RE: OpenID and the web

["Chris Grove" <cgrove () imperva com>]

I'm my opinion, SSO works best for companies that have many disconnected
internal applications and want to make password management easier for
its internal users.  SSO is generally installed on the webservers and
app servers, and checks to see who the logged in user is, than applies
the appropriate credentials for the requested resource.

Storing passwords locally for use with separate websites gives the user
the 'feeling' of SSO, but in my opinion is not truly SSO. I would
consider that more of a password replay application...

Regards,
Chris Grove, CISSP, NSA-IAM
Professional Services Consultant

+1 (813) 508-8591 Mobile
cgrove () imperva com
http://iMPERVA.com


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of David Wall
Sent: Thursday, March 27, 2008 11:31 AM
To: Babu.N
Cc: Eric Marden; webappsec () securityfocus com
Subject: Re: OpenID and the web


> Yes, it is difficult to configure it for supporting sites.
>
> But it does save us from registering at multiple webistes & 
> remembering the passwords of each of them.

Single sign-on only is truly useful if nearly all sites adopt it, 
unfortunately.  After all, I have a Password Safe file that contains 225

entries now (many are business-related, but many are for the various 
personal sites I'm registered at).  If 25 sites adopt a common SSO, I'd 
still have 200 entries, meaning I'd still need/use Password Safe (or 
other password manager, which is really extremely useful and easy to use

and allows me to effectively remember all passwords by only remembering 
one good pass phrase that never is shared with anybody). 

If they all adopted, then I wouldn't need it, which would be awesome, 
but seems unlikely to happen, and of course there are passwords I have 
to "remember" that are not for web sites.

Also, isn't entering the pseudo-random numbers subject to MITM with 
replay attack?  I've not researched it much, but in general you need to 
ID yourself and give the value, at which time the info used could be 
replayed. 

Also, those in control the ID databases have to be trusted that their 
employees/contractors/outsourcers won't somehow steal or otherwise lose 
control of the data, something we see all the time with sensitive 
financial and medical records.  If you break my password at one site 
today (such as a data loss or other phishing scam, etc.), you don't get 
access to all my accounts like you would through SSO.

Don't get me wrong, I like SSO in general, but I think "universal SSO" 
is extremely unlikely.  There are control issues, liability issues, risk

management issues and just plain old competitor cooperation issues.

David

------------------------------------------------------------------------
-
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in
the development of any web application. What methodology should be
followed? What tools can accelerate the assessment process? Download
this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
------------------------------------------------------------------------
-

-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------