Antranig,

First, let me say that I used to be an OpenID proponent; however, after speaking with IBM corporate security experts I changed my mind. Although these (those you list) more consumer-facing companies support it, large enterprises do not. We need to have user preferences available to corporate web sites, libraries, etc. What is extremely important to me is that users be able to use GPII to improve their prospects for employment.
As I stated, what I would prefer is the HTML 5 local data storage approach with a browser add-on. This plug-in would also sync up with GPII when a preference store is available. For this:
- A user has full control over who accesses the preferences
- Preferences can be accessed by web applications directly from HTML 5 constructs
- A user can configure preferences locally in their browser

Here are some pointers to security and privacy issues:
1. http://en.wikipedia.org/wiki/OpenID#Security_and_phishing
   The man-in-the-middle issue is very real.
2. http://serverfault.com/questions/7005/is-there-a-danger-in-fake-openid-providers
   You also have competing proprietary solutions from other vendors, making the question of what identity broker mechanism should be used problematic: http://www.insecureaboutsecurity.com/tag/openid/
3. http://keystoneisit.blogspot.com/2007/03/5-reasons-openid-is-not-for-me.html

Personally, I have a concern about delivering too much of my private data into the hands of a commercial business. Google is really an advertising company that makes use of your private data for reasons not intended by the user. So, the fact that a company like Google supports OpenID is not necessarily a plus. As for Yahoo, I have concerns too. I wonder who will end up owning them going forward and where my personal data would end up. What this is saying is I would prefer to have greater control over my user preferences by controlling and manipulating them locally.

The security lead I used to know for IBM software has left the company. What I will do is find out who the new security czar is and see if he has more details about the OpenID security issues.
Rich Schwerdtfeger
CTO Accessibility Software Group


From: Antranig Basman <[email protected]>
To: Richard Schwerdtfeger/Austin/i...@ibmus
Cc: Colin Clark <[email protected]>, Fluid Work <[email protected]>, Gregg Vanderheiden <[email protected]>
Date: 01/04/2011 09:09 AM
Subject: Re: UI Options and user preferences stored locally

On 04/01/2011 07:59, Richard Schwerdtfeger wrote:
> > In the new year, Antranig and the UI Options team are planning to
> > start work on cloud-based user preferences storage. The plan is to
> > create a reference implementation of a user preferences server
> > integrated with OpenID. I know that you have some concerns about
> > OpenID, but I think it offers the only reasonable starting place for
> > being able to demonstrate widely-supported cloud based user
> > authentication. From there, we can talk further about how we might
> > want to production-harden the implementation.
> >
>
> As I mentioned to Antranig, I am not a fan of OpenID. It has had very little industry uptake and is subject
> to phishing via masquerading brokers. Last I spoke to IBM security experts they did not support it for this
> reason.
>
> I have concerns about using it just to "demonstrate" that we can provide preferences to an application. We
> could do that now with web services. I can't support OpenID as a strategy for GPII.

Thanks for voicing these concerns, Richard. We do need to make practical progress on this front, however. Could you suggest an alternative technology to OpenID that has some level of public currency as a standard and implementation? You mention that OpenID has "very little industry uptake" but as far as I am aware, any alternatives have even less. OpenID has at least been taken up by the likes of Google, Yahoo, Paypal, and the BBC.
Also, I'd be grateful if you could provide some links to analysis of the security deficiencies of OpenID so that we can understand them better, and on which we could perhaps base any evaluation of a replacement standard.

Many thanks,
Antranig.
_______________________________________________________
fluid-work mailing list - [email protected]
To unsubscribe, change settings or access archives, see http://fluidproject.org/mailman/listinfo/fluid-work
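The local-storage model Rich sketches in his reply (preferences held in the browser, the user deciding which sites may read them) is easier to reason about with a concrete access-control shape in front of you. The following is an added example written for this page; it is not code from the thread, from GPII, or from the Fluid project. It keeps preferences in a `localStorage`-style store, lets the user grant or revoke read access per web origin, returns a requesting origin only the preferences it was granted, and keeps an audit trail of every request. The storage keys (`gpii.prefs`, `gpii.grants`), the preference names and the origins are constructed for the example; the Map-backed `memoryStorage()` stands in for `window.localStorage` so the code also runs under Node.

```javascript
// Added example (not from the thread or the GPII/Fluid code base): a
// browser-local preference store where preferences stay on the user's
// machine and a web origin can read a preference only after the user has
// granted it. "storage" is any object with getItem/setItem
// (window.localStorage in a browser); the Map-backed shim below is a
// stand-in so the code also runs under Node.

function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Accept only a bare origin (scheme://host[:port]). Values with a path or
// query, or values that do not parse, are rejected so that a grant can
// never be keyed by something looser than an origin.
function normalizeOrigin(origin) {
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (e) {
    throw new Error('invalid origin: ' + origin);
  }
  if (parsed.origin !== origin) throw new Error('expected a bare origin, got: ' + origin);
  return parsed.origin;
}

class PreferenceStore {
  constructor(storage = memoryStorage()) {
    this.storage = storage;
    this.prefsKey = 'gpii.prefs';   // hypothetical key names chosen for this example
    this.grantsKey = 'gpii.grants';
    this.log = [];                  // in-memory audit trail of access attempts
  }

  _load(key) {
    const raw = this.storage.getItem(key);
    return raw === null ? {} : JSON.parse(raw);
  }

  _save(key, obj) {
    this.storage.setItem(key, JSON.stringify(obj));
  }

  // Preferences are written by the user (or a local UI), never by a site.
  setPreference(name, value) {
    const prefs = this._load(this.prefsKey);
    prefs[name] = value;
    this._save(this.prefsKey, prefs);
  }

  // Grant an origin read access to a named subset of preferences.
  grant(origin, names) {
    const o = normalizeOrigin(origin);
    const grants = this._load(this.grantsKey);
    grants[o] = Array.from(new Set([...(grants[o] || []), ...names]));
    this._save(this.grantsKey, grants);
  }

  // Withdraw everything previously granted to an origin.
  revoke(origin) {
    const o = normalizeOrigin(origin);
    const grants = this._load(this.grantsKey);
    delete grants[o];
    this._save(this.grantsKey, grants);
  }

  // A site asks for preferences by name and receives only those the user
  // granted to that exact origin; names that are ungranted or unset are
  // reported back as denied, and every request is logged.
  read(origin, requested) {
    const o = normalizeOrigin(origin);
    const allowed = new Set(this._load(this.grantsKey)[o] || []);
    const prefs = this._load(this.prefsKey);
    const granted = {};
    const denied = [];
    for (const name of requested) {
      if (allowed.has(name) && name in prefs) granted[name] = prefs[name];
      else denied.push(name);
    }
    this.log.push({ origin: o, requested: [...requested], returned: Object.keys(granted), denied });
    return { granted, denied };
  }

  auditLog() {
    return this.log.slice();
  }
}
```

In a real add-on the `read` call would sit behind the extension's messaging boundary, with the origin taken from the browser's own sender information rather than supplied by the page; the point of the example is the shape of the policy (explicit per-origin grants, deny by default, a log the user can inspect), which is what gives the user the control Rich is asking for.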
