[Sugar-devel] [sugar] XO identity shared via Browse

[Ivan Krstić]

On Dec 4, 2008, at 4:59 PM, Sebastian Silva wrote:
> I looked this up. Actually, his only argument that I could find it
> suposedly makes phishing easier. I must really disagree.

Can we please not duke out the issues with OpenID on this particular  
list? Go argue with Kim Cameron at <http://idcorner.org/2007/08/22/the-problems-with-openid/ 
 > or something.

I originally envisioned a potential use for OpenID within the XO  
security model in minimizing the number of passwords that needed to be  
remembered by the kids. I was thinking of strong, automatic OOB  
authentication to the IdP on the XS as a slightly lesser evil than a  
browser plugin storing the passwords, as the latter is potentially  
harder to back up, restore, etc. But I've come around since then -- an  
XS IdP will probably mean people expect to be able to use their OpenID  
from anywhere, including e.g. internet cafe machines that are not  
their XOs, in which case the strong OOB authentication to the IdP  
would be absent, thus we're back down to a password, thus we go down  
the rabbit hole of stupidity that I was trying to avoid in the first  
place.

For authenticating the XO to just the XS, OpenID seems downright  
idiotic, and I'm actually in disbelief about hearing genuine  
suggestions for OpenID over Jabber. Or, in fact, anything else over  
Jabber. For those just tuning in, the whole story of Jabber on the XO  
has basically been colorfully fucked, as has that of the entire  
collaboration stack. I suggest further proposals of actually using  
Jabber for anything wait until the basic XO implementation gets to the  
point where IRC was 20 years ago -- namely, working.

--
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | http://radian.org