Authentication on the Internet (bogus emails looking for money)

Benjamin Scott dragonhawk at gmail.com
Tue Apr 27 18:48:40 EDT 2010


On Tue, Apr 27, 2010 at 5:51 PM, Alan Johnson <alan at datdec.com> wrote:
> Personally, I like the open id concept.  Assuming you have a secure
> provider, and a secure password/cert with them ...

  So, it fails on both counts, then.  HHOS.

  Large-scale SSO systems scare me because if the SSO host is
compromised, they've got access to *all* your stuff.  It also tends to
mean you've got a small number of high-value, high-profile targets.

  I suppose if you run your own OpenID host, you can make most of that
go away (although if your own SSO ID is ever compromised you're still
humped).  But that seems like rather a corner-case to me; anyone who
can do that is likely okay managing other authentication mechanisms.

-- Ben


