Mike McGrath wrote:

Hey guys, so the last little bits are in good shape for the OpenID
provider we're attempting to be. Don't go announcing this to others yet.
Lets test it out, if it breaks something let us know. We'll be announcing
it officially soon. You can, for example, log in to livejournal.com with:


username.id.fedoraproject.org

as your openID provider.

For example, my openID url is mmcgrath.id.fedoraproject.org


There is any way to make the landing page of that URL prettier? People
will see the URL and maybe will click on it, so is a must to have the
same CSS as all our websites.
In the "nice to have" category would be a little user customization,
like the user can include a link to his fedorapeople.org account, link
to personal blog, Fedora wiki userpage, maybe the hackergotchi image
(from .planet) etc.


--
nicu :: http://nicubunu.ro :: http://nicubunu.blogspot.com
Cool Fedora wallpapers: http://fedora.nicubunu.ro/wallpapers/
Open Clip Art Library: http://www.openclipart.org
my Fedora stuff: http://fedora.nicubunu.ro

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list

On Thu, May 29, 2008 at 9:01 AM, Jeffrey Ollie <jeff@ocjtech.us> wrote:
> 2008/5/29 Till Maas <opensource@till.name>:
>> Here is an interesting
>> blog article about security considerations wrt. openid:
>> http://idcorner.org/2007/08/22/the-problems-with-openid/
>
> While I don't have any specific replies to the issues that Stefan
> Brand points out in that article (I'm too new at the OpenID game), it
> should be noted that Stefan is the owner of a company that is
> developing a competing patented[1] technology that recently sold out
> to Microsoft[2]. However, David Recordon does have a rebuttal of
> Stefan's points[3].
>
> [1] http://www.credentica.com/patent_portfolio.html
> [2] http://idcorner.org/2008/03/06/microsoft-acquires-credenticas-u-prove-technology/
> [3] http://daveman692.livejournal.com/310578.html

I wouldn't dismiss his comments because of who he sold his patented
technology to until people on the infrastructure team more familiar
with OpenID and the security risks associated with it (I'm not that
person either :-) ) have reviewed the article for merit. Stefan does
post a follow-up comment to the David Recordon post.

It seems people are divided on the security OpenID does or does not
provide. It also seems to me an area where if OpenID is implemented
there should be some people on the infrastructure team that understand
the nuances of any security issues related to OpenID. We may have
those people on the team already - in which case hearing their opinion
on some of these articles would be useful.

> The phishing problem isn't unique to OpenID.

No, it isn't unique to OpenID - but it is certainly an area we should
take into account before implementing OpenID.

With all of that said - I like the OpenID idea. And we run other
services that have potential exposure to security issues (ssh, just
our normal FAS logins, etc) - but we do make efforts to protect those
services to the best of our ability to reduce our risk. I think we
should do the same with an OpenID implementation. Sure the
Infrastructure team can get OpenID to work, we just need to be sure
someone also makes sure we have evaluated potential security concerns
and addressed them when deemed appropriate. We may already have that
person on the team - or we may need to spend the time to study some of
the issues pointed out and determine if they are a valid risk and if
so - how do we protect against it.

~Jeffrey

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list

Jeffrey Tadlock wrote:

The phishing problem isn't unique to OpenID.


No, it isn't unique to OpenID - but it is certainly an area we should
take into account before implementing OpenID.

With all of that said - I like the OpenID idea. And we run other
services that have potential exposure to security issues (ssh, just
our normal FAS logins, etc) - but we do make efforts to protect those
services to the best of our ability to reduce our risk.


... and we should actually look at using our SSL certs more for
authentication as opposed to requiring people to type their FAS password
all over the place. This is something I keep meaning to bring up but
then having other stuff come up instead.


But that's neither here nor there wrt OpenID

Jeremy

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list

On Thu, 29 May 2008, Jeremy Katz wrote:

> Jeffrey Tadlock wrote:
> > > The phishing problem isn't unique to OpenID.
> >
> > No, it isn't unique to OpenID - but it is certainly an area we should
> > take into account before implementing OpenID.
> >
> > With all of that said - I like the OpenID idea. And we run other
> > services that have potential exposure to security issues (ssh, just
> > our normal FAS logins, etc) - but we do make efforts to protect those
> > services to the best of our ability to reduce our risk.
>
> ... and we should actually look at using our SSL certs more for authentication
> as opposed to requiring people to type their FAS password all over the place.
> This is something I keep meaning to bring up but then having other stuff come
> up instead.
>

Actually we have some SSL auth in place already though I'm not totally
sure the status of it. We haven't officially announced it I know that

ricky? toshio? any comments?

-Mike

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list

On Thu May 29 2008, Kostas Georgiou wrote:

> I am not sure that I see any value in OpenID in any case, there are very
> few OpenID consumers that I know about.

I would like to see many upstream bugtrackers allow ingan OpenID login, so
that I do not need another new password and registration for them.

Regards,
Till
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list

Works with plaxo.com. Links directly to your profile there, unlike
livejournal.com.


--
Jason


Mike McGrath wrote:

Hey guys, so the last little bits are in good shape for the OpenID
provider we're attempting to be. Don't go announcing this to others yet.
Lets test it out, if it breaks something let us know. We'll be announcing
it officially soon. You can, for example, log in to livejournal.com with:


username.id.fedoraproject.org

as your openID provider.

For example, my openID url is mmcgrath.id.fedoraproject.org

-Mike

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list



_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list