WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: OpenID and the web

From: "Jeff Robertson" <jeff.robertson () gmail com>
Date: Thu, 27 Mar 2008 10:49:42 -0400
On Thu, Mar 27, 2008 at 7:47 AM, Razi Shaban <razishaban () gmail com> wrote:

On 3/27/08, Babu.N <babun () intoto com> wrote:
 >
 >  Yes, it is difficult to configure it for supporting sites.
 >
 >  But it does save us from registering at multiple webistes &
 >  remembering the passwords of each of them.

 It also makes it that much simpler for a malicious user to gain access
 to every account you have after getting the password for only one.



But it also makes it easier to use stronger authentication. Nobody
would want to put up with, say, tokens or client certificates for
*every* website they use. For your online banking, maybe, but not for
your email and your blog and 20 random forum websites. But if you only
have to sign in once, your tolerance for security measures should go
up.

My main question, without having looked into it yet, is what kind of
protocols this uses. There is already SAML, for instance. Has OpenID
invented yet another way to do SSO, or are they using an existing
method?

-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: