[security] Who bears the risk..
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Wed Nov 1 23:35:22 UTC 2006
David,
Yes, I know...and completely useless! Waste of time...
However I'm sure, once there will be (a few) reputation systems based on
OpenID, the very ones wanting it to be really free will have the most to
lose, since the only way to get there is via lock-in of the
provider/operator....OpenID is useless in its current form. Once it
will be useful it will be ONLY via the provided systems, which means $$$.
(I don't mean additional services on top of a free system, but in
order to use a useful system the freedom is lost...The future will tell!)
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
Recordon, David wrote:
> Eddy, see slide 6, people have been able to do something like this
> forever. This entire deck may be useful for you to look at to better
> understand OpenID.
> http://openid.net/pres/2005_InternetIdentityWorkshop_Berkeley.pdf
>
> --David
>
> ________________________________
>
> From: security-bounces at openid.net [mailto:security-bounces at openid.net]
> On Behalf Of Eddy Nigg (StartCom Ltd.)
> Sent: Friday, October 27, 2006 5:21 AM
> Cc: security at openid.net
> Subject: Re: [security] Who bears the risk..
>
>
> Hi All,
>
> I'm glad to announce that I have installed a new OpenID Server for
> anybody to use. This is a super-trooper and absolutely cool OpenID
> server, since it doesn't require you to sign up, register or
> anything...Total privacy! You can choose any user name and change the
> name every time if you wish; all you have to do is to provide at
> LiveJournal or another blog/forum a URI like
> http://123.no-password.com...everything works, no questions asked! You
> can even choose a user name somebody else used previously. This is
> especially interesting, since viagra.no-password.com will become
> reusable...
>
> I simply downloaded one of the libraries from the OpenID web site and
> removed any authentication checking (patch available), so that when you
> have to authenticate with no-password.com the web site simply posts you
> back to LiveJournal with is_valid="true". Also I removed the association
> for shared secrets with the RP, since there is nothing here to protect
> and it is completely optional
> <http://openid.net/specs/openid-authentication-2_0-10.html#anchor3>
> according to the specs. This makes no-password.com the fastest OpenID
> server, since we don't use SSL and have no need to create the
> assoc_handle. I'm sure we gained about 10 milliseconds on this! BTW, did
> I tell you that no-password.com is completely private and anonymous?
> Any log files created by the server are directed to /dev/null so that
> any traces of your visit at no-password.com are destroyed immediately!
> This is much better than the PiP offered by Verisign, since they
> probably keep log files and make back ups of their databases ;-) and
> because according to the specs the IdP establishes whether the End User
> is authorized to perform OpenID Authentication and wishes to do so and
> the manner in which the End User authenticates to their IdP is beyond
> the scope of the OpenID Authentication 2.0 Specifications, all users are
> authorized at no-password.com without questions asked. Cool, isn't it?
>
> I'm sure you now understand how useful the OpenID framework is and have
> decided to add OpenID login to your forum immediately. There are no
> requirements on your part, but you should....well, really you should
> <http://openid.net/specs/openid-authentication-2_0-10.html#initiation>
> make a small form at your forum, so the user can enter the
> no-password.com URI. It's also recommended that you place the OpenID
> logo <http://openid.net/login-bg.gif> at the beginning of the form
> field. Well, perhaps you just remove any authentication at your
> forum...it's useless anyway...Count on no-password.com to always
> authenticate the users of your forum positively!
>
> However, I'm not sure if I'll keep no-password.com, since I just bought
> it and can return the domain within 10 days without getting charged.
> Anyway, perhaps I'll get another one (no-questions-asked.com is free) in
> ten days....I'll keep you updated on this!
>
>
>
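Added illustration, not code from the post or from any OpenID library: the relying party's side of the exchange Eddy describes, in stateless mode, where the RP holds no shared secret and asks the OP directly via check_authentication, and the simulated OP answers is_valid:true for anything. Parameter names are the spec's; the hostnames (no-password.example, forum.example), nonce and signature value are made up. It shows that such an assertion passes every protocol check the RP can make, so the only control left is the RP's own list of which OPs it trusts.

```python
def parse_kv(body):
    """Parse an OP direct response in Key-Value form ("key:value" per line)."""
    out = {}
    for line in body.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key] = value
    return out

def verify_assertion(params, expected_return_to, trusted_ops, seen_nonces, check_auth):
    """RP acceptance decision; returns (accepted, reason).
    check_auth(params) stands in for the direct POST to the OP with
    openid.mode=check_authentication and returns the OP's Key-Value body.
    An OP that answers is_valid:true for everything passes every protocol
    check below; only the RP's trust policy (trusted_ops) keeps it out."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    op = params.get("openid.op_endpoint", "")
    if op not in trusted_ops:
        return False, "untrusted OP " + op
    if params.get("openid.return_to") != expected_return_to:
        return False, "return_to mismatch"
    nonce = params.get("openid.response_nonce", "")
    if not nonce or nonce in seen_nonces:
        return False, "missing or replayed nonce"
    required = {"op_endpoint", "return_to", "response_nonce", "claimed_id", "identity"}
    if not required <= set(params.get("openid.signed", "").split(",")):
        return False, "required fields not covered by signature"
    if parse_kv(check_auth(params)).get("is_valid") != "true":
        return False, "OP did not confirm the signature"
    seen_nonces.add(nonce)
    return True, params["openid.claimed_id"]

def no_password_op(params):
    """Simulates the OP from the post: it confirms any signature whatsoever."""
    return "ns:http://specs.openid.net/auth/2.0\nis_valid:true\n"

SAMPLE = {  # constructed assertion, as the forum (RP) would receive it
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "http://no-password.example/server",
    "openid.claimed_id": "http://alice.no-password.example/",
    "openid.identity": "http://alice.no-password.example/",
    "openid.return_to": "https://forum.example/openid/return",
    "openid.response_nonce": "2006-10-27T05:21:00Zq7x",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce",
    "openid.sig": "bm90IGEgcmVhbCBzaWduYXR1cmU=",  # made-up value
}
```

Calling verify_assertion with a trusted_ops set that excludes the no-password OP rejects the assertion; adding that OP to the set accepts it, which is the whole point of "who bears the risk".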