[security] Who bears the risk..

Daniel E. Renfer Duck at Kronkltd.net
Sat Oct 28 09:04:58 UTC 2006


While you're doing this, you might as well go ahead and integrate
Email into the mix. I'd love to have an email address where I don't
have to remember my password. That way I can log into my secure bank
with my insecure identifier and create a really strong password to
protect myself. I really doubt that anyone will think to hit the
"forgot your password" button on the bank's site to get a password
reminder sent so I should be totally safe.

stupidity > all the security measures in the world

On 10/27/06, Eddy Nigg (StartCom Ltd.) <eddy_nigg at startcom.org> wrote:
>
>  Hi All,
>
>  I'm glad to announce, that I have installed a new OpenID Server for anybody
> to use. This is a super-trooper and absolutely cool OpenID server, since it
> doesn't require you to sign up, register or anything...Total privacy! You
> can choose any user name and change the name every time if you wish, all you
> have to do, is to provide at LiveJournal or other blog/forum, a URI like
> http://123.no-password.com...everything works, no questions
> asked! You can even choose a user name somebody else used previously. This
> is especially interesting, since viagra.no-password.com will become
> reusable...
>
>  I simply downloaded one of the libraries from the OpenID web site and
> removed any authentication checking (patch available), so that when you have
> to authenticate with no-password.com the web site simply posts you back to
> LiveJournal with is_valid="true". Also I removed the association for shared
> secrets with the RP, since there is nothing here to protect and it is completely
> optional according to the specs. This makes no-password.com the fastest
> OpenID server, since we don't use SSL and have no need to create the
> assoc_handle. I'm sure we gained about 10 milliseconds on this! BTW, did I
> tell you, that no-password.com is completely private and anonymous? Any log
> files created by the server are directed to /dev/null so that any traces of
> your visit at no-password.com are destroyed immediately! This is much better
> than the PiP offered from Verisign, since they probably keep log files and
> make backups of their databases ;-) and because according to the specs the
> IdP establishes whether the End User is authorized to perform OpenID
> Authentication and wishes to do so and the manner in which the End User
> authenticates to their IdP is beyond the scope of the OpenID Authentication
> 2.0 Specifications, all users are authorized at no-password.com without
> questions asked. Cool, isn't it?
>
>  I'm sure you now understand how useful the OpenID framework is and you
> decided to add OpenID login to your forum immediately. There are no
> requirements on your part, but you should....well, really you should make a
> small form at your forum, so the user can enter the no-password.com URI.
> It's also recommended that you place the OpenID logo at the beginning of the
> form field. Well, perhaps you just remove any authentication at your
> forum...it's useless anyway...Count on no-password.com to always
> authenticate the users of your forum positively!
>
>  However, I'm not sure, if I'll keep no-password.com, since I just bought it
> and can return the domain within 10 days without getting charged. Anyway,
> perhaps I'll get another one (no-questions-asked.com is free) in ten
> days....I'll keep you updated on this!
>
>
> --
>
> Regards
>
> Signer:      Eddy Nigg, StartCom Ltd.
> Phone:       +1.213.341.0390
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security
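Added example, not part of this thread or of any OpenID library: a relying-party check in Python that refuses exactly the kind of assertion the quoted message describes (an OP that anyone can run, no association, no meaningful signature, any user name). The OP endpoint allowlist, the association store, the assoc_handle, the return_to URL and the sample identities are constructed; signing follows the OpenID 2.0 Key-Value Form with the HMAC-SHA256 association type, and the nonce set gives simple replay protection.

```python
import base64
import hashlib
import hmac

# Constructed allowlist of OP endpoints this relying party is willing to trust.
# An RP that accepts any OP is trusting whoever stands up a server that always
# answers is_valid="true".
TRUSTED_OP_ENDPOINTS = {"https://op.example.net/server"}

# Constructed association store: assoc_handle -> MAC key. A real RP fills this
# during the association step; assertions that cannot be tied to an existing
# association are refused here rather than checked statelessly.
ASSOCIATIONS = {"assoc-constructed-001": bytes(range(32))}

# Fields OpenID 2.0 requires to be covered by the signature of a positive assertion.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}

_seen_nonces = set()  # replay protection for response_nonce


def kv_form(fields, signed):
    """Key-Value Form of the signed fields, in the order listed in openid.signed."""
    return "".join(f"{name}:{fields[name]}\n" for name in signed).encode("utf-8")


def sign(mac_key, fields, signed):
    """HMAC-SHA256 over the Key-Value Form, base64-encoded (HMAC-SHA256 association type)."""
    mac = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def make_assertion(op_endpoint, identity, assoc_handle, mac_key=None,
                   nonce="2006-10-28T09:04:58ZAbC"):
    """Build a positive assertion (openid.* prefix stripped). Constructed test data;
    with mac_key=None it mimics an OP that has no shared secret and signs nothing real."""
    signed = ["op_endpoint", "return_to", "response_nonce",
              "assoc_handle", "claimed_id", "identity"]
    fields = {
        "mode": "id_res",
        "op_endpoint": op_endpoint,
        "return_to": "https://forum.example.org/openid/return",  # constructed
        "response_nonce": nonce,
        "assoc_handle": assoc_handle,
        "claimed_id": identity,
        "identity": identity,
        "signed": ",".join(signed),
    }
    # Without a MAC key there is nothing to sign with; use a filler string.
    fields["sig"] = sign(mac_key, fields, signed) if mac_key else "bm8tcGFzc3dvcmQ="
    return fields


def verify_assertion(params):
    """Return (accepted, reason). Every check must pass before the login is trusted."""
    if params.get("mode") != "id_res":
        return False, "not a positive assertion"
    op = params.get("op_endpoint", "")
    if op not in TRUSTED_OP_ENDPOINTS:
        return False, f"OP endpoint not in allowlist: {op}"
    mac_key = ASSOCIATIONS.get(params.get("assoc_handle", ""))
    if mac_key is None:
        return False, "no association for assoc_handle"
    signed = [s for s in params.get("signed", "").split(",") if s]
    missing = REQUIRED_SIGNED - set(signed)
    if missing:
        return False, f"required fields not signed: {sorted(missing)}"
    if any(name not in params for name in signed):
        return False, "signed list names a field that is absent"
    expected = sign(mac_key, params, signed)
    if not hmac.compare_digest(expected, params.get("sig", "")):
        return False, "signature mismatch"
    nonce = params["response_nonce"]
    if nonce in _seen_nonces:
        return False, "response_nonce already used (replay)"
    _seen_nonces.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    key = ASSOCIATIONS["assoc-constructed-001"]
    good = make_assertion("https://op.example.net/server",
                          "https://alice.example.net/", "assoc-constructed-001", key)
    print(verify_assertion(good))
    rogue = make_assertion("http://no-password.com/server",
                           "https://alice.example.net/", "anything")
    print(verify_assertion(rogue))
```

The order of checks matters: the allowlist and association lookups are cheap and run first, the signature is verified before the nonce is consumed so an unsigned request cannot burn a nonce, and the allowlist is what actually closes the hole the quoted post pokes fun at; signature checking alone would still accept a correctly signed assertion from an OP that authenticates nobody.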