This is more of a reminder to myself - you can enable SSL on WordPress, but it's essentially an undocumented feature. This afternoon all I could find was a forum posting on enabling SSL.
There doesn't seem to be genuine documentation on it in the Codex, at least, not documentation that pops out when you do a search.
It's no surprise that someone managed to reset Sarah Palin's password on a freebie e-mail account. She's a public figure and the answers to her so-called "security questions" are on the public record. It's one thing to do personal and political e-mail on a Yahoo account but it's DUMB to use such an account for government business when you have your very own support staff to keep that e-mail secure.
Large scale vendors like Yahoo and Google can't help but do a bad job at authentication. This is why OpenID poses such promise - it lets us choose our authentication provider. Yes, some people will choose bad vendors. Careful people, however, get to choose safe ones.
These are design patterns in the Christopher Alexander sense rather than the object oriented design sense: they address the physical and network environment rather than focusing on software abstractions. The patterns were introduced in my book Authentication.
There are four patterns: local, direct, indirect, and off-line.
In honor of the electoral season, I'm sharing an old photograph. The occasion was a visit by Senator John McCain (R-AZ) to Secure Computing in June, 1999. We discussed possible revisions to cryptographic export controls, and he posed for photos, holding a copy of Internet Cryptography, which was 'recently published' back then.
I don't want to turn this into a political blog - this posting simply reports on the visit.
I received an e-mail from a mutual friend named Jim Burrows who was decrying the state of information security, blaming it on the lack of good models for solving modern security problems. I have to agree, and I admit I don't have a glib answer.
A few weeks back, Gunnar Peterson posted some comments relevant to this discussion of modern security policy, but I haven't managed to frame a response to that one, either.
At least, I can agree that traditional models are broken. I believe there are some fundamentals that remain constant, but the high level attempt to build firewalled enclaves is clearly obsolete (except for a very few special situations).
Thanks to Gary Krall, tech director of PIP at Verisign, I have a recipe for "works every time" OpenID delegation with their free PIP service. First, what is OpenID delegation?
Delegation lets you use your very own URL as your identity URL for logging in with OpenID. For example, I can use http://www.cryptosmith.com/ to log in to web sites. To do this, you have to provide some special statements (a.k.a. magic) in your HTML files that redirect the OpenID process from your web site to the service that actually does your OpenID authentication.
You are welcome to use your OpenID credentials to register with Cryptosmith and/or to post comments.
When you register for the site with OpenID, the Cryptosmith site will automatically try to collect your name and e-mail address from the OpenID provider. This information will be copied into your profile. At present all profiles are private except to the site administration.