UI Options and user preferences stored locally

Richard Schwerdtfeger schwer at us.ibm.com
Tue Jan 4 21:52:00 UTC 2011


Antranig,

First, let me first say that I used to be an OpenID proponent, however
after speaking with IBM corporate security experts I changed my mind.
Although these (those you list) more consumer facing companies support it
large enterprises do not. We need to have user preferences available to
corporate web sites, libraries, etc. What is extremely important to me is
that users be able to use GPII to improve their prospects for employment.

As I stated, what I would prefer is the HTML 5 local data storage approach
with a browser add on. This plug-in would also synch up with GPII when a
preference store is available. For this:

- A user has full control over who accesses the preferences
- Preferences can be accessed by web applications directly from HTML 5
constructs
- A user can configure preferences locally in their browser


Here are some pointers to security and privacy issues:

1, http://en.wikipedia.org/wiki/OpenID#Security_and_phishing

The man in the middle issue is very real.

2.
http://serverfault.com/questions/7005/is-there-a-danger-in-fake-openid-providers

You also have competing proprietary solutions from other vendors making the
question of what identify broker mechanism should be used problematic:
http://www.insecureaboutsecurity.com/tag/openid/

3.
http://keystoneisit.blogspot.com/2007/03/5-reasons-openid-is-not-for-me.html

Personally, I have a concern of delivering too much of my private data into
the hands of a commercial business. Google is really an advertising company
who make use of your private data for reasons not intended by the user. So,
the fact that a company Google supports OpenID is not necessarily a plus.
As for Yahoo I have concerns too. I wonder who will end up owning them
going forward and where my personal data would end up. What this is saying
is I would prefer to have greater control over my user preferences by
controlling and manipulating them locally.

The security lead I used to know for IBM software has left the company.
What I will do is find out who the new security czar is and see if he has
more details about the Open Id security issues.

Rich Schwerdtfeger
CTO Accessibility Software Group



From:	Antranig Basman <antranig.basman at colorado.edu>
To:	Richard Schwerdtfeger/Austin/IBM at IBMUS
Cc:	Colin Clark <colinbdclark at gmail.com>, Fluid Work
            <fluid-work at fluidproject.org>, Gregg Vanderheiden
            <gv at trace.wisc.edu>
Date:	01/04/2011 09:09 AM
Subject:	Re: UI Options and user preferences stored locally



On 04/01/2011 07:59, Richard Schwerdtfeger wrote:

>  > In the new year, Antranig and the UI Options team are planning to
>  > start work on cloud-based user preferences storage. The plan is to
>  > create a reference implementation of a user preferences server
>  > integrated with OpenID. I know that you have some concerns about
>  > OpenID, but I think it offers the only reasonable starting place for
>  > being able to demonstrate widely-supported cloud based user
>  > authentication. From there, we can talk further about how we might
>  > want to production-harden the implementation.
>  >
>
> As I mentioned to Antranig, I am not a fan of OpenID. It has had very
little industry uptake and is subject
> to phishing via masquerading brokers. Last I spoke to IBM security
experts they did not support it for this
> reason.
>
> I have concerns about using it just to "demonstrate" that we can provide
preferences to an application. We
> could do that now with web services. I can't support OpenID as a strategy
for GPII.

Thanks for voicing these concerns, Richard. We do need to make practical
progress on this front, however.
Could you suggest an alternative technology to OpenID that has some level
of public currency as a standard
and implementation? You mention that OpenID has "very little industry
uptake" but as far as I am aware, any
alternatives have even less. OpenID has at least been taken up by the likes
of Google, Yahoo, Paypal, and
the BBC. Also, I'd be grateful if you could provide some links to analysis
of the security deficiencies of
OpenID so that we can understand them better, and also, which we could
perhaps use to base any evaluation of
a replacement standard.

Many thanks,
Antranig.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://fluidproject.org/pipermail/fluid-work/attachments/20110104/f82e349c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
URL: <http://fluidproject.org/pipermail/fluid-work/attachments/20110104/f82e349c/attachment.gif>


More information about the fluid-work mailing list