WebApp Sec mailing list archives
Re: OpenID and the web
From: "Jeff Robertson" <jeff.robertson () gmail com>
Date: Thu, 27 Mar 2008 10:49:42 -0400
On Thu, Mar 27, 2008 at 7:47 AM, Razi Shaban <razishaban () gmail com> wrote:
On 3/27/08, Babu.N <babun () intoto com> wrote: > > Yes, it is difficult to configure it for supporting sites. > > But it does save us from registering at multiple webistes & > remembering the passwords of each of them. It also makes it that much simpler for a malicious user to gain access to every account you have after getting the password for only one.
But it also makes it easier to use stronger authentication. Nobody would want to put up with, say, tokens or client certificates for *every* website they use. For your online banking, maybe, but not for your email and your blog and 20 random forum websites. But if you only have to sign in once, your tolerance for security measures should go up. My main question, without having looked into it yet, is what kind of protocols this uses. There is already SAML, for instance. Has OpenID invented yet another way to do SSO, or are they using an existing method? ------------------------------------------------------------------------- Sponsored by: Watchfire Methodologies & Tools for Web Application Security Assessment With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today! https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F -------------------------------------------------------------------------
Current thread:
- OpenID and the web Steven Rakick (Mar 25)
- Re: OpenID and the web David Wall (Mar 25)
- Message not available
- Re: OpenID and the web David Wall (Mar 25)
- Message not available
- Re: OpenID and the web David Wall (Mar 25)
- Re: OpenID and the web Adrian Migraso (Mar 25)
- Re: OpenID and the web Eric Marden (Mar 26)
- Re: OpenID and the web Babu.N (Mar 26)
- Re: OpenID and the web Razi Shaban (Mar 27)
- Re: OpenID and the web Jeff Robertson (Mar 27)
- RE: OpenID and the web Calderon, Juan Carlos (GE, Corporate, consultant) (Mar 27)
- Re: OpenID and the web Lucas Oman (Mar 27)
- Re: OpenID and the web Razi Shaban (Mar 27)
- Re: OpenID and the web Babu.N (Mar 26)
- Re: OpenID and the web David Wall (Mar 27)
- Re: OpenID and the web Jeremiah Cornelius (Mar 27)
- RE: OpenID and the web Chris Grove (Mar 28)
- <Possible follow-ups>
- Re: OpenID and the web Pete Jansson (Mar 27)
- Re: OpenID and the web baldr (Mar 27)