[Server-devel] OpenID - status?
martin.langhoff at gmail.com
Tue Jul 10 16:34:20 EDT 2007
On 7/11/07, Ivan Krstić <ivan at laptop.org> wrote:
> On Jul 10, 2007, at 9:37 AM, C. Scott Ananian wrote:
> > As I understand the BitFrost specification, OpenID is only used to
> > extend the local authentication mechanisms (XO-to-school server) to
> > the outside world (Google backups, etc).
> > The actual authentication of XOs and users is done by us outside
> > OpenID. So the DNS weakness and MiM attacks are only valid outside
> > our scope.
> That's correct. OpenID, in a vacuum, is a fine mechanism. It's the
> way people are doing authentication to their OpenID IDPs on the wider
> Internet that's problematic and dangerous; we can generally avoid the
> issues entirely by authenticating transparently to the school server
> in the background.
In that scope, are there any plans as to where the IDP resides? School
If it is the school server, it'd be reasonable to teach moodle to be
an IDP. If not, I won't hurry on that side. (Though that still
leaves us with the issue of authenticating the user transparently to
moodle on the school server in the first place)