Comment 22 for bug 1169

Sami Haahtinen (ressu) wrote : Re: [Bug 1169] on OpenID provider clearinghouses

On Wed, 2007-09-12 at 23:21 +0000, Kevin Turner wrote:
> I'd argue against relying on a clearinghouse for OpenID providers. You
> trust the developer to manage their SSH key and their GPG keys, why not
> trust that they have sane management practices for their OpenID as well?

I agree here.

In the end the people who have PGP keys already know about security and
are quite aware of phishing. Even more so are the people who actually
know about SSH keys and how to manage those.

Everyone can get bitten by security and each and every system is
vulnerable to some sort of attack, especially to social attacks. We
shouldn't discriminate against a system because the users can make mistakes.

Even still I see the problem with PGP and SSH keys. Maybe something like
a low security / high security model could be established. You can log
in to low security mode with your OpenID where you are unable to add SSH
and PGP keys or modify e-mail addresses (possibly not be able to edit
user details at all) but you would be able to file bugs and otherwise
work with Launchpad. For high security mode you would still have to log
in with a password.

That would still bring some of the benefits of both worlds.

- s

--
Sami Haahtinen <email address hidden>