
Re: Refactoring the Debtags web interface



Peter Palfrader wrote:
> As openid provides no security whatsoever there's probably not a big
> chance of us (as in DSA) hopping onto the openid hype any time soon.

openid could be secure - e.g. by enforcing https everywhere, always checking the remote certificate properly, never using passwords for authentication, etc.

Unfortunately, none of these apply to the implementations I have seen (although my openid provider does at least allow for x509 certificate authentication instead of password based authentication).

There was a good article at <http://idcorner.org/2007/08/22/the-problems-with-openid/>; unfortunately the domain appears to be off-line now, and the archive at <http://web.archive.org/web/20080208023407/http://idcorner.org/2007/08/22/the-problems-with-openid/> is difficult to read due to bad formatting.

--
Brian May <brian@microcomaustralia.com.au>

