[security] passing password on identification request?

SitG Admin sysadmin at shadowsinthegarden.com
Wed Oct 14 05:47:24 UTC 2009


>Users giving their passwords to RPs is what OpenID is trying to prevent.
>That is why passwords are not supported in the redirect.

Hmm . . . minor clarification here, though: users giving out 
*their passwords for the OP* (or otherwise transmitting them "in the 
clear") is not compatible with OpenID.

If the RP wants to ask for another password (one local to that 
system), e.g. for rarely invoked high levels of access, it *might* be 
compatible with OpenID (depends on the exact use, but isn't 
automatically NOT compatible).

The description Anthony gave sounds vaguely like Kerberos (from the 
MIT dialogue), but my mind is stuffed full of other things right now 
and I get a bit of a headache just getting some meaning out of 
roughly half of it (the rest seems beyond me tonight).

-Shade
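As an added illustration of the distinction drawn in this thread (not code from the list or from any OpenID library): the RP builds the OpenID 2.0 checkid_setup redirect with only the protocol fields and refuses to forward anything that looks like a credential, while a separate, RP-local step-up password is verified against a salted hash and never leaves the RP. All function names and hostnames below are assumptions made for the example.

```python
# Added example, not from the mailing list. An OpenID 2.0 relying party (RP)
# sends the user to the OpenID provider (OP) with identity/return_to data only;
# any password-like field is rejected instead of being put in the redirect.
# A rarely used high-privilege action is guarded by a password local to the RP.
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"
# Parameter names (after any "openid." prefix) that must never ride the redirect.
CREDENTIAL_KEYS = {"password", "passwd", "pass", "pwd", "secret", "pin"}


def _looks_like_credential(key):
    return key.lower().split(".")[-1] in CREDENTIAL_KEYS


def build_op_redirect(op_endpoint, claimed_id, return_to, realm, extra=None):
    """Return the checkid_setup redirect URL for the OP (hypothetical helper).
    Raises ValueError rather than forwarding a credential-like parameter."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    for key, value in (extra or {}).items():
        if _looks_like_credential(key):
            raise ValueError(f"refusing to place credential field {key!r} in OP redirect")
        params[key] = value
    sep = "&" if "?" in op_endpoint else "?"
    return op_endpoint + sep + urlencode(params)


def redirect_carries_credential(url):
    """Defensive check for outgoing redirects (or proxy logs): any password field?"""
    return any(_looks_like_credential(k) for k in parse_qs(urlparse(url).query))


def make_local_secret(password, iterations=200_000):
    """Store the RP-local step-up password as salted PBKDF2-SHA256 only."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_local_secret(record, candidate):
    """Constant-time comparison of a presented step-up password."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])
```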

