Single login for Wine sites?

Kai Blin kai.blin at gmail.com
Tue Apr 7 15:56:50 CDT 2009


On Monday 06 April 2009 17:04:02 Jan Zerebecki wrote:

> I read a bit about OpenID security issues and from that it seems
> that OpenID is more secure than what we currently use if the
> Relying Party ( the website that wants to authenticate a user,
> i.e. winehq.org ) and the OpenID Provider get their
> implementation right (i.e. I have not found any security bug in
> the spec itself). The downside is that there is one more party
> that can be compromised, the upside is that this party is usually
> the hardest to compromise and that it ensures that some attacks
> don't work on the other two parties (that previously worked).
>
> I may be wrong, so please correct me.

I see the attack scenario where someone stole an OpenID user's identity and is
now using that to do bad things on the Wine sites.

Also, the flaw I see in the OpenID spec is that they're not requiring the use 
of SSL, but you decided to not allow the MITM attack against the DH exchange 
as an argument. So all I can say is that while all the points I could raise 
are invalidated by your exclusion, I don't like the OpenID design and don't 
want to support it. There are good password safe programs available for people
who don't want to remember their logins for multiple sites. That should be 
good enough.

Kai

-- 
Kai Blin
WorldForge developer  http://www.worldforge.org/
Wine developer        http://wiki.winehq.org/KaiBlin
Samba team member     http://www.samba.org/samba/team/
--
Will code for cotton.