[OpenID] OpenID enabled Mailman

SitG Admin sysadmin at shadowsinthegarden.com
Sun Jun 7 22:34:15 UTC 2009


> I am working on implementing an OpenID server for the mailman setup I am running.

As someone who has wrestled with getting an OpenID provider operative 
for all users to log into a Relying Party at the same server, let me 
advise you:

Don't.

At least, not how you're looking to do it. I appreciate the desire to 
integrate support incrementally, but if you're crunching CPU cycles 
and taking up (minimal) network bandwidth for what could be a simple 
login procedure, it's a waste of resources (and *may* expose you to 
DNS exploits, though of course anyone who can control your inner 
networks to that extent probably has full access anyway).

I suggest looking into OpenID as a Relying Party, and requiring 
foreign providers as an *extra* factor of authentication; use them to 
expand your abilities so users can try biometrics/smartcards, but 
still ask for their local password before you'll let them in. That 
way, even if someone completely breaks OpenID (or compromises the 
foreign OP), they still won't be able to get in. This reduces the SSO 
functionality of OpenID somewhat, but is another way you could phase 
in OpenID support - if someone learned the local password but 
couldn't break biometric/smartcard protection, *they* wouldn't be 
able to get in either.

-Shade
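The login policy Shade describes, as an added example that is not part of the original post and not Mailman's own code: OpenID is consumed as a Relying Party, but a successful OpenID assertion is only an extra factor, and the local password is still required. The account schema (`Account`), the `OpenIDResult` shape (assumed to be what an RP library hands back after it has already checked the OP's signature and nonce), and all user data are constructed for the example. It also adds one check the post does not spell out: the verified claimed identifier must match the one enrolled for that account, so a compromised or attacker-run OP cannot assert its way into someone else's account.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical account record: a salted PBKDF2 password hash plus the
# OpenID identifier the user enrolled with. Not Mailman's real schema.
@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    openid_identifier: str


@dataclass
class OpenIDResult:
    """Assumed outcome of a Relying-Party verification: the RP library has
    already validated the OP's signature/nonce and tells us whether the
    assertion succeeded and which identifier it was for."""
    success: bool
    claimed_id: str


@dataclass
class LoginDecision:
    allowed: bool
    audit: str   # reason for the server log only; never shown to the client


PBKDF2_ROUNDS = 100_000
DUMMY_SALT = b"\x00" * 16


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_account(username: str, password: str, openid_identifier: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), openid_identifier)


def login(store: Dict[str, Account], username: str, password: str,
          openid: Optional[OpenIDResult]) -> LoginDecision:
    """Grant access only if BOTH the local password and the OpenID factor pass.

    A broken/compromised OP still needs the local password; a leaked local
    password still needs a valid assertion from the enrolled identifier."""
    account = store.get(username)
    if account is None:
        # Spend the same hashing effort so an unknown user is not
        # distinguishable from a wrong password by response time.
        hash_password(password, DUMMY_SALT)
        return LoginDecision(False, "unknown user")

    pw_ok = hmac.compare_digest(hash_password(password, account.salt), account.pw_hash)

    # Second factor: the assertion must have succeeded AND be for the exact
    # identifier bound to this account (binding check added by this example).
    oid_ok = (openid is not None and openid.success
              and openid.claimed_id == account.openid_identifier)

    # Evaluate both factors before deciding so neither short-circuits the other.
    if pw_ok and oid_ok:
        return LoginDecision(True, "password + openid ok")
    if not pw_ok and not oid_ok:
        return LoginDecision(False, "both factors failed")
    if not pw_ok:
        return LoginDecision(False, "openid ok, local password wrong")
    return LoginDecision(False, "password ok, openid factor failed or identifier mismatch")


# Constructed sample data for a stand-alone run.
STORE = {"alice": make_account("alice", "correct horse battery", "https://op.example/alice")}

if __name__ == "__main__":
    good = OpenIDResult(True, "https://op.example/alice")
    print(login(STORE, "alice", "correct horse battery", good))
    print(login(STORE, "alice", "wrong", good))
    print(login(STORE, "alice", "correct horse battery", OpenIDResult(True, "https://evil.example/mallory")))
```

The audit string is meant for server-side logs; the client should only ever see a generic denial, so that it cannot learn which factor failed.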


