OpenID Not Perfect but Better Than Common Practices
Companies are jumping on the OpenID bandwagon faster than others are dumping HD DVD. I've never been a big fan of OpenID because I'm worried about centralization of authentication data. Paul Ferguson argues against it too in his blog, and while I agree with him for the most part, I am starting to change my mind. It's not that OpenID is a panacea for authentication; it's just that it's better than what most people do today.
If people reuse the same id and password across multiple sites, then cracking one site gives an attacker access to all of their online accounts. Of course not everyone does this, and even those who do may not do it for all their accounts, but it's probably done enough that we have a de facto distributed repository of replicated authentication data - and that is worse than a single logical repository managed by someone that specializes in protecting identifying information.
Larry Seltzer at eWeek, for example, is willing to trust a vendor like Verisign with his OpenID data:
I wouldn't trust just any OpenID provider, but I would trust, for example, VeriSign, which has been in the OpenID provider business from the very early days. VeriSign is high on it, and (for what it's worth) the company even goes to the trouble of putting an EV SSL certificate on the site. Why do I trust VeriSign? I don't know, call me naive, but it runs trusted authentication infrastructure for very big businesses.
In theory I don't like OpenID but in theory we all know how to securely manage authentication information. As someone once said, in theory there is no difference between theory and practice but in practice there is.
Comments
OpenID is good, I just don't like the idea of logging in with a URL. Plus I think it's better when there is a "central hub" of information.
I think solutions like Aliixer LoginShare are actually better.
Check it out here: http://www.aliixer.com/share/
Posted by: Marcus | August 5, 2008 2:31 AM