PUBLIC MARKS with tags openid & security

OAuth, OpenID…they sound like the same thing and they kind of do vaguely similar things But I’m here to tell you, OAuth is not Open ID. They have a different purpose. I’ve been playing around with OAuth a bit in the past couple weeks and have a grip on what it’s aiming to do and what it’s not aiming to do. To start with, here’s what OAuth does have in common with Open ID

"The YubiKey is a new, simple and secure authentication solution. With a simple click on the YubiKey button, your identity and a unique password is sent every time you use it. The device connects to the USB port, fits in your wallet and works on all platforms and browsers, without the need of any client software. Together with the Yubico back-end integration platform, we enable quick and easy integration with any online service."

OpenID is a web-based, distributed authentication protocol set to become a standard way of signing in to websites. OpenID enables you to keep control over your own identity by separating identity 'providers' and 'consumers'. You register your 'identity' or 'account' at a single OpenID provider and then you have instant access to a vast array of service providers that are OpenID consumers. However, with great power comes great responsibility. OpenID is highly susceptible to phishing attacks unless proper counter-measures are taken by the providers. We will demonstrate how to do a very simple phishing attack that already works for most OpenID providers. We will also give some possible (non-)solutions to the problem.

Wouldn’t it be great if you could use the same account to log in to multiple sites and applications, without having to trust them all with your password? Wouldn’t it be even better if you could do this without having to hand ownership of your online identity over to some monolithic third party? (I’m looking at you, .NET Passport Microsoft Passport Windows Live ID.) The good news is, you can! OpenID is a decentralised authentication system invented by LiveJournal but now being developed as an open standard under the careful mentorship of the Apache Software Foundation. Anyone can create an OpenID, and the number of sites which let you log in with one is growing by the day.

Traduction d'un Billet original de Simon Willison. Seul le lien original fait référence

Traduction d'un Billet original de Simon Willison.

OpenID is a distributed identity system.