<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>OpenID provider announcement</title> </head> <body> <p>Dear readers,</p> <p>I am proud to present the <strong>alpha version</strong> of our new</p> <h1>OpenID provider</h1> <p>You can try it out at <a href="https://ssl-test.sugarlabs.org/">https://ssl-test.sugarlabs.org/</a>.</p> <h2>What is it good for?</h2> <p>It enables you to log in to any OpenID enabled site without having to remember a password. Just enter your OpenID identifier (e.g. <a href="https://ssl-test.sugarlabs.org/id/Sascha_Silbe">https://ssl-test.sugarlabs.org/id/Sascha_Silbe</a> or <a href="https://sascha.silbe.org/">https://sascha.silbe.org/</a>) and you'll get logged in.</p> <p>It also demonstrates some parts of how I envision <a href="http://en.wikipedia.org/wiki/Single_sign-on">Single Sign On</a> to work on the Sugar Labs services in the future.</p> <h2>What should you be aware of?</h2> <p>Neither the code nor the specific SSO scheme it's based on have been audited by anyone (else) yet. While I took measures to protect the OpenID provider against <a href="http://en.wikipedia.org/wiki/Cross-site_request_forgery">CSRF</a> attacks, they might be insufficient or incorrectly implemented. There's also a chance that the fully automatic login makes additional attack vectors practical.</p> <p><strong>Please do NOT use it to log into accounts you consider valuable, precious or otherwise important.</strong> It's just a demo; even the URL will change in the future.</p> <p>I've focused on the technology for now, so <strong>the UI is still rather rough</strong> (patches welcome).</p> <h2>What works?</h2> <ul> <li>Creating a client certificate if the browser does not have one installed yet (not necessary for Browse with the SSO patch applied)</li> <li>Registering</li> <li>Adding keys to an existing account (i.e. use the same OpenID identifier from several browsers and/or computers)</li> <li><a href="http://openid.net/specs/openid-authentication-1_1.html#delegating_authentication">Delegated identities</a> (i.e. you can use the URL of your web site or blog as your OpenID identifier if you include a specific HTML fragment on the page)</li> </ul> <h2>What does not work yet or is still missing?</h2> <ul> <li>Several browsers have known quirks that require mutually exclusive workarounds on the server side if <a href="http://en.wikipedia.org/wiki/Server_Name_Indication">TLS SNI</a> is used. Until we move the OpenID provider to a separate IP address (so that we don't need SNI), some browsers (e.g. <a href="https://bugzilla.gnome.org/show_bug.cgi?id=581342#c17">Epiphany</a>) will fail to connect.</li> <li>The server certificate is issued by CAcert.org which isn't included in many browsers. A scary SSL warning will pop up for those.</li> <li>account recovery and change notifications via email are unsupported</li> <li>only a single OpenID identifier per user/account is supported (privacy concerns)</li> <li><a href="http://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html">PAPE</a> support is missing</li> <li>most <a href="http://openid.net/specs/openid-simple-registration-extension-1_0.html">SREG</a> properties are not supported</li> <li><a href="http://openid.net/specs/openid-attribute-exchange-1_0.html">generic attributes</a> support is missing</li> </ul> <h2>What can YOU do to help?</h2> <ul> <li>Try it out!</li> <li>Do a security audit.</li> <li>Write explanatory text for the UI.</li> <li>Do a <a href="https://git.sugarlabs.org/identity-aggregator/identity-aggregator">code</a> review.</li> <li>Provide any other kind of constructive feedback.</li> </ul> </body> </html>