[OpenID] OpenID Uri versus Email addresses
SitG Admin
sysadmin at shadowsinthegarden.com
Thu Aug 7 17:28:40 UTC 2008
>The downside to this is the route to your OpenID URI is potentially
>controlled by someone else but I think everyone knows that aspect is
>true of all e-mails anyway.
True that if an attacker gains access to your E-mail account(s), they
potentially have passwords to your other sites as well; or you could
have not (ever) sent your OpenID password to an E-mail account.
The tricky part will be that E-mail sites would effectively be
handing users the key in a situation where users can be expected to
hand it out without thinking, and then the malicious party has access
to their E-mail; from OpenID to E-mail to everything else would be
very bad publicity for OpenID.
Creating alternate passwords for OpenID services would be the obvious
way of preventing this, but how many users would adopt it then?
>failure. This would also allow example.com to implement their own
>logic for unforeseeable transformations such as:
>
>if ($email == 'vp at example.com') { $uri = 'http://bob.example.com/'; }
Or other unexpected transformations such as
if ($email == 'rabbit at example.com') { $uri = 'http://rabbit.cyberpunkrock.com/'; }
-Shade
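An added example, not code from the thread or from any OpenID library, of the mapping the quoted snippet sketches: a default local-part-to-subdomain rule, a per-address override table, and a check that flags overrides whose target host lies outside the mail provider's domain (the rabbit.cyberpunkrock.com case above). The override table and the label rule are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed override table (hypothetical), mirroring the two rewrites in the thread.
OVERRIDES = {
    "vp@example.com": "http://bob.example.com/",
    "rabbit@example.com": "http://rabbit.cyberpunkrock.com/",
}

# A local part is only used as a hostname label if it fits one DNS label:
# letters, digits, hyphens, no leading/trailing hyphen, at most 63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def split_email(email: str) -> tuple[str, str]:
    """Normalise and split an address into (local, domain); reject malformed input."""
    email = email.strip().lower()
    if email.count("@") != 1:
        raise ValueError(f"not a single-@ address: {email!r}")
    local, domain = email.rsplit("@", 1)
    if not local or not domain:
        raise ValueError(f"empty local part or domain: {email!r}")
    return local, domain


def default_uri(email: str) -> str:
    """Default rule: the local part becomes a subdomain of the mail domain."""
    local, domain = split_email(email)
    if not _LABEL.match(local):
        raise ValueError(f"local part not usable as a hostname label: {email!r}")
    return f"http://{local}.{domain}/"


def same_domain(uri: str, domain: str) -> bool:
    """True when the URI's host is the mail domain or a subdomain of it."""
    host = urlsplit(uri).hostname or ""
    return host == domain or host.endswith("." + domain)


def resolve_openid_uri(email: str, overrides: dict = OVERRIDES) -> tuple[str, bool]:
    """Return (uri, cross_domain). cross_domain is True when an override sends
    the user to a host the mail provider does not control, which deserves a
    second look before the mapping is trusted."""
    local, domain = split_email(email)
    uri = overrides.get(f"{local}@{domain}") or default_uri(email)
    return uri, not same_domain(uri, domain)
```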