My good friend Kim Cameron posted the following misinformation on OpenID:
InfoCards change the current model in which the user can be controlled by an evil site. OpenID doesn’t.
if a user ends up at an evil site today, it can pose as a good site known to the user by scooping the good site’s skin so the user is fooled into entering her username and passord.
An evil site proxying a web based OpenID Provider is a known security threat in OpenID. There are a number of ways of thwarting this attack, and given that the user has a close relationship with their OP, not difficult to deploy. Similar to the advantages that CardSpace has with a client side implementation, Sxipper is a Firefox plug-in that provides an OpenID user with the same client side protections as CardSpace. OpenID is a protocol, similar at a high level to WS-* — so this is somewhat of an apples an oranges comparison. CardSpace could support OpenID and protect the user.
I’d like to see OpenID and InfoCard technologies come together more. I’ll be presenting a plan for that over the next little while.
I’m looking forward to seeing your thoughts Kim! Perhaps supporting OpenID in Cardspace?
I could imagine a plugin to check that the uri for "myopenid.com" matches a page proporting to be "myopenid.com" and not "evilsite.tld" – BTW, why can’t I comment on your blog using my OpenID?
A plugin can easily solve the phishing problem.
As pointed out, I don’t se that this problem (that Kim Cameron is describing) is related to OpenID as a standard. It’s rather a problem that the federated community in general will encounter.
I think there is a lot of responsibility for the different identity providers to protect and provide the services that safeguards the users.
It’s more of a problem that users will use or choose “bad” or “poor” identity providers rather then going to the bad sites.
I don’t se that this problem (that Kim Cameron is describing) is related to OpenID as a standard. It’s rather a problem that the identity and federation community in general will encounter.
I think there is a lot of responsibility for the different identity providers to protect and provide the services that safeguards the users.
It’s more of a problem that users will use or choose “bad” or “poor” identity providers rather then going to the bad sites.
It seems like some vendors are making identity management a question about which OS to use…
I think the man got a point, but I also think a plugin can solve the problem.
Email is like Open ID if everytime you had an account you immediately forgot the password, and used the password retrieval/reset function linked to your email. Which is inefficient, but not an uncommon way to deal with peripheral user accounts. I often do the "try to sign up, realize my email is taken thus I have an account, do the forgotten username/password" routine with minor accounts. In that situation access to my email — by whatever authentication means my email account is protected, which has nothing to do with the site in question — is my ultimately my identification. It’s not secure with respect to various kinds of sniffing, but otherwise it’s a very similar model to Open ID.
Janet Kellman, software reviews
in many ways I agree … email is a slow version of OpenID
As for me ,I don’t think OpenID is so convenient and safe as you think.I’ve once spent 6 hours to create new accounts in 3 web pages.Besides,I heard that it had hidden dangers.Could it prevent "Net Fishing" ? Absolutely no.
OpenID just solves the identity problem, not the trust problem. When a user authenticates with OpenID, what they are doing is stating “I have the ability to prove my ownership of this URL”.