Robin Wilton's esoterica

       
 

Updated blogroll entry


Just a quick housekeeping note to let you know that the POSIWID site has moved, and I have updated its entry in the blogroll accordingly. The site is now here, and the feed for it is here. I'm not sure if they're having a house-warming, but do drop by and have a read anyway - it's worth it.

OpenID in practice... still not 100%


There have been some headlines in the last couple of days about Orange/FT's decision to offer OpenIDs. I headed over to the OpenID Directory Blog to read about it, and was minded to leave a comment. The blog post welcomes the entry of a major telco into this market, on the basis that the OpenIDs issued by Orange will imply a knowledge of the user's name, address and payment details.

My comment was - "not necessarily". More specifically: it depends on how Orange issue those OpenIDs, and what steps they take in the enrolment process to verify the claimed identity of the applicant. For instance, if I can get an OpenID on the basis of having an Orange pay-as-you-go SIM bought for cash, then it's quite possible that Orange would not know my real name, address, billing or payment details. I don't know, not being an Orange customer, whether that is the case.

So why am I saying all this here, instead of leaving a comment over there? Well, the OpenID Directory blog offers OpenID as one of the supported authentication mechanisms if you want to leave a comment, so I thought it would be appropriate to use my Sun OpenID to log in. After all, that has worked in the last day or two at a couple of other sites.

Unfortunately it still isn't working at the ODB, and the mechanics of the failure are interesting:

- on the ODB page, I enter the URI for my Sun OpenID;

- I am correctly redirected to that page, where I authenticate successfully;

- I am redirected back to the ODB site, where the ODB login page is displayed, inviting me to enter my ID and password. It also displays a message saying "Server denied check_authentication" (i.e. something discouraging but fairly meaningless).

Two things strike me about this:

- first, obviously, it's frustrating that I can't authenticate to this site, when I know my OpenID is working elsewhere;

- second, under the wrong circumstances, the flow exhibited by the ODB website would make for a very plausible phishing attack.
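The relying-party side of the third step above, sketched as an added example (not code from the ODB site or from any OpenID library). It follows the direct verification step of OpenID Authentication 2.0, although the post does not say which protocol version the sites used. The function names, sample values and user-facing wording are all constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample: query string on the redirect back to the relying party.
RETURN_QUERY = (
    "openid.mode=id_res&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
    "&openid.claimed_id=https%3A%2F%2Fopenid.example.org%2Falice"
    "&openid.assoc_handle=h1&openid.signed=claimed_id%2Cassoc_handle"
    "&openid.sig=c2ln&page=comments"
)
# Constructed provider replies in Key-Value Form ("key:value" per line).
REPLY_OK = "ns:http://specs.openid.net/auth/2.0\nis_valid:true\n"
REPLY_DENIED = "ns:http://specs.openid.net/auth/2.0\nis_valid:false\n"

def build_check_auth_body(return_query):
    """POST body for the provider: every openid.* field from the redirect,
    copied unchanged, with openid.mode set to check_authentication."""
    fields = [(k, v) for k, v in parse_qsl(return_query, keep_blank_values=True)
              if k.startswith("openid.") and k != "openid.mode"]
    return urlencode([("openid.mode", "check_authentication")] + fields)

def parse_kv_form(body):
    """Parse Key-Value Form, splitting each line on its first colon only."""
    result = {}
    for line in body.split("\n"):
        if not line:
            continue
        if ":" not in line:
            raise ValueError("line without a colon: %r" % line)
        key, value = line.split(":", 1)
        result[key] = value
    return result

def verify(reply_body):
    """Return (verified, message_for_user). Only is_valid:true verifies."""
    try:
        verified = parse_kv_form(reply_body).get("is_valid") == "true"
    except ValueError:
        verified = False
    if verified:
        return True, "OpenID assertion confirmed by your provider."
    # Assumption of this example: name the failure and send the user back to
    # the start of the OpenID flow; never fall through to a password form.
    return False, ("Your OpenID provider did not confirm the login. "
                   "Start again from your OpenID URL; no password is needed here.")

if __name__ == "__main__":
    print(build_check_auth_body(RETURN_QUERY))
    print(verify(REPLY_OK), verify(REPLY_DENIED))
```

A relying party that handles the denied case this way never puts a password prompt in front of a user who has just come back from their provider, which is the pattern the second point above is concerned with.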

 



 
 
 
 
 
« September 2007 »

Such views as I express in this blog are based on my own opinions, experience and judgements. They do not necessarily represent the policy or views of my employer. It is not my intention to offend readers in any way. If you find anything on this blog offensive, please contact me in the first instance.
Robin Wilton
© racingsnake