While upgrading my WordPress installation, I decided that the permalink structure’s inclusion of the “/archives” string was superfluous. http://www.laurenwood.org/anyway/2007/10/04/sample-post/
contains as much relevant information as http://www.laurenwood.org/anyway/archives/2007/10/04/sample-post/
. So I changed the permalink structure, and also installed Dean’s Permalinks Migration to take care of the 301 redirection of links to the old URLs. So far it seems to work fine; if you don’t like your permalink structure any more but don’t want to risk people getting 404s, try it out.
I’ve worked at companies that did Myers-Briggs/Keirsey temperament testing on people, and just for fun decided to try out another couple of tests over the last couple of months, most recently at mypersonality.info. It seems my personality type wanders, from INTJ to INTP and over to ISTJ. Either that, or I look at myself differently on different days, or respond unexpectedly to nuances in questions. At least two of the four axes are reasonably stable, even if the other two aren’t. Fortunately nobody I know takes this stuff too seriously; as the sites say, these are all tendencies rather than absolutes.
Another interesting point: all three of those personality types are said to be more prevalent in males than females. And probably more prevalent in the career path I’ve chosen as well.
I’ve now finished my current batch of postings about Sun’s OpenID IdP. Here’s a listing of the relevant postings that the team has made. I’ll add new postings to this list as they’re published, or as I find them.
- Purpose and Policies
- Architecture
-
- Hubert Le Van Gong’s OpenID @ Work — Architecture
- Hubert Le Van Gong’s OpenID @ Work — Infrastructure Description
- Deployment
-
- Yvonne Wilson’s User-centricity, Trust: Technology or Practice?
- Eve Maler’s Sun OpenID IdP: protocol and implementation review
I upgraded to WordPress 2.3 at the weekend. Everything seemed to upgrade properly with no database errors, but I was getting a 500 Internal Server Error when I tried to look at the site pages. The error logs contained the answer – error: file is writable by others
with a pointer to the main index.php file. This seemed a little odd to me, but I looked at the mask and sure enough, the index.php file (and a whole lot of others) was group-writable. I changed the mask on the directories to 755 from 775, and the files from 664 to 644, and then everything worked just fine.
I also changed the stylesheet; still tweaking but it’s mostly done. Comments welcome!
Part of a series on Sun’s OpenID@Work initiative; see the introduction for more context.
Trust is always an issue on the web. People don’t usually even think about it, but they trust the DNS server to point their browser at the right web site when they click on a link, they trust the web server to serve up the right page, they trust their online bank to not broadcast their credit card numbers to the world, etc. etc. We as end-users can’t do anything about most of those, but there are some things that we can do, such as not giving banking details to sites that don’t look like our bank’s, or only giving out our social insurance numbers when we really have to. Knowing some of the issues and potential problems is important — you want to verify as much as possible whether your trust in the site is justified. So you don’t click on links in emails that don’t quite look right, and you check whether the little “locked” sign is present (assuming your browser hasn’t been hacked). Lots of people don’t trust internet systems with their personal data at all, deciding that the advantages of online interactions are outweighed by the potential damage if something goes wrong (there’s that risk assessment again that I talked about in the Business Purpose posting of this series).
So what’s this got to do with OpenID? Quite a lot, actually.
OpenID is an untrusted protocol, at least for version 1.1, which is the one we deployed on the OpenID IdP, and it’s likely to be true for version 2.0 as well, although that isn’t finished yet. As the OpenID web site says: This is not a trust system.
. Among other things, you don’t know anything about the site you’re logging into, it might be genuine, it might be a phishing site, it might be some other rogue site. And there’s no way currently for the Identity Provider to know. In other words, just because you can log into it with your openid identifier, doesn’t mean anything about what that site might do with any data or information you might give it. Which is one good reason why Sun’s OpenID IdP does not hand over information from the user’s account to the consuming site (relying party) unless the user agrees to it. You’re the person logging in, you can decide whether to trust that site with any information, whether that’s your openid identifier, or your name (possibly fake) or email address. And Sun’s system doesn’t ask for or store your date of birth, so if some site wants it (why would always be the right question to ask), feel free to answer correctly or with some completely random date (in fact, many privacy advocates say you should never tell any web site your real date of birth if there’s any way of legally avoiding it). Even handing over your openid identifier to some site can cause problems, if they then use it for purposes you didn’t expect and don’t agree to. Since this is an opt-in system for personal use, Sun wouldn’t bear any liability if you did fall prey to a phisher or other rogue while using your Sun openid identifier.
The upshot of this is that OpenID shouldn’t be used for what are called high-value transactions, at least in its current incarnation. High-value transactions are things such as logging in to your banking system, or releasing sensitive personal information such as your medical history. Typing “openid phishing” or “openid attacks” into your favourite search engine will give you some idea of the sorts of attacks that are currently possible. Some of these will be relatively easy to mitigate, and some aren’t really worth mitigating for the sorts of use cases that OpenID was designed for, as they would make the resulting protocol much harder to implement and deploy. And let’s face it, the idea behind OpenID was to have something easy and lightweight to deploy that meets some, but not all, authentication use cases.
Related articles include Steven Nelson’s So you wannabe an OpenID provider?, Eve Maler’s A Tincture of Trust, and Yvonne Wilson’s Trusted Sources of Information. Simon Willison has a slightly different take in Designing for a security breach. And if you want a more formal definition of trust and some of the issues around it, try Trust Modeling for Security Architecture Development.