<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>OpenID provider announcement</title>
</head>
<body>
<p>Dear readers,</p>
<p>I am proud to present the <strong>alpha version</strong> of our new</p>
<h1>OpenID provider</h1>
<p>You can try it out at <a href="https://ssl-test.sugarlabs.org/">https://ssl-test.sugarlabs.org/</a>.</p>
<h2>What is it good for?</h2>
<p>It enables you to log in to any OpenID enabled site without having to
remember a password. Just enter your OpenID identifier (e.g.
<a href="https://ssl-test.sugarlabs.org/id/Sascha_Silbe">https://ssl-test.sugarlabs.org/id/Sascha_Silbe</a> or
<a href="https://sascha.silbe.org/">https://sascha.silbe.org/</a>) and you'll get logged in.</p>
<p>It also demonstrates some parts of how I envision
<a href="http://en.wikipedia.org/wiki/Single_sign-on">Single Sign On</a> to work
on the Sugar Labs services in the future.</p>
<h2>What should you be aware of?</h2>
<p>Neither the code nor the specific SSO scheme it's based on has been
audited by anyone (else) yet. While I took measures to protect the
OpenID provider against
<a href="http://en.wikipedia.org/wiki/Cross-site_request_forgery">CSRF</a> attacks,
they might be insufficient or incorrectly implemented. There's also a
chance that the fully automatic login makes additional attack vectors
practical.</p>
<p><strong>Please do NOT use it to log into accounts you consider valuable,
precious or otherwise important.</strong>
It's just a demo; even the URL will change in the future.</p>
<p>I've focused on the technology for now, so <strong>the UI is still rather
rough</strong> (patches welcome).</p>
<h2>What works?</h2>
<ul>
<li>Creating a client certificate if the browser does not have one
installed yet (not necessary for Browse with the SSO patch applied)</li>
<li>Registering</li>
<li>Adding keys to an existing account (i.e. use the same OpenID identifier
from several browsers and/or computers)</li>
<li><a href="http://openid.net/specs/openid-authentication-1_1.html#delegating_authentication">Delegated identities</a>
(i.e. you can use the URL of your web site or blog as your OpenID
identifier if you include a specific HTML fragment on the page)</li>
</ul>
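<p>Delegation works by the relying party fetching the identifier page and reading two link tags from its head: openid.server (the provider's endpoint) and openid.delegate (the identity the provider actually knows). The following discovery routine is an added example written for this announcement, not code from the identity-aggregator project; the endpoint URL in the sample page is a constructed placeholder, and the HTTPS-only check is an added precaution rather than a requirement of the OpenID 1.1 spec.</p>

```python
"""Relying-party side of OpenID 1.1 delegation: find the provider endpoint
and delegate identity on a claimed identifier page (example code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample identifier page for https://sascha.silbe.org/.
# The openid.server URL is a placeholder, not the real endpoint.
SAMPLE_PAGE = """<html><head>
<link rel="openid.server" href="https://ssl-test.sugarlabs.org/ENDPOINT-PLACEHOLDER">
<link rel="openid.delegate" href="https://ssl-test.sugarlabs.org/id/Sascha_Silbe">
<title>Sascha</title></head><body>
<link rel="openid.delegate" href="https://other.example/id/x">
</body></html>"""


class _DelegationLinkParser(HTMLParser):
    """Collect openid.server / openid.delegate <link> tags, head only."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self.head_closed = False  # links in <body> must be ignored

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.head_closed = True
        if tag != "link" or self.head_closed:
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        href = a.get("href")
        for rel in ("openid.server", "openid.delegate"):
            if rel in rels and href and rel not in self.links:
                self.links[rel] = href  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.head_closed = True


def discover_delegation(html, claimed_id, require_https=True):
    """Return (endpoint, identity) or None if no usable delegation exists.
    The identity sent to the provider is openid.delegate when present,
    otherwise the claimed identifier itself (plain, non-delegated use)."""
    p = _DelegationLinkParser()
    p.feed(html)
    p.close()
    server = p.links.get("openid.server")
    if server is None:
        return None
    identity = p.links.get("openid.delegate", claimed_id)
    # Added check: an identifier page served over plain HTTP can be altered
    # in transit, which would redirect the login to a different provider.
    if require_https and any(urlparse(u).scheme != "https" for u in (server, identity)):
        return None
    return server, identity
```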
<h2>What does not work yet or is still missing?</h2>
<ul>
<li>Several browsers have known quirks that require mutually exclusive
workarounds on the server side if
<a href="http://en.wikipedia.org/wiki/Server_Name_Indication">TLS SNI</a> is
used. Until we move the OpenID provider to a separate IP address (so
that we don't need SNI), some browsers (e.g.
<a href="https://bugzilla.gnome.org/show_bug.cgi?id=581342#c17">Epiphany</a>)
will fail to connect.</li>
<li>The server certificate is issued by CAcert.org, whose root certificate
isn't included in many browsers' trust stores, so those browsers will show a
scary SSL warning.</li>
<li>Account recovery and change notifications via email are unsupported.</li>
<li>Only a single OpenID identifier per user/account is supported (privacy
concerns).</li>
<li><a href="http://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html">PAPE</a>
support is missing.</li>
<li>Most
<a href="http://openid.net/specs/openid-simple-registration-extension-1_0.html">SREG</a>
properties are not supported.</li>
<li><a href="http://openid.net/specs/openid-attribute-exchange-1_0.html">Generic attributes</a>
(Attribute Exchange) support is missing.</li>
</ul>
<h2>What can YOU do to help?</h2>
<ul>
<li>Try it out!</li>
<li>Do a security audit.</li>
<li>Write explanatory text for the UI.</li>
<li>Do a <a href="https://git.sugarlabs.org/identity-aggregator/identity-aggregator">code</a>
review.</li>
<li>Provide any other kind of constructive feedback.</li>
</ul>
</body>
</html>