[OpenID] OpenId Association Timeout Recommendations

Hans Granqvist hgranqvist at verisign.com
Wed Feb 7 19:08:57 UTC 2007

Aswath Rao wrote:
> I would like to know whether your point regarding the vulnerability of 
> Direct verification still holds if we use Cardspace as it was announced 
> earlier in the day. This is relevant for the application where we use 
> OpenID as the identifier for SIP sessions.

It's unclear to me how or on what level Cardspace will integrate
with OpenID, so I cannot respond just yet, sorry!

I know being a MITM is not necessarily as easy in practice as
in theory, but the direct verification step of OpenID is
too fragile regardless of identity mechanism.

