[security] Who bears the risk..

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Fri Oct 27 12:21:11 UTC 2006


Hi All,

I'm glad to announce that I have installed a new OpenID Server for
anybody to use. This is a super-trooper and absolutely cool OpenID
server, since it doesn't require you to sign up, register or
anything...Total privacy! You can choose any user name and change the
name every time if you wish, all you have to do, is to provide at
LiveJournal or other blog/forum, a URI like
http://123.no-password.com...everything works, no questions asked! You
can even choose a user name somebody else used previously. This is
especially interesting, since viagra.no-password.com will become reusable...

I simply downloaded one of the libraries from the OpenID web site and
removed any authentication checking (patch available), so that when you
have to authenticate with no-password.com the web site simply posts you
back to LiveJournal with is_valid="true". Also I removed the association
for shared secrets with the RP, since there is nothing here to protect
and completely optional
<http://openid.net/specs/openid-authentication-2_0-10.html#anchor3>
according to the specs. This makes no-password.com the fastest OpenID
server, since we don't use SSL and have no need to create the
assoc_handle. I'm sure we gained about 10 milliseconds on this! BTW, did
I tell you, that no-password.com is completely private and anonymous?
Any log files created by the server are directed to /dev/null so that
any traces of your visit at no-password.com are destroyed immediately!
This is much better than the PiP offered by Verisign, since they
probably keep log files and make backups of their databases ;-) and
because according to the specs /the IdP establishes whether the End User
is authorized to perform OpenID Authentication and wishes to do so and
the manner in which the End User authenticates to their IdP is beyond
the scope of the OpenID Authentication 2.0 Specifications/, all users
are authorized at no-password.com without questions asked. Cool, isn't it?

I'm sure you now understand how useful the OpenID framework is and you
decided to add OpenID login to your forum immediately. There are no
requirements on your part, but you should....well, really you should
<http://openid.net/specs/openid-authentication-2_0-10.html#initiation>
make a small form at your forum, so the user can enter the
no-password.com URI. It's also recommended that you place the OpenID
logo <http://openid.net/login-bg.gif> at the beginning of the form
field. Well, perhaps you just remove any authentication at your
forum...it's useless anyway...Count on no-password.com to always
authenticate the users of your forum positively!

However, I'm not sure, if I'll keep no-password.com, since I just bought
it and can return the domain within 10 days without getting charged.
Anyway, perhaps I'll get another one (no-questions-asked.com is free) in
ten days....I'll keep you updated on this!

-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390
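The post's point is that the RP, not the OP, bears the risk: any server can answer "yes" to everyone, and an RP that accepts unsigned assertions from whatever OP a user names has no authentication at all. The following worked example is added here and is not code from the post, from no-password.com, or from any OpenID library. It shows the RP-side checks that defeat that setup: an allowlist of OP endpoints the forum actually trusts, a requirement that the assertion carry an assoc_handle the RP negotiated, and verification of the HMAC-SHA1 signature over the fields in openid.signed (OpenID 2.0 key-value form, one "key:value" line per signed field, base64 of the MAC). The endpoint URLs, assoc_handle, shared secret, nonce and the no-password.com server path are all constructed for the example.

```python
import base64
import hashlib
import hmac

# Assumed values (constructed for this example, not from the post or any OP):
# the shared secret the RP obtained from a trusted OP in associate mode, keyed
# by the assoc_handle that OP issued.
TRUSTED_OP_SECRET = b"constructed-association-secret-for-example-only"
ASSOCIATIONS = {"constructed-handle-1": TRUSTED_OP_SECRET}

# RP-side trust policy: the OP endpoints this forum is willing to believe.
# Anyone can stand up an OP that answers "yes" to everyone, so the RP decides
# whose assertions count (hypothetical endpoint URL).
TRUSTED_OP_ENDPOINTS = {"https://trusted-op.example/server"}

# Fields a positive assertion must cover with its signature before the RP
# trusts claimed_id/identity, return_to or the replay nonce.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}


def kv_form(params, signed_fields):
    """Key-value form the signature is computed over: 'key:value\\n' per signed field."""
    return "".join(f"{k}:{params['openid.' + k]}\n" for k in signed_fields)


def compute_sig(params, secret):
    """Base64(HMAC-SHA1(secret, kv_form)) as an HMAC-SHA1 association produces it."""
    signed = params["openid.signed"].split(",")
    mac = hmac.new(secret, kv_form(params, signed).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_signature(params, secret):
    """True only if openid.sig matches the HMAC over the fields listed in openid.signed."""
    try:
        expected = compute_sig(params, secret)
    except KeyError:
        return False  # a listed field is absent: nothing to verify
    return hmac.compare_digest(expected, params.get("openid.sig", ""))


def decide(params, associations):
    """Return (accepted, reason) for an OpenID positive assertion received at return_to."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    op = params.get("openid.op_endpoint", "")
    if op not in TRUSTED_OP_ENDPOINTS:
        return False, f"OP not trusted by this RP: {op}"
    secret = associations.get(params.get("openid.assoc_handle"))
    if secret is None:
        return False, "unknown or missing assoc_handle; refuse unsigned assertions"
    signed = set(params.get("openid.signed", "").split(","))
    if not REQUIRED_SIGNED <= signed:
        return False, "required fields not covered by the signature"
    if not verify_signature(params, secret):
        return False, "bad signature"
    return True, "accepted"


def make_samples():
    """Three constructed assertions: a good one, the no-password.com style, and a spoof."""
    base = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.return_to": "https://forum.example/openid/return",
        "openid.response_nonce": "2006-10-27T12:21:11ZexampleNonce",
        "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity",
    }
    good = {**base,
            "openid.op_endpoint": "https://trusted-op.example/server",
            "openid.assoc_handle": "constructed-handle-1",
            "openid.claimed_id": "https://alice.trusted-op.example/",
            "openid.identity": "https://alice.trusted-op.example/"}
    good["openid.sig"] = compute_sig(good, TRUSTED_OP_SECRET)

    # What the post describes: no association, no signature, just "is_valid=true"
    # from an OP nobody vetted (the endpoint path is an assumption).
    no_password = {**base,
                   "openid.op_endpoint": "http://no-password.com/server",
                   "openid.claimed_id": "http://viagra.no-password.com/",
                   "openid.identity": "http://viagra.no-password.com/",
                   "is_valid": "true"}

    # Names the trusted OP but was signed with a secret the RP never agreed to.
    spoofed = dict(good)
    spoofed["openid.sig"] = compute_sig(spoofed, b"secret-the-rp-never-shared")
    return good, no_password, spoofed


if __name__ == "__main__":
    for label, sample in zip(("good", "no-password.com", "spoofed"), make_samples()):
        print(f"{label:16s} -> {decide(sample, ASSOCIATIONS)}")
```

Run as a script it prints one decision per sample: the signed assertion from the allowlisted OP is accepted, the no-password.com assertion is refused before any signature is even looked at because the OP is not on the list, and the assertion that names the trusted OP but carries a foreign signature fails the HMAC check. A real RP would also enforce the return_to match and a single-use response_nonce, and OpenID 2.0 permits HMAC-SHA256 associations and the stateless check_authentication round trip in place of the HMAC-SHA1 association modelled here.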