
Re^3: PerlMonks OpenID provider?

by b10m (Vicar)
on Sep 23, 2008 at 15:22 UTC (#713231)

in reply to Re^2: PerlMonks OpenID provider?
in thread PerlMonks OpenID provider?

"Flippantly calling people "haters" because they see legitimate flaws in something you like is as offensive and juvenile as calling people "fanbois" because they see legitimate benefits in something you dislike."

Oh relax. I was merely referring to the first comments that used the "hate" stigma. In fact, I'm tremendously interested in the arguments against OpenID and you raise valid concerns. And for the record, I'm not a "fanboi", I'm stuck in the middle, slightly in favour, cause at this point, I don't see many obstacles.

"The difference between OpenID and independent authentication is that if PM was compromised as an independent site, just PM is affected. If it was compromised as an OpenID provider, then everyone who accepts its authentication information is affected until the situation is noticed."

Here you have a valid concern. The single point of failure isn't nice, I fully agree. Yet I don't hear these concerns too often with, e.g., SSH's authorized_keys. Other single points of failure are of course one password for all sites (happens too often), one mail account used for signing up (so compromising the mailbox could potentially help one access many other sites), stored passwords in browsers, etc.

A positive thing would be that OpenID could take away the threshold of people signing up to sites, like Perlmonks (if it'd start accepting it, rather than offering provider services). Granted, if Perlmonks would only offer the provider service, this argument makes close to no sense.

I haven't looked at the OpenID specs in close detail, but do seem to remember you can also delegate the provider service. (ah, it indeed is possible). Maybe that would be an option for Perlmonks then (?). A small adjustment to the home node would seem enough. This would take away the increased risk of attacks on this site; the bandwidth increase would be minimal and it'd still offer the OP a way to authenticate using his/her Perlmonks homenode.

OpenID is a growing thing (whether we like it or not). Look at Yahoo!, Google (and more Google through Blogger), AOL and others. Discussing it here isn't necessarily a bad thing, IMHO.
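As an added illustration of the delegation mentioned above (not code from the thread or from PerlMonks), this is how a relying party performs HTML-based discovery on a home node that carries OpenID 1.1 and 2.0 delegation link tags. The home node HTML and the provider URLs are constructed placeholders.

```python
# Added example: HTML-based OpenID discovery of a delegating home node.
# Illustrative code, not PerlMonks' or any OpenID library's own implementation.
from html.parser import HTMLParser

# Constructed sample: a home node that delegates to an external provider.
# All URLs are placeholders.
SAMPLE_HOMENODE = """<html><head>
<title>monk home node</title>
<link rel="openid.server" href="https://provider.example/openid/endpoint">
<link rel="openid.delegate" href="https://provider.example/user/monk">
<link rel="openid2.provider" href="https://provider.example/openid/endpoint">
<link rel="openid2.local_id" href="https://provider.example/user/monk">
</head><body>home node text</body></html>"""

class _LinkCollector(HTMLParser):
    """Collect rel -> href for every <link> tag in the document head."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for token in rel.split():          # rel may carry several tokens
                self.links.setdefault(token.lower(), href)

def discover(claimed_id, html):
    """Resolve where the relying party must send the user to authenticate.

    Returns (protocol_version, provider_endpoint, local_id), or None when the
    home node declares no provider at all. Note for the risk discussion: the
    party that can edit this HTML controls where authentication goes, so the
    home node is still a trust anchor even though it runs no provider code.
    """
    p = _LinkCollector()
    p.feed(html)
    # OpenID 2.0 tags take precedence over the 1.1 tags when both are present.
    for version, server_rel, local_rel in (
        ("2.0", "openid2.provider", "openid2.local_id"),
        ("1.1", "openid.server", "openid.delegate"),
    ):
        if server_rel in p.links:
            # Without a delegate/local_id tag the claimed URL itself is used.
            return version, p.links[server_rel], p.links.get(local_rel, claimed_id)
    return None
```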


Re^4: PerlMonks OpenID provider?
by mr_mischief (Monsignor) on Sep 23, 2008 at 16:24 UTC
    "Oh relax."

    Please don't pretend to know my mental or emotional state from a matter-of-fact comment I made.

    If you haven't heard of the weaknesses of ssh shared keys, then you probably haven't read much about Unix system security. It's a quite liberally discussed topic. If one machine on a network is compromised, then it's a network-wide problem. This is especially the case when using host keys rather than or in addition to user account keys. Guess which one OpenID is more like.

    A trend does not a good idea make. There used to be paper dresses, and DDT used to be a popular pesticide. I think the classic parenting tip here is, "If Yahoo and Google jumped off a bridge, would you jump, too?"

      Though I fully agree, I think that the only real way of providing security is not giving anyone access. Though perfectly possible, it also makes whatever you are offering quite inaccessible.

      OpenID is an easy solution that is as safe as the weakest link in the chain; as soon as that falls, all that trust that link to hold will fall as well.

      Without trusting the security of a single point, how can you create a security system? Exactly, you cannot. With OpenID the assumption was made that the providers will stay safe... right or wrong, I will not get dragged into that, but I, in all honesty, would rather trust groups like VeriSign to keep a key secure than trust the post-it notes on most office computers.

      As for the original poster's idea of having PM be a provider, I think they would have to be pretty stupid to even consider doing that, but if they wanted to, of course it could be done.

        Yes, you must trust some single point at some time. A few highly specialized and fully trusted providers might not be a horrible idea. However, the wider you cast your net for providers, the more likely it is that they will not all be trustworthy or that one will itself be insecure.

        One of the tenets of a really paranoid security policy is that those single points you must trust should be as directly under your control as is feasible. A key and pass phrase wallet at the client end fulfills that requirement nicely.
