Andrew Wiedemann

My feedback

  1. 194 votes
    36 comments  ·  Ideas
    Andrew Wiedemann commented  · 

    (I wasn't logged in when I posted this topic)

  2. 6 votes
    3 comments  ·  Ideas
    Andrew Wiedemann commented  · 

    If a user remembers their OpenID provider, this is no problem because the provider's site should have these features. However, because the system is decentralized and potentially thousands of small ID providers will exist, it is difficult to imagine a system to retrieve the user's provider name. Presumably OpenID identities will be central enough to users' online activity that it will be nearly impossible to forget.

  3. 310 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    97 comments  ·  Ideas  ·  Flag idea as inappropriate…  ·  Admin →

    That’s a great idea. It’s certainly something that OPs and RPs should take into consideration.

    There are currently some conversations going on about an OpenID Security Best Practices document; while the spec shouldn’t mandate SSL, it certainly should present the case for supporting it, ideally in a best practices doc.

    Andrew Wiedemann commented  · 

    I don't think SSL is an important aspect for OpenID-enabled sites unless they are security crucial (in which case they are already using SSL). The OpenID implementation takes care of encryption during the authentication process. No new security threats exist post-authentication when OpenID is used rather than a traditional username and password. The most important information that can be eavesdropped is the password associated with the OpenID account. This is transmitted to the OpenID provider, not the OpenID-enabled site. Therefore, it is much more useful for the ID provider to use SSL rather than the accepting site.
