
May 24, 2007 Archives

May 24, 2007

OVD 10.1.4.2 Docs (including EUS configuration) Now Live on OTN

It turns out there was some delay in getting the OVD 10.1.4.2 docs posted on OTN. They were included as part of the install but now you can read them before installing OVD 10.1.4.2.

10.1.4.2 Product Manual
10.1.4.2 Release Notes
OVD-EUS Data Sheet
OVD Homepage on OTN

Oracle Internet Directory Tuning Guide

I was reminded that we have a tuning guide to the Oracle Internet Directory (OID). OID is Oracle's storage-based directory server that leverages the Oracle database to provide scalability, reliability and security. It is one of the components (along with OVD and Directory Integration Platform - which is our directory synchronization product) of the Oracle Directory Services package.


Be Careful to Remember the Boundaries in Security

In this post, the blogger (Carsten Pötter) mentions that Estonia is going to issue an OpenID to all its citizens as part of a national electronic identity project it has already implemented.

The blogger makes a rather bold claim:
"Those OpenID's are very secure because smart cards are required which make phishing and identity theft impossible."

But as Simon Willison asks - how?

This is a classic case of being more positive than reality warrants, because when it comes to security nothing is ever truly impossible. It can be harder - but hardly impossible. History is littered with examples where the "impossible" happened:

The Great Wall of China. Maginot Line. Titanic. 9/11. 
 
And Pötter asks a naive, but good question:
"So am I really completely wrong? As far as I know scammers need a smart card as well to log in even if they know my password."

Here are some ways I could see this system failing:

  • A person could be threatened or bribed into activating their smart-card for someone else to use
  • The OpenID service itself could be hacked and thus faked
  • The smart cards could be forged
  • Valid smart cards could be given to false identities either through forged documents or dishonest government employees
  • Someone could figure out how to simulate a valid smart-card authentication
  • The OpenID server could have a bug that allowed for cross-site scripting attacks
  • A phishing site might discover a way to capture a valid authentication and replay it later

Overall - I think this OpenID project is an interesting and necessary experiment (how else will we ever learn whether OpenID is valuable or not?).
And smart-card authentication is generally more secure than simple username & password.
But we should be keeping in mind how these things can fail and adjust our trust levels as necessary.
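The capture-and-replay item in the list above is one that a relying party can check for directly. The following is an added example, not code from the original post or from any OpenID library: it sketches a relying-party check modelled on the OpenID 2.0 `openid.response_nonce` convention (a UTC timestamp followed by unique characters). The field serialization, the five-minute window, the class name and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # assumed acceptance window

def sign(secret: bytes, fields: dict) -> str:
    """HMAC-SHA256 over sorted key:value lines (simplified serialization)."""
    payload = "".join(f"{k}:{fields[k]}\n" for k in sorted(fields)).encode()
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()

class AssertionVerifier:
    """Relying-party check: valid signature, fresh timestamp, nonce never seen."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen = {}  # (endpoint, nonce) -> issue time

    def verify(self, fields: dict, sig: str, now: datetime) -> str:
        if not hmac.compare_digest(sign(self.secret, fields), sig):
            return "bad-signature"
        nonce = fields.get("response_nonce", "")
        try:
            issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            return "bad-nonce"
        issued = issued.replace(tzinfo=timezone.utc)
        if abs(now - issued) > MAX_SKEW:
            return "stale"
        # Forget nonces that the freshness check would now reject anyway.
        self.seen = {k: t for k, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        key = (fields.get("op_endpoint"), nonce)
        if key in self.seen:
            return "replay"
        self.seen[key] = issued
        return "ok"

# Constructed sample assertion; all values are made up for illustration.
SECRET = b"constructed-association-secret"
NOW = datetime(2007, 5, 24, 12, 0, 30, tzinfo=timezone.utc)
SAMPLE = {
    "op_endpoint": "https://op.example/auth",
    "return_to": "https://rp.example/return",
    "response_nonce": "2007-05-24T12:00:00Zx7Qp",
}
SAMPLE_SIG = sign(SECRET, SAMPLE)
```

The same signed assertion is accepted once, rejected as a replay on the second presentation, and rejected as stale once it falls outside the window. None of this addresses the other items in the list, such as a coerced cardholder or a compromised provider.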





About May 2007

This page contains all entries posted to Virtual Identity Dialogue in May 2007. They are listed from oldest to newest.
