[145026] in cryptography@c2.net mail archive


Effects of OpenID or similar standards

daemon@ATHENA.MIT.EDU (David-Sarah Hopwood)
Fri Nov 6 10:46:25 2009

Date: Tue, 03 Nov 2009 20:41:52 +0000
From: David-Sarah Hopwood <david-sarah@jacaranda.org>
To: cryptography@metzdowd.com
In-Reply-To: <fa0147d90911021925v314df008hd6f6f5aa4f9c0684@mail.gmail.com>


Taral wrote:
> On Mon, Nov 2, 2009 at 5:41 PM, Jerry Leichter <leichter@lrw.com> wrote:
>> The trend is for this to get worse, with
>> network-wide shared authentication via OpenID or whatever other standard
>> catches on.
> 
> Not to derail this, but OpenID is flexible enough to permit
> fine-grained authentication as well as non-password-based
> authentication (e.g. smart card) and multi-factor authentication.

It's unlikely to be used that way except in a small minority of cases.
Jerry is absolutely correct that the practical result will be that most
users of OpenID will become more vulnerable to compromise of a single
password. This will only increase the value of several kinds of attack
(phishing, exploiting client security flaws, XSS, CSRF). I bet that
attackers are rubbing their hands in anticipation.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
