OpenID Auth 2.0 security considerations
Scott Kveton
scott at janrain.com
Tue Jan 23 23:31:26 UTC 2007
> I get really worried whenever I see such statements. They tend to be the sign
> of a long drawn out specification effort rather than a short one.
Actually I think Johannes' statement is dead-on; we don't need to make a
significant change here.
> If you want to change the Internet you have a lot of gatekeepers to convince.
> Deciding that you don't have time to do that is usually a mistake.
>
> The key is to understand which parties are really gatekeepers and which are
> not. Two gatekeepers that must be convinced here are the security cabal and
> the open source community.
The security cabal has said that we must have some consideration for
phishing in the specification. That consideration would be hosted at the
link that would be added. Doing anything more _at this time_ would go
against the nature of OpenID. Simple, easy-to-use and decentralized.
As for the open source community, it's obvious from the continued
implementations popping up for MediaWiki, Joomla, Moodle, Drupal, WordPress
and others with the existing specification that they have been convinced.
Let's not get into death-by-committee here ... You can't please everyone all
the time and I'm sure the spec authors are aware of that.
- Scott
>> -----Original Message-----
>> From: specs-bounces at openid.net
>> [mailto:specs-bounces at openid.net] On Behalf Of Johannes Ernst
>> Sent: Tuesday, January 23, 2007 3:57 PM
>> To: Recordon, David
>> Cc: specs at openid.net
>> Subject: Re: OpenID Auth 2.0 security considerations
>>
>> Given where we are in time, I would suggest to make the
>> smallest amount of changes possible to the document, i.e.
>> leave everything as is, just add this one link.
>>
>>
>> On Jan 23, 2007, at 11:59, Recordon, David wrote:
>>
>>> I don't see a problem with that.
>>>
>>> Would you propose the majority of the security considerations section
>>> in the current draft be moved to the wiki? What would be the balance
>>> between spec and wiki page?
>>>
>>> --David
>>>
>>> -----Original Message-----
>>> From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On
>>> Behalf Of Johannes Ernst
>>> Sent: Monday, January 22, 2007 12:15 PM
>>> To: specs at openid.net
>>> Subject: OpenID Auth 2.0 security considerations
>>>
>>> What about a non-normative link from the spec to a place on the wiki
>>> where we can collect security considerations for it, and update those
>>> in real-time as discussions such as the phishing one progress.
>>>
>>>
>>>
>>> _______________________________________________
>>> specs mailing list
>>> specs at openid.net
>>> http://openid.net/mailman/listinfo/specs