Comment 20 for bug 1169

Neal McBurnett (nealmcb) wrote : Re: [Bug 1169] Re: security issues

On Wed, Sep 12, 2007 at 09:31:38PM -0000, Kevin Turner wrote:
> "And I don't see much benefit in having launchpad accept openids from
> other providers since the security exposure can be pretty big."
>
> What does this mean? I've read Stefan's article, I'm familiar with the
> issues, I want to know what "security exposure" you are concerned with
> in the Launchpad application in particular. I'm a little confused,
> because you start your comment by saying it would be "helpful for
> relatively low-risk sites like bug trackers", and my primary use of
> Launchpad so far has been as a bug tracker.

Ahh - yes that would be a common experience - thanks for the feedback.

But launchpad can be used for far more than bug tracking - e.g. users
can register new pgp and ssh keys to be used for software
modifications, which I assume could lead to trojan software being made
available in repositories. Administrators can change the membership
of security-related teams, and there are probably other similar
exposures (I'm no launchpad expert though....)

Any site that accepts openids needs a policy and method for deciding
which openid providers to trust for what. In the use case I'm most
interested in it is easy - I can configure my own loco team's web site
to only trust launchpad for openid.

Even for bug tracking you want to know if you can trust the email
address, so you can reliably send bug updates without being accused of
spamming. Otherwise what is to prevent someone from authenticating
with a fake openid and spamming their favorite target?

Is there a reliable trust clearinghouse for openid providers? Where
e.g. launchpad could do some lookups and determine if the provider
could be trusted to provide reliable email addresses from folks who
wouldn't spam the bug reports? I suppose in that case launchpad could
allow users with openids to do low-risk stuff, but that would increase
complexity and thus risk significantly, I bet.
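
The "which providers to trust for what" policy discussed in this comment, sketched as an added example; it is not part of the original message and not Launchpad's code. The provider hostnames and action names are constructed placeholders, and the endpoint passed in is assumed to be one the site's OpenID library has already verified.

```python
from urllib.parse import urlsplit

# Constructed policy: provider origin -> actions it is trusted for.
# Hostnames are placeholders, not real provider endpoints.
POLICY = {
    # Fully trusted provider: may back high-risk actions such as key registration.
    "https://login.trusted-provider.example": {
        "comment", "file_bug", "email_updates", "register_key",
    },
    # Provider trusted for low-risk bug tracking only; its e-mail claims
    # are not relied on, so no "email_updates".
    "https://openid.community.example": {"comment", "file_bug"},
}
DEFAULT_ACTIONS = frozenset()  # unknown providers are trusted for nothing


def provider_origin(op_endpoint):
    """Reduce a verified provider endpoint URL to https://host[:port].

    Returns None for anything that must not be matched against the policy.
    """
    try:
        parts = urlsplit(op_endpoint)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None  # plaintext endpoints cannot be authenticated
    if parts.username is not None or parts.password is not None:
        return None  # reject "trusted-host@other-host" look-alikes
    host = parts.hostname.lower().rstrip(".")
    if port not in (None, 443):
        return f"https://{host}:{port}"
    return f"https://{host}"


def allowed(op_endpoint, action):
    """True only if the provider is listed and trusted for this action."""
    origin = provider_origin(op_endpoint)
    if origin is None:
        return False
    return action in POLICY.get(origin, DEFAULT_ACTIONS)
```

A site that trusts a single provider, as in the loco team case above, is the same policy with one entry.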