|
WebApp Sec
mailing list archives
Re: OpenID and the web
From: "Jeff Robertson" <jeff.robertson () gmail com>
Date: Thu, 27 Mar 2008 10:49:42 -0400
On Thu, Mar 27, 2008 at 7:47 AM, Razi Shaban <razishaban () gmail com> wrote:
On 3/27/08, Babu.N <babun () intoto com> wrote:
>
> Yes, it is difficult to configure it for supporting sites.
>
> But it does save us from registering at multiple webistes &
> remembering the passwords of each of them.
It also makes it that much simpler for a malicious user to gain access
to every account you have after getting the password for only one.
But it also makes it easier to use stronger authentication. Nobody
would want to put up with, say, tokens or client certificates for
*every* website they use. For your online banking, maybe, but not for
your email and your blog and 20 random forum websites. But if you only
have to sign in once, your tolerance for security measures should go
up.
My main question, without having looked into it yet, is what kind of
protocols this uses. There is already SAML, for instance. Has OpenID
invented yet another way to do SSO, or are they using an existing
method?
-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be
considered a crucial phase in the development of any web application. What methodology should be followed? What tools
can accelerate the assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
- Re: OpenID and the web, (continued)
Re: OpenID and the web Adrian Migraso (Mar 25)
Re: OpenID and the web Eric Marden (Mar 26)
Re: OpenID and the web David Wall (Mar 27)
Re: OpenID and the web Jeremiah Cornelius (Mar 27)
|
Intro
