<br><br><div class="gmail_quote">On Fri, Mar 29, 2013 at 1:59 PM, David Tomaschik <span dir="ltr"><<a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div>On Fri, Mar 29, 2013 at 6:39 AM, Michael B. Trausch <span dir="ltr"><<a href="mailto:mbt@naunetcorp.com" target="_blank">mbt@naunetcorp.com</a>></span> wrote:<br></div><div class="gmail_extra">
<div class="gmail_quote"><div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>On 03/28/2013 09:26 PM, David Tomaschik wrote:<br>
> This is true, but it also provides *one provider* who you need to trust<br>
> with security, not every site. You can run that provider yourself with<br>
> OpenID. So, OpenID (or centralized authentication in general) reduces<br>
> the attack surface, but increases the damage from a successful attack.<br>
<br>
</div>I'm surprised at you, David! Such a blanket statement. That also<br>
depends on what one has in place to _mitigate_ compromise. I think that<br>
anyone who puts any system in place and then does not plan for it to be<br>
compromised is missing the whole point of security. Assume it will<br>
break. Mitigate what can happen when it does.<br></blockquote></div></div></div></div></blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra">
<div class="gmail_quote"><div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"></blockquote><div><br></div></div><div>Assuming you have >1 service using that OpenID provider, the damage from compromising the OpenID account is, by definition, more than a compromise of one of those accounts. I never said that it results in a complete loss of control.</div>
</div></div></div></blockquote><div><br></div><div>I know this is an old email, but it was sitting in my drafts for awhile.</div><div><br></div><div>This is where two-factor systems come into play. For example, myOpenID will call your phone number to verify whenever you login to your account. It even has a voice-print security feature, but I'm not sure if that really adds any extra security or is junk science.</div>
<div><br></div><div><br></div><div><br></div><div><SNIPPED> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div>
<div><br></div>-- <br>David Tomaschik<br>OpenPGP: 0x5DEA789B<br><a href="http://systemoverlord.com" target="_blank">http://systemoverlord.com</a><br><a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>
</div></div></div>
<br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><br>