<div dir="ltr">On Thu, Mar 28, 2013 at 6:08 PM, Robert Reese <span dir="ltr"><<a href="mailto:ale@sixit.com" target="_blank">ale@sixit.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div class="im"><TRIM><br>
> A lot of web applications are going with sign-in over the Web through<br>
> various providers. Now, I would love to see sites support Google,<br>
> Twitter, Facebook, etc., but also support plain Jane generic OpenID as<br>
> well, along side those. OpenID is a safe and usable SSO method on the<br>
> Internet.<br>
<br>
</div>I am strictly opposed to OpenID. That is a really, really bad idea in my opinion: Compromised once, compromised everywhere.<br></blockquote><div><br></div><div style>This is true, but it also provides *one provider* who you need to trust with security, not every site. You can run that provider yourself with OpenID. So, OpenID (or centralized authentication in general) reduces the attack surface, but increases the damage from a successful attack.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
And NOBODY gets my login credentials for ANY OTHER SITE. Period. End of story. In fact, I support legislation outlawing the requirement of third-party login credentials; there are plenty of verification and authentication methods that work just fine without handing over authentication data to a third-party.<br>
<br></blockquote><div><br></div><div style>I'm not sure what you mean here: what is the "the requirement of third-party login credentials"? Sure, if LearnStreet wanted me to put my Github username and password into their site, I'd never do it. But I don't. I log in to Github, and when I want to log in to some other site, they can use OAuth2 to ask GitHub to please verify that the request I am sending them comes from me. The other site never sees my Github password.</div>
<div style><br></div><div style>Also, what "verification and authentication methods" would you recommend? I'd really like to see an open standard that uses cryptographic smart cards (with opt-in only key escrow) to access data and sites. But short of that, usernames and passwords are just plain broken for your average user.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
I'm not sure I trust LastPass, either.<br></blockquote><div><br></div><div style>Good, don't trust anything you can't verify. I personally believe convenience of using lastpass outweighs security risk of using lastpass. But nobody's forcing you to use it.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div class="im"><br>
<br>
> I use stronger passwords than probably most people on this list do for<br>
> most things, but I don't much need a bookkeeping method for my passwords<br>
> because I leverage SSO technologies where I can. They make my life way<br>
> easier, at a minimal cost, and I never actually have to share my<br>
> authentication data with third party sites that I sign into that way.<br>
> It's win/win.<br>
<br>
</div>Lose/lose, when that SSO is compromised. Nor do I believe that those sites don't get authentication data; every single one of them I've seeen asks for username and password.<br>
<div class="im"><br></div></blockquote><div style>Which sites don't get authentication data? The SSO provider or the site whose resources you want to access? If they use OpenID or OAuth, they wouldn't get a password from your provider. Here's the specifications if you haven't read them: <a href="https://tools.ietf.org/html/rfc6749">https://tools.ietf.org/html/rfc6749</a>, <a href="https://openid.net/specs/openid-authentication-2_0.html">https://openid.net/specs/openid-authentication-2_0.html</a>.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class="im">
<br>
> What constitutes a "security breach" in one environment might be<br>
> expected, even normal behavior in another environment altogether.<br>
<br>
</div>Please give an example of this.<br>
<div class="im"><br>
<br>
> We can all agree that, for example, plaintext communication is unsafe<br>
> across the Internet for many things. But on an intranetwork,<br>
> particularly a very small and isolated intranetwork, there is little<br>
> need to increase complexity just to have communications be encrypted on<br>
> that network. Internetwork links transited over the public Internet,<br>
> though, that's another story altogether.<br>
<br>
</div>Apples and oranges. The discussion has nothing to do with intranets, which is supposed to be a walled garden with respect to the outside.<br>
<br>
Personally, I'd tell learnstreet to take a hike, just less politely.<br>
<br>
Cheers,<br>
Robert~</blockquote></div><br><br clear="all"><div><br></div>-- <br>David Tomaschik<br>OpenPGP: 0x5DEA789B<br><a href="http://systemoverlord.com" target="_blank">http://systemoverlord.com</a><br><a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>
</div></div>