Comments on: Don’t Make Your Blog an OpenID Provider

By: ahockley

ahockley — Fri, 05 Dec 2008 04:50:12 +0000

That's a good point Al… if one has weak security on their blog, someone could potentially hijack that redirect and point it to another OpenID provider. Just another factor for consideration.

By: Al Briggs

Al Briggs — Thu, 04 Dec 2008 09:41:21 +0000

A good post to make people consider if they really want to entrust their identity to the security of their blog – made me reconsider my plans.

Do you perhaps end it by contradicting yourself – if I enable openId delegation on my personal blog – surely the same security consdierations come into play – does it matter if I use verisign if someone can hack into my blog and redirect to another openId provider to validate me?

By: Adron Hall

Adron Hall — Mon, 20 Oct 2008 02:42:14 +0000

But wait, I was about to go to OpenID for everything! Actually no, all my secure stuff is staying with the original, slightly more seriously secure, security apparatusii.

But I look forward to locking down my OpenID stuff even better over the next few weeks and enabling my ID to work with more and more of my sites, sites I use, and other such.

Especially since, I always want your feedback on my articles and you won’t use stuff that doesn’t use Open ID! argh!

By: Will Norris

Will Norris — Wed, 08 Oct 2008 03:04:50 +0000

Aaron, I couldn’t agree more. I strongly believe it is important for an individual to have the ability to run their own OpenID provider, if they so choose. Having near zero barrier to entry is one of the things that makes OpenID great. That being said, I think some of the OpenID providers that are available today (especially the three you mentioned, along with some of the newer ones using Yubikey) have much better security than WordPress currently does. I could certainly put all my money under my mattress and rest assured that I have complete control over it, but for now I find putting it in a bank a better option.