From: Jeremiah Cornelius (jeremiah nur.net)
Date: Thu Mar 27 2008 - 12:23:44 CDT
I think that OpenID is concerned more with the problem of "Federating"
identity - which is corollary to SSO - but not necessarily the same thing.
Microsoft tried web SSO with Passport. It was viewed as proprietary, and
requiring full trust in Microsoft. The new Microsoft effort is around
CardSpace, a WS-Security-oriented framework and client API, extensible to
consume SAML, etc. This is a federation play that can aggregate sign-on and
authorizations.
That the OpenID tent seems big enough to accommodate CardSpace is an indication
that federation of ID is more than just SSO.
JC
--------------------------------------------------
From: "David Wall" <dwall yozons.com>
Sent: Thursday, March 27, 2008 8:30 AM
To: "Babu.N" <babun intoto.com>
Cc: "Eric Marden" <security xentek.net>; <webappsec securityfocus.com>
Subject: Re: OpenID and the web
>
>> Yes, it is difficult to configure it for supporting sites.
>>
>> But it does save us from registering at multiple websites & remembering
>> the passwords of each of them.
>
> Single sign-on is only truly useful if nearly all sites adopt it,
> unfortunately. After all, I have a Password Safe file that contains 225
> entries now (many are business-related, but many are for the various
> personal sites I'm registered at). If 25 sites adopt a common SSO, I'd
> still have 200 entries, meaning I'd still need/use Password Safe (or other
> password manager, which is really extremely useful and easy to use and
> allows me to effectively remember all passwords by only remembering one
> good pass phrase that never is shared with anybody).
> If they all adopted, then I wouldn't need it, which would be awesome, but
> seems unlikely to happen, and of course there are passwords I have to
> "remember" that are not for web sites.
>
> Also, isn't entering the pseudo-random numbers subject to MITM with replay
> attack? I've not researched it much, but in general you need to ID
> yourself and give the value, at which time the info used could be
> replayed.
> Also, those in control of the ID databases have to be trusted that their
> employees/contractors/outsourcers won't somehow steal or otherwise lose
> control of the data, something we see all the time with sensitive
> financial and medical records. If you break my password at one site today
> (such as a data loss or other phishing scam, etc.), you don't get access
> to all my accounts like you would through SSO.
>
> Don't get me wrong, I like SSO in general, but I think "universal SSO" is
> extremely unlikely. There are control issues, liability issues, risk
> management issues and just plain old competitor cooperation issues.
>
> David
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire Methodologies & Tools for Web Application Security
> Assessment With the rapid rise in the number and types of security
> threats, web application security assessments should be considered a
> crucial phase in the development of any web application. What methodology
> should be followed? What tools can accelerate the assessment process?
> Download this Whitepaper today!
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> -------------------------------------------------------------------------