[sugar] XO identity shared via Browse

[Sebastian Silva]

2008/12/4 Martin Langhoff <martin.langhoff at gmail.com>:

> So we are aiming for moderate security. Also note that OpenID is in
> the conversation, and that is _not_ a particularly secure protocol
> (see the archive, and the many _many_ very good posts from Ben Laurie
> here and on his blog on the matter). OpenID is somewhat standard
> though ;-)

Martin,
I looked this up. Actually, his only argument that I could find it
suposedly makes phishing easier. I must really disagree.

First, OpenID admittedly does not address this. Neither does email.
Its out of scope.
It is expected that browsers will warn about funky phishing attempts
(makes sense).
Of course Browse hiding the address does not help too much, except:

Second, and more importantly, if we do this right, his description of
the problem does not bite us because a child is already logged in by
the time he goes outside to the wild phishing monster filled world.
If the fake OpenID sends you to a fake user/pass page (weren't we
discussing passwordless?) - it should be suspicious since he'll know
he's already logged in.

Also, more importantly, if the login confirmation is done via the GUI
(and not a website), then the problem is gone (how can you fake a
sugar dialog from a website?).

The *correct* way to go, considering our lack of FQDN, is not DNS
magic as I supposed, but tunneling it thru our jabber collaboration
framework. Traversing NATs and all sort of stuff is what we have it
for. Lets use it. Its an extension to jabber protocol, XEP-0070, still
standards compliant, will send the login request to your client over
the chat framework. Great suggestion Ben!

If I missed other security cristicisms of OpenID that have some
substance, let me know, perhaps I'll open regional OpenID foundation
:-P

-- 
Sebastian Silva
Iniciativa FuenteLibre
http://blog.sebastiansilva.com/