On 04/01/2011 07:59, Richard Schwerdtfeger wrote:

 > In the new year, Antranig and the UI Options team are planning to
 > start work on cloud-based user preferences storage. The plan is to
 > create a reference implementation of a user preferences server
 > integrated with OpenID. I know that you have some concerns about
 > OpenID, but I think it offers the only reasonable starting place for
 > being able to demonstrate widely-supported cloud based user
 > authentication. From there, we can talk further about how we might
 > want to production-harden the implementation.
 >

As I mentioned to Antranig, I am not a fan of OpenID. It has had very little industry uptake and is subject to phishing via masquerading brokers. Last I spoke to IBM security experts they did not support it for this reason.

I have concerns about using it just to "demonstrate" that we can provide preferences to an application. We could do that now with web services. I can't support OpenID as a strategy for GPII.

Thanks for voicing these concerns, Richard. We do need to make practical progress on this front, however. Could you suggest an alternative technology to OpenID that has some level of public currency as a standard and implementation? You mention that OpenID has "very little industry uptake" but as far as I am aware, any alternatives have even less. OpenID has at least been taken up by the likes of Google, Yahoo, PayPal, and the BBC. Also, I'd be grateful if you could provide some links to analysis of the security deficiencies of OpenID so that we can understand them better, and which we could perhaps use as a basis for any evaluation of a replacement standard.

Many thanks,
Antranig.