Full Disclosure mailing list archives

Re: OpenID. The future of authentication on the web?

From: Paul Schmehl <pauls () utdallas edu>
Date: Sun, 23 Mar 2008 19:01:00 -0500

--On March 23, 2008 7:20:55 PM -0400 Larry Seltzer 
<Larry () larryseltzer com> wrote:

It's worth pointing out that some OpenID providers are better than
others. An OpenID provider could implement 2-factor authentication, and
some have
(http://www.infrastructure.ziffdavisenterprise.com/c/a/Blogs/OpenID-In-H
ardware/), or other features which could strengthen it.


Yes, but you're still placing your trust, for all the most important 
information about yourself, in the hands of a third party.  That third 
parties reputation relies on being able to deny a breach of their systems, 
so their primary motivation would not be to help you solve your problem 
but to deny that it was caused by them.  Insisting, for example, that you 
used the system incorrectly is a favored tactic of providers who offer 
similar decoupled authentication schemes.

Given the choice between placing that trust in *one* provider, potentially 
exposing everything about myself, I think a system that relies on *me* to 
release my information voluntarily when I choose makes more sense from a 
security perspective.  IOW, it is the owner of the data that should retain 
absolute control over that data.  (And no, credit card companies don't own 
my data.  Nor do merchants.  I do.  They have a responsibility to handle 
my data with the utmost care, and if they fail in their duty to protect, I 
have the ability to refuse to any longer do business with them.

I understand the attractiveness of not having to remember lots of IDs and 
passwords, but when you give up control of your data, you give up control 
of your future.

Paul Schmehl (pauls () utdallas edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

OpenID. The future of authentication on the web? Steven Rakick (Mar 23)
- Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 23)
  - Re: OpenID. The future of authentication on the web? fabio (Mar 23)
- Message not available
  - Re: OpenID. The future of authentication on the web? Kern (Mar 23)
- Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 23)
  - Re: OpenID. The future of authentication on the web? reepex (Mar 23)
    - Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 24)
  - Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 23)
    - Re: OpenID. The future of authentication on the web? Larry Seltzer (Mar 23)
    - Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 23)
    - Re: OpenID. The future of authentication on the web? Larry Seltzer (Mar 23)
    - Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 23)
    - Re: OpenID. The future of authentication on the web? Larry Seltzer (Mar 23)
    - Re: OpenID. The future of authentication on the web? Pedro Hugo (Mar 24)
    - Re: OpenID. The future of authentication on the web? Paul Schmehl (Mar 24)
    - Re: OpenID. The future of authentication on the web? Kurt Buff (Mar 23)
    - Re: OpenID. The future of authentication on the web? John C. A. Bambenek, GCIH, CISSP (Mar 24)
    - Re: OpenID. The future of authentication on the web? Larry Seltzer (Mar 24)
    - Re: OpenID. The future of authentication on the web? John C. A. Bambenek, GCIH, CISSP (Mar 24)
    - Re: OpenID. The future of authentication on the web? Petko D. Petkov (Mar 24)

(Thread continues...)