Link roundup for new OpenID uses and problems
ongoing - OpenID at Work: Tim Bray writes about Sun’s recently announced internal OpenID service. Sun is now offering an OpenID provider, but only for Sun employees. This means that third parties could theoretically allow people from Sun to log in via their OpenID relying party service and know that the individuals were in fact Sun employees. This could be used for training, discounts, etc. The primary problem is that there are currently far more OpenID providers (sites that offer credentials) than OpenID relying parties (sites that accept credentials). It is an interesting example because it lets external sites verify affiliation easily, although an employer email address would do the same thing, but with fewer potential privacy protections.
Digital Domain - Goodbye, Passwords. You Aren’t a Good Defense.: Randall Stross writes about the current state of password management for the New York Times. The executive summary is that it is not good. He talks about a few authentication mechanisms that are vying for popularity online. He mentions Microsoft’s Identity Cards, which he seems to like, and OpenID, which he does not.
http://www.links.org/files/openid-advisory.txt: Another example of the continued fallout from the unfortunate modification made by a Debian developer to OpenSSL. In this case, Ben Laurie from Google’s Security team and Richard Clayton from the Computer Laboratory at Cambridge University found that some OpenID Providers used TLS (SSL) certificates with weak keys due to the OpenSSL changes. An attack becomes more viable when combined with recent DNS cache poisoning techniques. OpenID is not uniquely vulnerable here; it is just an interesting example of how combinations of security flaws can have far-reaching effects.