Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: OpenID and the web

from [baldr] Network Security [Permanent Link]
Subject: Re: OpenID and the web
Date: Thu, 27 Mar 2008 22:29:59 +0000 
Pete Jansson Thu, Mar 27, 2008 at 5:01 PM

Additionally, there would be nothing to prevent a user from having
multiple OpenIDs.  OpenID providers should have different levels of
service with different authentication strengths -- from
username/password to tokens, or whatever.  Then the user can use their
choice of OpenID with a particular account, making the choice based on
the strength of authentication vs. the risk of the account. (I'm not
sure if I really care whether someone gets my Slashdot comment
account, but I would care about them having my Amazon One-Click
account [if I weren't too paranoid to One-Click].)

I completly agree here openID as a protocol can support varying levels
of security including security tokens & pki.  currently most
implmentations are for services where as said above people dont really
care.  we accept that these services are not as secure as our bank.

personly i think openID is perfect for the use it provides.  with a
password system it isn't that secure, its online and gives access to
many accounts; however they are all accounts you dont care about.  if
it where a SSO for my banks i would expect to be using a certificate
but this wouldn't exclude openID.

Well thats my two pence...  As where on the subject i was curious what
people thought about shibboleth.  about 15 countries have adopted it
for either education or health* as an SSO to many online journals.
what do people feel are the security pros/cons here

*https://spaces.internet2.edu/display/SHIB/ShibbolethFederations

-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web 
application security assessments should be considered a crucial phase in the 
development of any web application. What methodology should be followed? What 
tools can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: OpenID and the web, Pete Jansson
Next by Date:  Re: OpenID and the web, Jeremiah Cornelius
Previous by Thread:  Re: OpenID and the web, Pete Jansson
Next by Thread:  [Full-disclosure] Pangolin v1.2.590 - The best SQL injector you've ever seen, zwell
Indexes:  [Date] [Thread] [Top] [All Lists]