[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: OpenID, UserID + passphrase, GPG, ...

From: Davi Leal
Subject: Re: OpenID, UserID + passphrase, GPG, ...
Date: Thu, 10 Jul 2008 20:49:44 +0200
User-agent: KMail/1.9.7

Antenore Gatta wrote:
> I wouldn't like to reach an agreement about OpenID just because of numbers,
> but because of understanding, me an MJ we could be wrong, you as well, so
> is needed to discuss and reach an agreement all together in these cases.
> The wrong decision could compromise the project...

You are right. Let discuss a little more...

IMHO OpenID is more usable but its security is weaker than UserID + passphase 
just because you delegate authentication on an external system which can have 
its own security risks, etc.

We can assume OpenID is less secure than local user/password, as it is. So we 
can set the level of access/grant according to the log-in method used, and 
ask for a higher level authentication if the user want to realize a more 
critic operation as read-bank-status(medium), transfer-money(critic), ...

So, maybe, we could authorize only some operation when users are logged via 
OpenID. That is to say, we can have:

  * several authentication mechanisms,
    and define the security level which each one offers, and

  * an operation catalog,
    which lists the security level requirements to get authorization for
    realizing each operation.

That is how my actual bank account works. My bank uses:
  * To log in: UserID + passphrase, and a card with a matrix of numbers,
    via HTTPS.
  * To transfer money: an additional special passphrase is required.
And even so, it is know it has been broken and lot of money lost. I think
the final solution is said to be something similar to GPG.

We could use the OpenID support to make it easier to register at GNU Herds. 
Just a click and go avoiding the current process.

We could define the OpenID security level to allow only:
    * create account
    * access account
    * modify account: job offers, pledges, etc.
and require the current gnuherds password, (and maybe other security 
measures), to realize bank operations.

Maybe we could add GPG keys to the authentication method pool.

Antenore, if you can and want, you could follow thinking about how to 
integrate bank support (bank to use, design and libs to carry out the 
implementation) according to the functionality we are going to develop.

The project is not in a hurry.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]