Re: [ANN] Please use Gerrit from now on for Patch Review

On Thu, Jun 21, 2012 at 10:13:38AM +0100, Michael Meeks wrote:
> On Wed, 2012-06-20 at 22:46 +0200, Bjoern Michaelsen wrote:

> > we vaguely considered running a TDF OpenID provider in the distant future,
> > but so shied away from that for the nontrivial cost (security is hard to
> > get right)

>       I imagine if Lionel wanted to re-open that decision, and has
> done the work anyway to get an openID server setup,

In short: I've done the work for a small-scale OpenID server (from one
user to a few users, each user being configured manually in a text
file). The implementations I've looked at would most probably not be
adequate for a bigger setup like TDF. Security being one of my core
interests, if there would be interest in a TDF OpenID provider, I
could be interested in participating in its setup, but we'd probably
select a more "large scale" implementation that the ones I now have
experience with.

In particular, local-openid is intrinsically single-user; but one can
run multiple copies of it :) (that is partially a joke; running it on
a machine that anybody else than you has a shell account on has
security implications I'd need to think about how to resolve). Part of
its appeal is that it is not run "system-wide", but that the user that
wants to authenticate runs it hirself from a shell account.

The other implementation I've setup is SimpleID; that's the one where
each user is configured manually in a text file, but we can delegate
that to the user hirself through symlinks. Security-wise, the password
is stored as an *unsalted* hash, but that would be easy enough to
change should we want to.

-- 
Lionel