Revising OpenID for WordPress

September 21st 2008

Will Norris is working on a revision to OpenID for WordPress. This is good, and I have some observations and suggestions. At the moment the OpenID plugin works pretty well - I have separate logins delegated through domains I own. I routinely log in through OpenID for both routine and administrative activities.

Posted under Information Security & WordPress | 2 Comments »

Easily Reset Passwords and OpenID

September 20th 2008

It’s no surprise that someone managed to reset Sarah Palin’s password on a freebie e-mail account. She’s a public figure and the answers to her so-called “security questions” are on the public record. It’s one thing to do personal and political e-mail on a Yahoo account but it’s DUMB to use such an account for government business when you have your very own support staff to keep that e-mail secure.

Large-scale vendors like Yahoo and Google can’t help but do a bad job at authentication. This is why OpenID poses such promise - it lets us choose our authentication provider. Yes, some people will choose bad vendors. Careful people, however, get to choose safe ones.

Posted under Information Security | No Comments »

“Design Patterns” for Identity Systems

September 18th 2008

These are design patterns in the Christopher Alexander sense rather than the object-oriented design sense: they address the physical and network environment rather than focusing on software abstractions. The patterns were introduced in my book Authentication.

There are four patterns: local, direct, indirect, and off-line.


Posted under Information Security | No Comments »

OpenID Delegation on WordPress

August 17th 2008

Thanks to Gary Krall, tech director of PIP at Verisign, I have a recipe for “works every time” OpenID delegation with their free PIP service. First, what is OpenID delegation?

Delegation lets you use your very own URL as your identity URL for logging in with OpenID. For example, I can use http://www.cryptosmith.com/ to log in to web sites. To do this, you have to provide some special statements (a.k.a. magic) in your HTTP files that redirect the OpenID process from your web site to the service that actually does your OpenID authentication.


Posted under Information Security | No Comments »
