Old 02-23-2009, 10:11 AM
Ben Finney
 
Refactoring the Debtags web interface

Enrico Zini <enrico@enricozini.org> writes:

> On Mon, Feb 23, 2009 at 11:00:06AM +1100, Ben Finney wrote:
>
> > What of those that use an OpenID provider not on the whitelist? […]
> > What of non-DDs who do not necessarily have an account on any of those
> > services […]?
>
> Fair enough, any OpenID server will probably do, as long as being
> authenticated doesn't automatically authorize any privileges.
>
> If Debian were an OpenID provider, then using the Debian OpenID
> could automatically give some authorization, like assuming that one
> is a DD. That could have been handy, but indeed not particularly
> needed.

To be clear:

I am very much in favour of an OpenID presented for each Debian
account, just as every DD gets a debian.org email address. They would,
as you say, be very handy for use as a Debian-specific identity if the
person wants to use it.

But I'm equally against *requiring* that anyone must use a specific
provider's OpenID for general use on Debian machines, just as we don't
require a debian.org email address be used for general Debian project
use.

--
“We are all agreed that your theory is crazy. The question that |
` divides us is whether it is crazy enough to have a chance of |
_o__) being correct.” —Niels Bohr (to Wolfgang Pauli), 1958 |
Ben Finney


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 02-23-2009, 11:23 AM
Ben Finney
 
Refactoring the Debtags web interface

Peter Palfrader <weasel@debian.org> writes:

> On Mon, 23 Feb 2009, Enrico Zini wrote:
>
> > If Debian were an OpenID provider, then using the Debian OpenID
> > could automatically give some authorization, like assuming that
> > one is a DD. That could have been handy, but indeed not
> > particularly needed.
>
> As openid provides no security whatsoever

Just like an email address, an OpenID is good for identity; security
needs to be dealt with in a separate layer, just as with email. I
don't know who promised OpenID “provides security”, or expects it.

> there's probably not a big chance of us (as in DSA) hopping onto the
> openid hype any time soon.

Given that we willingly use email for identity, despite the fact that
email provides no security, I don't see how this is anything but a
non-sequitur.

--
“I fly Air Bizarre. You buy a combination one-way round-trip |
` ticket. Leave any Monday, and they bring you back the previous |
_o__) Friday. That way you still have the weekend.” —Steven Wright |
Ben Finney


 
Old 02-23-2009, 11:40 AM
Peter Palfrader
 
Refactoring the Debtags web interface

On Mon, 23 Feb 2009, Ben Finney wrote:

> > As openid provides no security whatsoever
>
> Just like an email address, an OpenID is good for identity; security
> needs to be dealt with in a separate layer, just as with email. I
> don't know who promised OpenID “provides security”, or expects it.

What's the point of an identity if you can't rely on it to be really
that identity? Authentication that is trivially bypassed or forged is
not really useful. You might just as well accept any random username
without the whole protocol stack.
--
| .'`. ** Debian GNU/Linux **
Peter Palfrader | : :' : The universal
http://www.palfrader.org/ | `. `' Operating System
| `- http://www.debian.org/


 
Old 02-23-2009, 11:55 AM
Ben Finney
 
Refactoring the Debtags web interface

Peter Palfrader <weasel@debian.org> writes:

> What's the point of an identity if you can't rely on it to be really
> that identity? Authentication that is trivially bypassed or forged is
> not really useful.

This thread [0] isn't the place to debate how useful OpenID is for
those who choose to use it.

I invite anyone interested in knowing how the distinct areas of
identity, trust, and security intersect with the OpenID system, to
research the available documentation.


[0] Not least because we're talking about adding OpenID authentication
to an entirely optional service that is currently used quite happily
by people without *any* assurance of identity, let alone security.

--
“If you ever drop your keys into a river of molten lava, let |
` 'em go, because, man, they're gone.” —Jack Handey |
_o__) |
Ben Finney


 
Old 02-23-2009, 10:58 PM
Brian May
 
Refactoring the Debtags web interface

Peter Palfrader wrote:

> As openid provides no security whatsoever there's probably not a big
> chance of us (as in DSA) hopping onto the openid hype any time soon.

openid could be secure - e.g. by enforcing https everywhere, always
checking the remote certificate properly, never using passwords for
authentication, etc.


Unfortunately, none of these apply to the implementations I have seen
(although my openid provider does at least allow for x509 certificate
authentication instead of password passed authentication).


There was a good article at
<http://idcorner.org/2007/08/22/the-problems-with-openid/>,
unfortunately the domain appears to be off-line now, and the archive at
<http://web.archive.org/web/20080208023407/http://idcorner.org/2007/08/22/the-problems-with-openid/>
is difficult to read due to bad formatting.


--
Brian May <brian@microcomaustralia.com.au>


 
Old 02-23-2009, 11:17 PM
Brian May
 
Refactoring the Debtags web interface

Ben Finney wrote:

> I invite anyone interested in knowing how the distinct areas of
> identity, trust, and security intersect with the OpenID system, to
> research the available documentation.

...except openid has serious issues with establishing identity in a
secure manner. Especially if the server connects to your identity
provider using http (seems to be common practise as far as I can tell).
Using http makes MITM attack easy. Just redirect requests to an identity
provider that always confirms the user's identity. Even if https is
used, does the server validate the CA certificate? I have seen openid
server software that doesn't do any checking of the SSL certificate (yes
there is a bug report on the issue).


Even then it is possible that a malicious website will redirect you to a
website that looks identical to your identity provider's website, asks
for you password, and then steals it.


Sure, an alert user will notice this; Unfortunately many users would not
notice.


If you can't establish identity in a secure manner, you can't establish
trust, authorisation, or security in a secure manner either.


The key issue seems to be that openid wasn't designed from the ground up
to be secure; for a secure solution you need something like Shibboleth
<http://en.wikipedia.org/wiki/Shibboleth_(Internet2)>
<http://shibboleth.internet2.edu/> (which I have been told *is* more
secure) or maybe even a solution that
requires web browser client support (e.g. Kerberos or something like
Kerberos).


--
Brian May <brian@microcomaustralia.com.au>


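The two weaknesses Brian raises in his posts above, a relying party that talks to the identity provider over plain http and one that uses https but never validates the certificate, are both things the relying-party operator can test for. The following is an added example written for this archive, not code from debtags or from any OpenID library; the function names and the sample endpoint URLs are constructed for illustration. It rejects provider endpoints that an on-path attacker could redirect, and audits the TLS client configuration for the checks Brian lists (chain validation, hostname check), using only the Python standard library.

```python
"""Relying-party side checks for the OpenID weaknesses discussed in the thread.

Added example; not from the debtags project or any OpenID library. All names
and the sample endpoints below are assumptions made for illustration.
"""
import ssl
from urllib.parse import urlparse

# Constructed sample of endpoints a relying party might obtain from discovery.
SAMPLE_ENDPOINTS = {
    "plain-http": "http://openid.example.net/server",
    "https-ok": "https://openid.example.net/server",
    "https-userinfo": "https://user:pw@openid.example.net/server",
    "no-host": "https:///server",
}


def check_provider_endpoint(url):
    """Return (ok, reason) for a discovered provider endpoint.

    A plain-http endpoint can be redirected by an on-path attacker to a
    provider that confirms any identity, which is the MITM case in the
    thread, so anything that is not https is refused outright.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "endpoint is not https: %r" % parsed.scheme
    if not parsed.hostname:
        return False, "endpoint has no host"
    if parsed.username or parsed.password:
        return False, "endpoint carries credentials in the URL"
    return True, "ok"


def verified_tls_context():
    """TLS context that validates the chain against the system CA store and
    checks the peer's hostname: 'checking the remote certificate properly'."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_tls_context():
    """The weak configuration described in the thread: TLS on the wire but no
    check that the peer is the provider it claims to be. Kept only as the
    'before' form to compare against; never deploy it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx):
    """Return a list of findings; an empty list means the context actually
    authenticates the peer. Suitable as a unit test for an RP's HTTP client."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        findings.append("check_hostname is disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    return findings


def audit_endpoints(endpoints=SAMPLE_ENDPOINTS):
    """Apply the endpoint policy to each sample; True means the RP may use it."""
    return {name: check_provider_endpoint(url)[0] for name, url in endpoints.items()}


if __name__ == "__main__":
    for name, ok in audit_endpoints().items():
        print("%-15s %s" % (name, "accept" if ok else "reject"))
    print("verified context findings:  ", audit_tls_context(verified_tls_context()))
    print("unverified context findings:", audit_tls_context(unverified_tls_context()))
```

Only the "https-ok" sample passes the endpoint policy, and the audit reports nothing for the verified context but three findings for the unverified one. Note that this covers the relying party's side only; the phishing case Brian describes, a look-alike provider login page, is not something the relying party can detect, which is why the later posts treat the choice of provider and of user database as the real decision.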
 
Old 02-24-2009, 02:19 AM
Sam Hartman
 
Refactoring the Debtags web interface

>>>>> "Brian" == Brian May <brian@microcomaustralia.com.au> writes:

Brian> Ben Finney wrote:
>> I invite anyone interested in knowing how the distinct areas of
>> identity, trust, and security intersect with the OpenID system,
>> to research the available documentation.
>>

Brian> ...except openid has serious issues with establishing
Brian> identity in a secure manner. Especially if the server
Brian> connects to your identity provider using http (seems to be
Brian> common practise as far as I can tell). Using http makes
Brian> MITM attack easy. Just redirect requests to an identity
Brian> provider that always confirms the user's identity.

I find it deeply ironic that I'm arguing against security. However,
let's remember that we're talking about debtags. It's always
important to think about your threat model and about how much
complexity you're willing to spend in order to get security.

This seems like a case where usability is far more important than
security. If the system starts getting abused, we can lock it down
more.

If someone proposed using openid to do debian.org password resets or
to maintain the keyring, I'd be screaming up and down all over the
place. I just don't see that the value of attacking the debtags
system warrants increased complexity and decreased usability in this
instance.

--Sam


 
Old 02-24-2009, 05:53 AM
Peter Palfrader
 
Refactoring the Debtags web interface

On Mon, 23 Feb 2009, Sam Hartman wrote:

> I find it deeply ironic that I'm arguing against security. However,
> let's remember that we're talking about debtags. It's always
> important to think about your threat model and about how much
> complexity you're willing to spend in order to get security.

For debtags I completely agree. But I was arguing against openid
because people were asking for ud-ldap/db.debian.org be turned into an
openid provider to be used for everything webish on debian.org,
including db.d.o.
--
| .'`. ** Debian GNU/Linux **
Peter Palfrader | : :' : The universal
http://www.palfrader.org/ | `. `' Operating System
| `- http://www.debian.org/


 
Old 02-24-2009, 09:27 AM
Enrico Zini
 
Refactoring the Debtags web interface

On Mon, Feb 23, 2009 at 10:19:21PM -0500, Sam Hartman wrote:

> I find it deeply ironic that I'm arguing against security. However,
> let's remember that we're talking about debtags. It's always
> important to think about your threat model and about how much
> complexity you're willing to spend in order to get security.
>
> This seems like a case where usability is far more important than
> security. If the system starts getting abused, we can lock it down
> more.

Unfortunately the issue of choosing openid here is not on the debtags
side: the problem lies where the user database is, that is on
db.debian.org (maybe also on alioth). I perfectly understand that the
people in charge of db.debian.org do not want to expose their password
database through an OpenID identity provider: since they cannot decide
what service providers would or would not use their services, they
cannot rule out the scenario where a DD would get his Debian password
stolen while trying to log into a random wiki, or where someone,
unbeknownst to them, implements an insecure openid service provider
allowing DDs to do something important.

I understand their choice of not providing the service over creating an
ecosystem based on a very convenient but flawed identification mechanism
that will risk drifting towards being used more and more, and more and
more inappropriately as time passes.

The big flaw of OpenID now seems to me to be that the service provider
is easily able to weaken the security of the identity provider.

Therefore the most important security aspect of OpenID is not to have a
service provider where security is not important, but rather a user
database whose security is not important.

I can implement OpenID in a new Debtags web application, but people
would have to get their identities out of something like their blogs.
We could implement a Debian OpenID provider, but it'll have to be
something else than the normal user database, in implementation as well
as in scope.


Ciao,

Enrico

--
GPG key: 1024D/797EBFAB 2000-12-05 Enrico Zini <enrico@debian.org>
 
Old 02-24-2009, 09:37 AM
Yves-Alexis Perez
 
Refactoring the Debtags web interface

On mar, 2009-02-24 at 10:27 +0000, Enrico Zini wrote:
> I can implement OpenID in a new Debtags web application, but people
> would have to get their identities out of something like their blogs.
> We could implement a Debian OpenID provider, but it'll have to be
> something else than the normal user database, in implementation as well
> as in scope.

Maybe something for debian-community?

Cheers,
--
Yves-Alexis


 