On Tue, May 22, 2018 at 10:19:17PM -0400, Ding Yi Chen wrote:
> Our recent analysis has shown that some OpenID providers return
> HTTP-based OpenID identities, even when the login is initiated via
> HTTPS. This introduces an element of risk to OpenID authentication
> and also forces the use of looser firewall rules. For the security of
> the service, we have decided to discontinue OpenID support. Local
> username/password authentication is still supported.

I don't think Fedora's OpenID login has this flaw. Would it be possible
to allow OpenID login for white-listed providers which are known to be
well-behaved?

--
Matthew Miller
<mattdm@fedoraproject.org>
Fedora Project Leader
_______________________________________________
trans mailing list -- trans@lists.fedoraproject.org
To unsubscribe send an email to trans-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/trans@lists.fedoraproject.org/message/GXUVRIOYY4FYCDPSAXRFZWFZTGEUMQRL/
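
The policy discussed in this thread (accept OpenID logins only from allow-listed providers, and never accept an HTTP-based identity) can be written as a relying-party check. This is an added example, not part of the original thread or of any project's code; the provider endpoint, the identity namespace and the function names are hypothetical, and it assumes an OpenID library has already verified the assertion's signature.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list (constructed values): exact OP endpoint URL mapped to
# the host suffix under which that provider's identities must live.
ALLOWED_PROVIDERS = {
    "https://op.example.org/openid/": ".id.example.org",
}


def _https_host(url):
    """Return the lowercase host if url is a plain https URL, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or parts.username or parts.password:
        return None
    if port not in (None, 443) or not parts.hostname:
        return None
    return parts.hostname.rstrip(".")  # urlsplit already lowercases the host


def accept_assertion(params):
    """Decide whether a signature-verified OpenID 2.0 positive assertion may
    log in. Returns (ok, reason)."""
    endpoint = params.get("openid.op_endpoint", "")
    claimed = params.get("openid.claimed_id", "")

    # An http:// endpoint can never match, because only https keys are listed.
    suffix = ALLOWED_PROVIDERS.get(endpoint)
    if suffix is None:
        return False, "provider not on allow-list"

    # The case from the announcement: login started over HTTPS, but the
    # provider returned an HTTP-based identity.
    host = _https_host(claimed)
    if host is None:
        return False, "claimed_id is not an https URL"

    # Match on a label boundary so "evilid.example.org" is not accepted.
    if not ("." + host).endswith(suffix):
        return False, "claimed_id outside provider's identity namespace"
    return True, "ok"
```
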