Comments on: OpenID for all Estonians

By: Privacy and Identity Theft » Blog Archive » Estonia issuing Smart-cards for OpenID logins?

Sat, 26 May 2007 20:08:09 +0000

[...] is some hyperbole about this Estonian OpenID rollout. Some claim that smartcards prevent phishing, and that is not completely accurate. There’s [...]

By: OLDaily[ä¸æ–‡ç‰ˆ] » Blog Archive » 2007å¹´5æœˆ24æ—¥

OLDaily[ä¸æ–‡ç‰ˆ] » Blog Archive » 2007å¹´5æœˆ24æ—¥ — Fri, 25 May 2007 17:53:57 +0000

[...] è¿™é‡Œæœ‰æ›´å¤šå†…å®¹ä»‹ï¼ŒåŒ…æ‹¬å¯¹é—®é¢˜çš„è¯„è¿°ã€‚Simon Willison, Weblog May 24, 2007 [...]

By: Tara (PassPack)

Tara (PassPack) — Fri, 25 May 2007 15:39:24 +0000

> “While the eID seems to be a very comfortable authentication tool privacy issues occur, of course.”

This is what I’m most concerned about. I posted about it here:
http://passpack.wordpress.com/2007/05/25/openid-a-great-thing-going-amok/

Cheers,
Tara

By: OpenID: A great thing... going amok? « PassPack - The Blog

OpenID: A great thing... going amok? « PassPack - The Blog — Fri, 25 May 2007 15:33:35 +0000

[...] 25th, 2007 I recently came across Carsten PÃ¶tter’s post OpenID for all Estonians wherein he writes about a nationwide implementation of OpenID in Estonia. Citizens and foreign [...]

By: Martin Paljak

Martin Paljak — Thu, 24 May 2007 23:40:27 +0000

I finally found some time and willingness to write a blog post in English. It covers the same subject and might be of interest. http://martin.paljak.pri.ee/2007/05/25/openid-smart-cards-and-security-risks/

By: pauldwaite

pauldwaite — Thu, 24 May 2007 22:09:52 +0000

> I guess I have to erase the word â€œimpossibleâ€? from my vocabulary now.

When describing how easy it is to break into any computer system, then yeah, I think so

By: Carsten PÃ¶tter

Carsten PÃ¶tter — Thu, 24 May 2007 21:35:38 +0000

I guess I have to erase the word impossible from my vocabulary now.

By: Mark Wilcox

Mark Wilcox — Thu, 24 May 2007 21:03:11 +0000

I’ve written my own response here with examples of how this system could break at
http://blogs.oracle.com/mwilcox/2007/05/24#a149

By: Anon

Anon — Thu, 24 May 2007 21:02:50 +0000

I think that the smart cards are a form of 2FA. So only 1 part of the 2 factors is ever exposed. Even if a MITM was to intercept a request the value is only valid for that point in time so useless when trying to replay a request or use it another time. That’s probably a simplification of how it works…

By: Carsten PÃ¶tter

Carsten PÃ¶tter — Thu, 24 May 2007 16:45:50 +0000

Well, Simon Willison is asking a similar question. So am I really completely wrong? As far as I know scammers need a smart card as well to log in even if they know my password.

Anyone more knowledegable about smart cards than me?

Comments on: OpenID for all Estonians

By: Privacy and Identity Theft » Blog Archive » Estonia issuing Smart-cards for OpenID logins?

By: OLDaily[ä¸­æ–‡ç‰ˆ] » Blog Archive » 2007å¹´5æœˆ24æ—¥

By: Tara (PassPack)

By: OpenID: A great thing... going amok? « PassPack - The Blog

By: Martin Paljak

By: pauldwaite

By: Carsten PÃ¶tter

By: Mark Wilcox

By: Anon

By: Carsten PÃ¶tter

By: OLDaily[ä¸æ–‡ç‰ˆ] » Blog Archive » 2007å¹´5æœˆ24æ—¥