Re^4: PerlMonks OpenID provider?

"Oh relax."

Please don't pretend to know my mental or emotional state from a matter-of-fact comment I made.

If you haven't heard of the weaknesses of ssh shared keys, then you probably haven't read much about Unix system security. It's a quite liberally discussed topic. If one machine on a network is compromised, then it's a network-wide problem. This is especially the case when using host keys rather than or in addition to user account keys. Guess which one OpenID is more like.

A trend does not a good idea make. There used to be paper dresses, and DDT used to be a popular pesticide. I think the classic parenting tip here is, "If Yahoo and Google jumped off a bridge, would you jump, too?"

Comment on Re^4: PerlMonks OpenID provider?

Replies are listed 'Best First'.
Re^5: PerlMonks OpenID provider? by RatKing (Acolyte) on Oct 06, 2008 at 15:19 UTC
Though I fully agree, I think that the only real way of providing security is not giving anyone access. Though perfectly possible it also makes what ever you are offering quite inaccesable. OpenID is a easy solution that is as safe as the weakest link in the chain, as soon as that falls all that trust that link to hold will fall as well. Without trusing the security of a single point how can you create a security system? Exactly you cannot, with OpenID the assumption was made that the providers will stay safe... right or wrong I will not get dragged into that, but I in all honnesty rather trust groups like VeriSign to keep a key secure then trusting the post-it notes on most office computers. As for the original posters idea of having PM be a provider, I think they would have to be pretty stupid to even consider doing that, but if they wanted to of course it could be done.	[reply]
Re^6: PerlMonks OpenID provider? by mr_mischief (Monsignor) on Oct 06, 2008 at 18:22 UTC
Yes, you must some single point at some time. A few highly specialized and fully trusted providers might not be a horrible idea. However, the wider you cast your net for providers the more likely it is that they will not all be trustworthy or that that one will itself be insecure. One of the tenets of a really paranoid security policy is that those single points you must trust should be as directly under your control as is feasible. A key and pass phrase wallet at the client end fulfills that requirement nicely.	[reply]