On Thu, 29 May 2008, Jeremy Katz wrote:
Jeffrey Tadlock wrote:
> > The phishing problem isn't unique to OpenID.
>
> No, it isn't unique to OpenID - but it is certainly an area we should
> take into account before implementing OpenID.
>
> With all of that said - I like the OpenID idea. And we run other
> services that have potential exposure to security issues (ssh, just
> our normal FAS logins, etc) - but we do make efforts to protect those
> services to the best of our ability to reduce our risk.

... and we should actually look at using our SSL certs more for authentication
as opposed to requiring people to type their FAS password all over the place.
This is something I keep meaning to bring up but then have other stuff come
up instead.

Actually we have some SSL auth in place already, though I'm not totally
sure of the status of it. We haven't officially announced it, I know that :)
ricky? toshio? any comments?
-Mike