|
in reply to Re^4: PerlMonks OpenID provider?
in thread PerlMonks OpenID provider?
Though I fully agree, I think that the only real way of providing security is not giving anyone access. Though perfectly possible it also makes what ever you are offering quite inaccesable.
OpenID is a easy solution that is as safe as the weakest link in the chain, as soon as that falls all that trust that link to hold will fall as well.
Without trusing the security of a single point how can you create a security system? Exactly you cannot, with OpenID the assumption was made that the providers will stay safe... right or wrong I will not get dragged into that, but I in all honnesty rather trust groups like VeriSign to keep a key secure then trusting the post-it notes on most office computers.
As for the original posters idea of having PM be a provider, I think they would have to be pretty stupid to even consider doing that, but if they wanted to of course it could be done. |
Re^6: PerlMonks OpenID provider?
by mr_mischief (Monsignor) on Oct 06, 2008 at 18:22 UTC
|
Yes, you must some single point at some time. A few highly specialized and fully trusted providers might not be a horrible idea. However, the wider you cast your net for providers the more likely it is that they will not all be trustworthy or that that one will itself be insecure.
One of the tenets of a really paranoid security policy is that those single points you must trust should be as directly under your control as is feasible. A key and pass phrase wallet at the client end fulfills that requirement nicely. | [reply] |
|
