Open Source and information security mailing list archives
 
Date: Sun, 23 Mar 2008 19:01:00 -0500
From: Paul Schmehl <pauls@...allas.edu>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: OpenID. The future of authentication on the web?

--On March 23, 2008 7:20:55 PM -0400 Larry Seltzer 
<Larry@...ryseltzer.com> wrote:

> It's worth pointing out that some OpenID providers are better than
> others. An OpenID provider could implement 2-factor authentication, and
> some have
> (http://www.infrastructure.ziffdavisenterprise.com/c/a/Blogs/OpenID-In-Hardware/),
> or other features which could strengthen it.
>

Yes, but you're still placing your trust, for all the most important 
information about yourself, in the hands of a third party.  That third 
party's reputation relies on being able to deny a breach of their systems, 
so their primary motivation would not be to help you solve your problem 
but to deny that it was caused by them.  Insisting, for example, that you 
used the system incorrectly is a favored tactic of providers who offer 
similar decoupled authentication schemes.

Given the choice between placing that trust in *one* provider, potentially 
exposing everything about myself, I think a system that relies on *me* to 
release my information voluntarily when I choose makes more sense from a 
security perspective.  IOW, it is the owner of the data that should retain 
absolute control over that data.  (And no, credit card companies don't own 
my data.  Nor do merchants.  I do.  They have a responsibility to handle 
my data with the utmost care, and if they fail in their duty to protect, I 
have the ability to refuse to do business with them any longer.)

I understand the attractiveness of not having to remember lots of IDs and 
passwords, but when you give up control of your data, you give up control 
of your future.

Paul Schmehl (pauls@...allas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
