Peter Palfrader wrote: > As openid provides no security whatsoever there's probably not a big > chance of us (as in DSA) hopping onto the openid hype any time soon. >
openid could be secure - e.g. by enforcing https everywhere, always checking the remote certificate properly, never using passwords for authentication, etc. Unfortunately, none of these apply to the implementations I have seen (although my openid provider does at least allow for x509 certificate authentication instead of password passed authentication). There was a good article at <http://idcorner.org/2007/08/22/the-problems-with-openid/>, unfortunately the domain appears to be off-line now, and the archive at <http://web.archive.org/web/20080208023407/http://idcorner.org/2007/08/22/the-problems-with-openid/> is difficult to read due to bad formatting. -- Brian May <[email protected]> _______________________________________________ Debtags-devel mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/debtags-devel

