[security] Who bears the risk..

Alaric Dailey alaricdailey at hotmail.com
Fri Oct 27 17:01:51 UTC 2006


I seem to remember saying that this would happen if authentication was
outside the scope of the spec.
From: security-bounces at openid.net [mailto:security-bounces at openid.net] On
Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Friday, October 27, 2006 7:21 AM
Cc: security at openid.net
Subject: Re: [security] Who bears the risk..


Hi All,

I'm glad to announce that I have installed a new OpenID Server for anybody
to use. This is a super-trooper and absolutely cool OpenID server, since it
doesn't require you to sign up, register or anything...Total privacy! You
can choose any user name and change the name every time if you wish; all you
have to do is to provide at LiveJournal or other blog/forum a URI like
http://123.no-password.com...everything works, no questions asked! You can
even choose a user name somebody else used previously. This is especially
interesting, since viagra.no-password.com will become reusable...

I simply downloaded one of the libraries from the OpenID web site and
removed any authentication checking (patch available), so that when you have
to authenticate with no-password.com the web site simply posts you back to
LiveJournal with is_valid="true". Also I removed the association for shared
secrets with the RP, since there is nothing here to protect and it is completely
optional <http://openid.net/specs/openid-authentication-2_0-10.html#anchor3>
according to the specs. This makes no-password.com the fastest OpenID
server, since we don't use SSL and have no need to create the assoc_handle.
I'm sure we gained about 10 milliseconds on this! BTW, did I tell you that
no-password.com is completely private and anonymous? Any log files created
by the server are directed to /dev/null so that any traces of your visit at
no-password.com are destroyed immediately! This is much better than the PiP
offered by Verisign, since they probably keep log files and make backups
of their databases ;-). And because, according to the specs, the IdP
establishes whether the End User is authorized to perform OpenID
Authentication and wishes to do so, and the manner in which the End User
authenticates to their IdP is beyond the scope of the OpenID Authentication
2.0 Specifications, all users are authorized at no-password.com without
questions asked. Cool, isn't it?

I'm sure you now understand how useful the OpenID framework is and you have
decided to add OpenID login to your forum immediately. There are no
requirements on your part, but you should....well, really you should
<http://openid.net/specs/openid-authentication-2_0-10.html#initiation> make
a small form at your forum, so the user can enter the no-password.com URI.
It's also recommended that you place the OpenID logo
<http://openid.net/login-bg.gif> at the beginning of the form field. Well,
perhaps you just remove any authentication at your forum...it's useless
anyway...Count on no-password.com to always authenticate the users of your
forum positively!

However, I'm not sure if I'll keep no-password.com, since I just bought it
and can return the domain within 10 days without getting charged. Anyway,
perhaps I'll get another one (no-questions-asked.com is free) in ten
days....I'll keep you updated on this!


-- 

Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390
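The thread's point is that the spec leaves the strength of end-user authentication to the IdP, so a Relying Party that accepts a positive assertion from any OP inherits the weakest OP on the internet. The only RP-side defence is a trust policy on the OP endpoint, applied before signature or check_authentication handling. The following is an added example (not code from the list, the spec, or any OpenID library) of such a policy gate over an OpenID 2.0 id_res response; the trust list and the response strings are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed policy: the OP endpoints this RP is willing to accept
# assertions from. A real deployment maintains its own list.
TRUSTED_OPS = {"https://op.example.com/server"}

def normalize_endpoint(url):
    """Canonicalise an OP endpoint URL so string comparison is meaningful:
    lowercase scheme and host, drop default port and fragment, default path '/'."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    return f"{scheme}://{netloc}{parts.path or '/'}"

def check_op_policy(query_string, trusted_ops=TRUSTED_OPS):
    """Return (accepted, reason) for an OpenID 2.0 positive assertion.
    Acceptance here only means the OP is one we trust; the RP must still
    verify the signature (or run check_authentication) and discovery."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    endpoint = params.get("openid.op_endpoint")
    if not endpoint:
        # OpenID 1.x responses carry no op_endpoint, so the RP cannot tell
        # which OP answered; refuse rather than guess.
        return False, "no openid.op_endpoint in response"
    endpoint = normalize_endpoint(endpoint)
    if not endpoint.startswith("https://"):
        return False, f"OP endpoint {endpoint} is not HTTPS"
    if endpoint not in {normalize_endpoint(u) for u in trusted_ops}:
        return False, f"OP endpoint {endpoint} is not on the trust list"
    return True, "OP trusted; signature and discovery checks still required"

# Constructed sample responses, as they would arrive on the RP's return_to URL.
FROM_UNTRUSTED_OP = ("openid.mode=id_res&openid.claimed_id=http%3A%2F%2F123.no-password.com"
                     "&openid.op_endpoint=http%3A%2F%2F123.no-password.com%2Fserver"
                     "&openid.assoc_handle=x&openid.sig=YQ%3D%3D")
FROM_TRUSTED_OP = ("openid.mode=id_res&openid.claimed_id=https%3A%2F%2Fop.example.com%2Fuser"
                   "&openid.op_endpoint=HTTPS%3A%2F%2FOP.EXAMPLE.COM%3A443%2Fserver"
                   "&openid.assoc_handle=x&openid.sig=YQ%3D%3D")

if __name__ == "__main__":
    for resp in (FROM_UNTRUSTED_OP, FROM_TRUSTED_OP):
        print(check_op_policy(resp))
```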