Feb 7
IBM, Microsoft, Verisign, Google and Yahoo! have joined the OpenID board, as reported by CSO. OpenID allows a single registry of authentication credentials (login and password) to be used at all participating web sites.
Single registry systems have been around in corporate intranet environments for a while (Microsoft Active Directory, IBM WebSphere IdentityManager, OpenLDAP, etc.). They’re a nice tool for a centralized organization to manage user credentials.
The hazards of widespread adoption of such a system are twofold, I believe: a single set of credentials allows you to log in to a variety of sites. If I can compromise your password, then I gain access to all these sites. This may be no worse than today, if you use the same login and password for all the sites anyway, but it does make it more difficult for you to have different logins and passwords, should you so desire.
Secondly, and perhaps more subtly, if I compromise your password, can I register for new sites that support OpenID that you don’t even know about? This needs more looking into…