[security] Username / password etc. is out of scope for OpenID
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Thu Oct 26 01:20:26 UTC 2006
Terrific reply, Drummond!

This brings me back to the basics again...! I have the feeling
sometimes that the "OpenID Authentication", as you call it, develops
without seeing the "OpenID Framework", or in other words:
Let's define a protocol and see afterwards which problem it's going to
solve....
Instead of:
THIS is the problem and THIS is the solution and THIS is how it's done...

Why do I see it like this? As we all remember, this list and previous
threads on general@ started because of security issues and concerns
(especially on the implementation level). Now these issues were not
addressed correctly, not by the draft nor by the involved participants.
Why? Because they first defined a geeky protocol and perhaps never
thought the other way around... So perhaps we don't need to try to define
better security, but start with the basics of What, Why, Who, Where,
When and How.... After we know the problems we can provide the solutions
and the way this is going to be done. In that context, all security
concerns will be addressed much better, because we see the problem we
are going to solve....
Drummond Reed wrote:
>
> Eddy,
>
> There's OpenID, and then there's OpenID Authentication. I think you're
> talking about the larger OpenID framework, while David's talking about
> OpenID Authentication as just one service in the OpenID framework. In
> that context his description is accurate: OpenID Authentication simply
> proves you (the operator of an HTTP(S) session) control a URI/XRI. I
> liken this very much to the widely-used closed-loop authentication of
> an email address
> (http://en.wikipedia.org/wiki/Closed-loop_Authentication), except it
> is applied in real-time to a URL or XRI. (And, if the outcome of all
> these conversations is productive, a good deal more secure.)
>
> However, OpenID the framework can go well beyond just this one service,
> and thus the larger topic of OpenID security extends beyond just this
> one service (though it certainly includes it, as many other services
> in the framework will rely on OpenID AuthN).
>
> =Drummond
>
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390