[OpenID] Facebook Connect in 8 minutes, feat Luke Shephard

Peter Watkins peterw at tux.org
Fri Dec 12 17:05:03 UTC 2008


On Fri, Dec 12, 2008 at 04:09:14PM +0000, Nate Klingenstein wrote:

> This is a very, very strong claim to be making.  I wouldn't make it
> about any protocol at all, and particularly not one that has a lot of
> improvements to be made to its security design and trust infrastructure.

Let's not get bogged down in your point that OpenID may not be totally
secure for all meanings of the word secure -- my main point is that Facebook
Connect violates best practices in obvious ways that OpenID and other
technologies like SAML do not.

OpenID should not race to the gutter and undermine its security architecture
just to make deployment easier.

And the Foundation and we mere OpenID users should make the case that
embedding unvetted JavaScript is bad practice -- that Facebook Connect
is a poor alternative to OpenID not simply because it's proprietary and
does not scale, but because its current design is fundamentally flawed.

-Peter

> On 12 Dec 2008, at 15:54, Peter Watkins wrote:
> 
> > Allowing my site visitors to use OpenID poses *zero* risk from a security
> > standpoint and a privacy standpoint.
> 