Archive for the 'security' Category

Learning the OpenID problems

Wednesday, May 14th, 2008

Continuing my recent discussion about OpenID and considering OpenID usage for authenticating to OSGeo services, I wanted to make a short review of its disadvantages. The OpenID advantages are well-known and can be described with a short statement:

open, decentralized, free framework, which allows Internet users to control their digital life with single identity

Stefan Brand collected a number of opinions about OpenID and compiled a very interesting post on his blog about problem(s) with OpenID. Stefan’s blog entry is pretty long, so to make his findings easier to understand, I decided to extract the key thoughts on that matter.

Stefan summarized the main problems and sources of OpenID criticism as follows:

OpenID is highly vulnerable to phishing and other attacks, creates insurmountable privacy problems, is not a trust system, suffers from usability problems, and makes it unappealing to become an OpenID consumer.

Next, complaints about the OpenID framework are presented in a few categories, which I’m going to summarize below.


OpenID conquers communities

Sunday, May 11th, 2008

On May 8th, Ross Turk posted on the SourceForge.net community blog: "Hey! So I’ll just blurt it out: we’ve joined the OpenID Foundation!" As Ross confirms, OpenID use is becoming very popular, which means users like the idea of a decentralized, free and open standard that lets users control the amount of personal information they provide.

In the initial announcement about the OpenID idea, SF.net staff revealed they use the OpenID implementation from Zend Framework - Open Source Software (oh yeah!) available under the BSD License.

Recently, I’ve noticed that Chris brought the idea of OpenID to OSGeo a year ago and set up the necessary infrastructure, so an OSGeo userid can be used as an openid.

I tried today to use the OpenID capabilities of the OSGeo User ID, but without any luck. It seems like the service has been disabled or moved without an update in the docs. Anyway, I hope we are going to keep it running. Hmm, it’s unclear to me if the OSGeo User ID is supposed to work as an OpenID and allow OSGeo users to authenticate to external non-OSGeo services with it, like SourceForge.net. Is it?

I’m wondering if it would be reasonable and beneficial for the OSGeo Foundation to participate in activities led by the OpenID Foundation. What about joining the OpenID Foundation as a non-profit organization?