[thelist] [OT] OpenID

Ken Schaefer Ken at adOpenStatic.com
Tue Mar 24 21:19:32 CDT 2009


________________________________________
From: thelist-bounces at lists.evolt.org [thelist-bounces at lists.evolt.org] On Behalf Of Jack Timmons [jorachim at gmail.com]
Subject: Re: [thelist] [OT] OpenID

>> I've only seen it used on stackoverflow.com, which is even a headache
>> for a user if you don't habitually authenticate with one of their
>> OpenID providers whenever you surf.
>
>Personally, I wouldn't even bother with it. I think it's a case of "good
>idea, bad implementation". Why can't I just have a page I can CURL from the
>server to authenticate from? Instead of redirecting them (adding no less
>than two extra steps to a login process that takes only one if I don't use
>it), I could just use the feedback from there.

Most federation-type authentication applications don't work that way (allowing you to proxy credentials). Why? Probably because of the possibility of MITM (man-in-the-middle) compromise of accounts.

Most seem to use a concept of mutually trusted authentication servers. Unrelated authentication systems (like Kerberos and PKI) also work the same way.

> Give me something that acts more like Gravatar, in which I, as a user, only
> have to provide my email address. I'm always surprised to see my avatar pop
> up on sites that use it. It's a good thing.

Unfortunately, as a general concept, that conflates the concepts of Identity and Authenticator, and that's generally a very bad idea.
http://technet.microsoft.com/en-us/library/cc512578.aspx

You'd still need to have the ability to authenticate to Gravatar, and then also to the actual website where you're submitting your email address. So, still two identities to maintain.

Cheers
Ken
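As an added illustration of the point made above (this is not code from the original post, and it is not OpenID's actual wire format), the following toy Python flow shows the shape of a redirect-style federated login: the relying party (RP) hands the browser off to the identity provider (IdP) with a one-time nonce, the user authenticates to the IdP directly, and the IdP returns an assertion signed with a secret the two servers agreed on out of band. The RP never sees the password, which is exactly what a "curl the login page from my server" design would require. The names (idp.example, rp.example, the user alice and her password) and the HMAC-over-JSON assertion format are assumptions made for the example.

```python
"""Toy federated login flow (illustration only; not OpenID's wire format).

The relying party (RP) never receives the user's password. The identity
provider (IdP) authenticates the user and returns a signed assertion bound
to a one-time nonce and to the RP that requested it.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


class IdentityProvider:
    def __init__(self, name: str):
        self.name = name
        # Constructed sample user store (hypothetical): login -> sha256(password).
        self._users = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
        self._associations = {}  # rp_id -> shared secret

    def associate(self, rp_id: str) -> bytes:
        """Establish a shared secret with an RP ahead of time: the 'mutual trust'."""
        key = secrets.token_bytes(32)
        self._associations[rp_id] = key
        return key

    def login(self, rp_id: str, nonce: str, login: str, password: str) -> Optional[dict]:
        """The user authenticates to the IdP directly; the RP only sees the result."""
        digest = hashlib.sha256(password.encode()).hexdigest()
        stored = self._users.get(login)
        if stored is None or not hmac.compare_digest(stored, digest):
            return None
        claims = {"iss": self.name, "sub": login, "aud": rp_id,
                  "nonce": nonce, "exp": int(time.time()) + 300}
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self._associations[rp_id], payload, hashlib.sha256).hexdigest()
        return {"payload": payload.decode(), "sig": sig}


class RelyingParty:
    def __init__(self, rp_id: str, idp: IdentityProvider):
        self.rp_id = rp_id
        self.idp_name = idp.name
        self._key = idp.associate(rp_id)
        self._pending = set()  # nonces issued but not yet redeemed

    def start_login(self) -> str:
        """Step 1: mint a nonce and 'redirect' the browser to the IdP with it."""
        nonce = secrets.token_urlsafe(16)
        self._pending.add(nonce)
        return nonce

    def finish_login(self, assertion: dict, now: Optional[int] = None) -> Optional[str]:
        """Step 2: verify the assertion the browser brings back; return the user or None."""
        now = int(time.time()) if now is None else now
        payload = assertion["payload"].encode()
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return None  # forged, tampered, or signed for a different RP
        claims = json.loads(payload)
        if claims["iss"] != self.idp_name or claims["aud"] != self.rp_id:
            return None  # issued by someone else or for someone else
        if claims["exp"] < now:
            return None  # stale
        if claims["nonce"] not in self._pending:
            return None  # unknown or already-used nonce: a replay
        self._pending.discard(claims["nonce"])
        return claims["sub"]


def demo_flow(password: str = "correct horse"):
    """Run one login and one replay; returns (user, replay_result) or None on bad password."""
    idp = IdentityProvider("idp.example")
    rp = RelyingParty("rp.example", idp)
    nonce = rp.start_login()
    assertion = idp.login(rp.rp_id, nonce, "alice", password)
    if assertion is None:
        return None
    user = rp.finish_login(assertion)
    replay = rp.finish_login(assertion)  # second use of the same nonce must fail
    return user, replay


if __name__ == "__main__":
    print(demo_flow())
```

The extra redirect the earlier message complains about is the price of this design: the only party that ever handles the password is the IdP, and what the RP receives is a signed, single-use, audience-bound statement that it can check against a key it already trusts.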

