Friday, February 08, 2008

OpenID: Saviour or Fraud?

I don't usually try to be as controversial as this may first appear, but given all of the hoopla over OpenID lately, I'm more than a little alarmed.

Password management has long been the subject of discussion in the security community, and rightly so -- it is important.

It remains the primary "credential" for access to "protected" data. Your data.

Personally, I use RoboForm (in the USB variety) to protect my various passwords, and I use -- what I would consider -- strong passwords: randomized text and numeric values that ensure that they have relatively low chances of being brute-force dictionary cracked.

I highly recommend RoboForm, and by the way, I have no affiliation other than being a satisfied customer. I love it.

Back to OpenID.

What really bothers me (scares me?) about this proposal is the centralized management of access control to your data.

Centralized "management" is bad when it comes to your sensitive personal data.

Why?

Because it can be mismanaged, improperly secured, or secretly divulged to third parties without your knowledge. With OpenID the identity provider vouches for you to every site you log into, so it sees every login, and a compromise of that one provider (or of your one account there) exposes all of them at once.

Do you really trust some "trusted" organization with your access control data? Would you give the key to your home to the Post Office (probably a bad example, but you get the idea)?

This just strikes me as a stunningly bad idea all around, regardless of what the popular trade press and its proponents suggest.

Just a couple of thoughts.

I won't be using it. I don't trust the "powers" in charge of it to "do the right thing".

It makes it easier for the vendors, to the detriment and risk of the consumer.

Most of these vendors have already shown that they cannot be trusted with your personal data.

Until there is a double-blind, cryptographically strong method for password management, forget about it.


- ferg

2 Comments:

At Sat Feb 09, 12:04:00 AM PST, Anonymous Anonymous said...

Why not run your own OpenID server then? You can make it as secure as you like and can afford ;-)

P.S. I probably would not have commented on your blog had it not been OpenID-enabled.

At Sat Feb 09, 12:13:00 AM PST, Blogger Fergie said...

jernst:

It's all about choice, yes?

I will never use a centralized "ID" system. Ever.

Good luck, Mon Ami.

- ferg
