OWASP Day NZ talk report

Francois Marier

Sep 16, 2013, 7:06:06 AM
On Thursday, I talked [1] about Persona at the New Zealand OWASP Day [2]
in Auckland. There were about 200 people in the audience (web developers
and security people).

The funny thing is that one of the talks after me also had Persona in
one of the demos and then two other people mentioned it in their talks.
Also, a few people told me it was the second time they saw my talk (the
first time was at WDCNZ [3]) but still liked it :)

# Audience questions

- What happens if you lose faith in your email provider? Is your ID
tied to your email address?

- How does the browser generate the certificates and store them?

- If you're using a shared computer, is there a "do not remember me"
checkbox to click?

- What would happen if login.persona.org got compromised? What would an
attacker get if they compromised our servers?

- Can you restrict which identity providers are allowed on your site?

- If someone steals your email account, you're screwed. Is there
anything you can do to mitigate this? Is there a way to combine email
authentication and a second factor?

- Has there been any interest from other companies like Google?

- Is there a PRISM feed going from Persona to the NSA?

- Is there any way of using Persona without JavaScript?

- Is there a way to force a logout if you know you've been compromised?

- Would it be suitable for a site that caters to truck drivers?

Francois


[1] Slides and audio here:
http://www.slideshare.net/fmarier/persona-owaspdaynz

[2] https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2013

[3]
https://groups.google.com/d/topic/mozilla.dev.identity/V7dFG0kkzR4/discussion