ongoing - OpenID at Work: Tim Bray writes about Sun’s recently announced internal OpenID service. Sun is now offering an OpenID provider, but only for Sun employees. This means that third parties could theoretically allow people from Sun to log in via their OpenID relying party service and know that the individuals were in fact Sun employees. This could be used for training, discounts, etc. The primary problem is that currently there are far more OpenID providers (sites that offer credentials) than OpenID Relying Parties (sites that take credentials). It is an interesting example because it lets external sites verify affiliation easily; an employer email address would do the same thing, but with fewer potential privacy protections.
Digital Domain - Goodbye, Passwords. You Aren’t a Good Defense.: Randal Stross writes about the current state of password management for the New York Times. The executive summary is that it is not good. He talks about a few authentication mechanisms that are vying for popularity online. He mentions Microsoft’s Identity Cards which he seems to like and OpenID which he does not.
http://www.links.org/files/openid-advisory.txt: Another example of the continued fallout from the unfortunate modification made by a Debian developer to OpenSSL. In this case, Ben Laurie from Google’s Security team and Richard Clayton from the Computer Laboratory at Cambridge University found that some OpenID Providers used TLS (SSL) certificates with weak keys due to the OpenSSL changes. An attack becomes more viable when combined with recent DNS cache poisoning techniques. OpenID is not uniquely vulnerable here; it is just an interesting example of a combination of security flaws that has far-reaching effects.