a client cert was a major usability problem.

Also, the fact that local password-protected key stores could be hacked via
a brute-force attack actually made them less secure than username/password
over SSL/TLS IMO since the private key store is exposed to trojans. There
used to be a downloadable tool to crack the Netscape private key store which
was fun to demo.

-- 
John Wang
http://www.dev411.com/blog/
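An added illustration of the offline brute-force point made above; this is not code from John's message, from Netscape, or from any real cracking tool. It models a password-protected key store in the spirit of PKCS#12 (a salt, an iteration count, the private key encrypted under a password-derived key, and a MAC that lets anyone holding the file test a guess) and runs a dictionary attack against it with nothing to slow the attacker down. For contrast it also runs the same wordlist against a stand-in for a username/password login over TLS, where the server sees every attempt and can lock the account. All names, the toy store format, the sample key and the wordlist are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# --- Toy key store (constructed; stands in for a Netscape/PKCS#12-style key database) ---

def _kek(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the key-encryption key from the password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)

def _keystream(kek: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: concatenated HMAC(kek, counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(kek, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]

def seal_keystore(private_key: bytes, password: str, iterations: int = 2000) -> Dict:
    """Encrypt the private key under the password and attach a MAC over the ciphertext.
    The MAC is what makes every password guess checkable offline."""
    salt = os.urandom(16)
    kek = _kek(password, salt, iterations)
    ciphertext = bytes(a ^ b for a, b in zip(private_key, _keystream(kek, len(private_key))))
    tag = hmac.new(kek, ciphertext, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "ciphertext": ciphertext, "mac": tag}

def open_keystore(store: Dict, password: str) -> Optional[bytes]:
    """Return the private key if the password is right, otherwise None (MAC mismatch)."""
    kek = _kek(password, store["salt"], store["iterations"])
    expected = hmac.new(kek, store["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, store["mac"]):
        return None
    ks = _keystream(kek, len(store["ciphertext"]))
    return bytes(a ^ b for a, b in zip(store["ciphertext"], ks))

def crack_keystore(store: Dict, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Offline dictionary attack: nobody rate-limits, logs or locks out these attempts.
    Returns (recovered_password_or_None, guesses_tried)."""
    for n, guess in enumerate(wordlist, 1):
        if open_keystore(store, guess) is not None:
            return guess, n
    return None, len(wordlist)

# --- Stand-in for the server side of username/password over TLS (constructed) ---

class OnlineLogin:
    """The server sees every attempt, so it can count failures and lock the account."""
    def __init__(self, password: str, max_failures: int = 5):
        self._pw_hash = hashlib.sha256(password.encode("utf-8")).digest()
        self.failures, self.max_failures, self.locked = 0, max_failures, False

    def attempt(self, guess: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(hashlib.sha256(guess.encode("utf-8")).digest(), self._pw_hash):
            return True
        self.failures += 1
        self.locked = self.failures >= self.max_failures
        return False

# Constructed sample data; the key bytes are a placeholder, not a real key.
SAMPLE_KEY = b"-----BEGIN RSA PRIVATE KEY----- (constructed placeholder) -----END RSA PRIVATE KEY-----"
WORDLIST = ["password", "letmein", "netscape", "qwerty", "summer2007", "hunter2", "verisign"]

def demo_offline() -> Tuple[Optional[str], int, bool]:
    """Weak password: the key store falls to the wordlist on the 6th guess."""
    store = seal_keystore(SAMPLE_KEY, "hunter2")
    pw, tries = crack_keystore(store, WORDLIST)
    recovered = open_keystore(store, pw) if pw else None
    return pw, tries, recovered == SAMPLE_KEY

def demo_offline_strong() -> Tuple[Optional[str], int]:
    """A passphrase not in the wordlist survives this attack (but not a bigger one)."""
    return crack_keystore(seal_keystore(SAMPLE_KEY, "correct horse battery staple"), WORDLIST)

def demo_online() -> Tuple[bool, bool]:
    """Same weak password, same wordlist, but the server locks out after 5 failures."""
    login = OnlineLogin("hunter2")
    found = any(login.attempt(g) for g in WORDLIST)
    return found, login.locked

if __name__ == "__main__":
    print("offline:", demo_offline())
    print("offline, strong passphrase:", demo_offline_strong())
    print("online:", demo_online())
```

The asymmetry is the whole argument: once a trojan copies the key database, the attacker's guess rate is bounded only by their own CPU and the KDF cost, whereas an online login can rate-limit, alert and lock. Raising the PBKDF2 iteration count slows each guess but does not change who controls the attempt counter.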