[BW-dev-discussion] OpenID

Philipp Lange philipp.lange ...
Fri Oct 12 15:36:48 UTC 2007


As I explained in the last dev-announce mailing I want to ask
everybody if he sees the privacy or security of members who don't use
OpenID affected by the ones who use OpenID.
If there are no objections until next Friday we can start implementing
OpenID as a parallel login method.

2007/9/15, Callum Macdonald <bw-lists at callum-macdonald.com>:
> The discussion is here:
> http://www.bevolunteer.org/forum/index.php?topic=959.0
>
> Cheers - Callum.
>
> Philipp Lange wrote:
> > may I remind you that only a small portion of BW volunteers can follow
> > the discussion on this list while about all should have a say on this
> > topic. So if you want to bring it to a conclusion as soon as possible
> > I strongly suggest to continue the discussion in the forum (as I wrote
> > some posts ago) and explicitly invite the critical people to join.
> >
> > Philipp
> >
> > 2007/9/15, Peter Lind <petere.lind at gmail.com>:
> >
> >> //offtopic
> >> I certainly hope that there's more to the uniqueness than "Every
> >> Estonian eID holder (around 80% of Estonian population) has an
> >> unique OpenID with the format open.id.ee/[firstname].[lastname]" ...
> >> there's absolutely no way I'll believe that no two Estonians share
> >> names.
> >>
> >> //ontopic
> >> @Sune: we don't store passwords encrypted or not, only a hash of it.
> >> The security threat of the "same details spread over many sites" has
> >> to do with a) other sites storing encrypted or plaintext versions of
> >> passwords, and b) phishing, keylogging, eavesdropping, etc.
> >>
> >> However, I believe that Morgan is overstating the security of OpenID.
> >> Morgan wrote:
> >>
> >>> Because people stop recycling passwords for different websites (which
> >>> is a big problem).  If someone uses openID to log into BW, it doesn't
> >>> mean we can use their login to try and log in somewhere else.
> >>>
> >>> I *guarantee* that if you looked at the usernames/passwords for BW, HC
> >>> and CS that there will be some overlap.
> >>>
> >>> That could potentially be exploited by any one of the three to log
> >>> into the others.  You can't do that with openid.
> >>>
> >> While it's obviously true that you can't use the openid of someone to
> >> log in somewhere if you don't have the login details for the openid
> >> provider, this simply does not amount to ANY of the three
> >> organizations not being able to obtain login details for the openid
> >> provider. If HC or CS really wanted to, they could set up an openid
> >> login and a phishing site and start collecting details. They might not
> >> get details from everybody, but they will probably get it from a large
> >> group.
> >> And as far as I'm concerned, holding the login details for an openid
> >> is just as bad as holding the login details used on x number of sites
> >> by a person - with either you'll be able to access the same.
> >>
> >> Regards
> >> Peter - Fake51
> >>
> >> 2007/9/15, Kasper Souren <kasper.souren at gmail.com>:
> >>
> >>> Check this out: https://open.id.ee/about/english
> >>>
> >>> "Every Estonian eID holder (around 80% of Estonian population) has an
> >>> unique OpenID with the format open.id.ee/[firstname].[lastname]"
> >>>
> >>> I guess OpenID is breaking through.
> >>>
> >>> --
> >>> The text written by Kasper Souren in this e-mail is in the public
> >>> domain, see http://creativecommons.org/licenses/publicdomain/
> >>> _______________________________________________
> >>> bw-dev-discussion mailing list
> >>> bw-dev-discussion at bewelcome.org
> >>> http://bewelcome.org/mailman/listinfo/bw-dev-discussion
> >>>
> >>>
> >> --
> >> <hype>
> >> WWW: plind.dk
> >> BeWelcome: Fake51
> >> HospitalityClub: Fake51
> >> Couchsurfing: Fake51
> >> Flickering at: www.flickr.com/photos/fake51
> >> Generally: Fake51 or kaFe15
> >> </hype>

