2009-01-30 08:55 |
yuri
Yuri Takhteyev <yuri at sims.berkeley.edu>
I've come across what appears to be the world's first publicly advertised Sputnik job - for integrating Sputnik with OpenID.

http://hephoo.notlong.com

So, first of all, let me welcome the emergence of the global Sputnik job market. :)

Second, I have no idea who the buyer is and what their project is about, but perhaps they'll consider donating the code to the project. OpenID would be a great addition to Sputnik, and I would be happy to acknowledge the donation, maintain the plugin and help with advice.

- yuri

--
http://spu.tnik.org/
_______________________________________________
Sputnik-list mailing list
Sputnik-list@lists.luaforge.net
http://lists.luaforge.net/cgi-bin/mailman/listinfo/sputnik-list
2009-01-30 08:55 |
dm.lua
David Manura <dm.lua at math2.org>
On Mon, Jan 26, 2009 at 1:36 AM, Yuri Takhteyev wrote:
> OpenID would be a great addition to Sputnik
Perhaps. Still, I think it has some fundamental issues that require caution:
http://self-issued.info/?p=73
http://webworkerdaily.com/2008/05/21/openid-a-contrarian-view/
E.g. relying on an untrusted site to redirect the user to their master
login page strikes me as regressive.
2009-01-30 08:55 |
yuri
Yuri Takhteyev <yuri at sims.berkeley.edu>
> E.g. relying on an untrusted site to redirect the user to their master
> login page strikes me as regressive.

True. If someone decided to use Sputnik to implement a web interface for a bank, I would probably advise them against using OpenID. :) Doing OpenID authentication for non-admin access to a wiki, however, probably wouldn't keep me up at night.

Also, the security of OpenID depends on the steps the provider takes to prevent phishing. Some providers are better than others. There are now OpenID providers that use a customized image (Yahoo!), hardware tokens (Verisign), or browser certificates (certifi.ca). Some can be configured to call your cell phone as a part of the login (myopenid.com). If the consumer can be configured to only accept logins from trusted providers, then OpenID could be _more_ secure than most sites' authentication.

- yuri

--
http://spu.tnik.org/
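
The provider restriction mentioned in the last message, sketched as an added example (not code from this thread or from Sputnik): a consumer-side allowlist check on the provider endpoint URL. It assumes the URL passed in is the OP endpoint the consumer found through its own discovery on the user's identifier; the hostnames and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: hosts of provider endpoints the wiki operator trusts.
TRUSTED_OP_HOSTS = frozenset({"op.example", "login.idp.example"})


def op_endpoint_host(op_endpoint):
    """Return the normalized host of an acceptable endpoint URL, else None."""
    try:
        parts = urlsplit(op_endpoint.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https":
        return None  # plain http lets a network attacker swap the login page
    if parts.username is not None or parts.password is not None:
        return None  # "https://op.example@evil.test/" really points at evil.test
    if port not in (None, 443):
        return None
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    return host or None


def is_trusted_provider(op_endpoint, trusted_hosts=TRUSTED_OP_HOSTS):
    """Exact host match only: no suffix or substring comparison."""
    host = op_endpoint_host(op_endpoint)
    return host is not None and host in trusted_hosts


if __name__ == "__main__":
    # Constructed sample endpoints, including lookalikes that must be refused.
    samples = [
        "https://op.example/server",
        "https://OP.Example:443/auth",
        "http://op.example/server",
        "https://op.example.evil.test/server",
        "https://op.example@evil.test/server",
        "https://op.example:8443/server",
    ]
    for url in samples:
        print("accept" if is_trusted_provider(url) else "reject", url)
```

The check belongs before the consumer redirects the user, so that a login attempt through a provider outside the list is refused without sending the user to it.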