Comments on: A Brief Analysis of OpenID http://jonsview.com/2008/07/31/a-brief-analysis-of-openid My life with technology Tue, 06 Jan 2009 10:57:09 +0000 http://wordpress.org/?v=2.7 hourly 1 By: James http://jonsview.com/2008/07/31/a-brief-analysis-of-openid/comment-page-1#comment-410 James Thu, 18 Sep 2008 15:52:47 +0000 http://jonsview.com/?p=90#comment-410 Hi, I found your blog on this new directory of WordPress Blogs at blackhatbootcamp.com/listofwordpressblogs. I dont know how your blog came up, must have been a typo, i duno. Anyways, I just clicked it and here I am. Your blog looks good. Have a nice day. James. Hi, I found your blog on this new directory of WordPress Blogs at blackhatbootcamp.com/listofwordpressblogs. I dont know how your blog came up, must have been a typo, i duno. Anyways, I just clicked it and here I am. Your blog looks good. Have a nice day. James.

]]> By: Will Norris http://jonsview.com/2008/07/31/a-brief-analysis-of-openid/comment-page-1#comment-353 Will Norris Mon, 04 Aug 2008 18:41:16 +0000 http://jonsview.com/?p=90#comment-353 That's a pretty good and concise analysis of the problems we're facing with OpenID. Certainly the standard security recommendations apply to OpenID as you would expect with any secure web application: use of SSL, making sure OpenID Providers are not vulnerable to CSRF and XSS attacks, etc. With regard to redundancy, remember that you can delegate your domain to multiple providers in priority order, so that if one goes down, you have others. If your personal domain goes down, that's another story, but is the basis for the argument of allowing users to link multiple OpenIDs at the relying party level. With respect to security and phishing, I'd encourage you to look at the work we're doing at Vidoop, both with our <a href="https://myvidoop.com/" rel="nofollow">secure OpenID provider</a> as well as our <a href="http://labs.vidoop.com/" rel="nofollow">more experimental</a> in this space. I agree that OpenID has a long way to go before we see it used in more high-risk use cases like banks, but as you've pointed out, it's perfectly fine for a lot of things right now. With that in mind, why not leave the wp-openid plugin installed for blog comments? If you have any problems with the plugin, please do let me know. That’s a pretty good and concise analysis of the problems we’re facing with OpenID. Certainly the standard security recommendations apply to OpenID as you would expect with any secure web application: use of SSL, making sure OpenID Providers are not vulnerable to CSRF and XSS attacks, etc.

With regard to redundancy, remember that you can delegate your domain to multiple providers in priority order, so that if one goes down, you have others. If your personal domain goes down, that’s another story, but is the basis for the argument of allowing users to link multiple OpenIDs at the relying party level.

With respect to security and phishing, I’d encourage you to look at the work we’re doing at Vidoop, both with our secure OpenID provider as well as our more experimental in this space.

I agree that OpenID has a long way to go before we see it used in more high-risk use cases like banks, but as you’ve pointed out, it’s perfectly fine for a lot of things right now. With that in mind, why not leave the wp-openid plugin installed for blog comments? If you have any problems with the plugin, please do let me know.

]]>