[OpenID] OpenId Association Timeout Recommendations

Recordon, David drecordon at verisign.com
Fri Feb 9 07:38:50 UTC 2007

I don't think it is a reasonable assumption to make that people are
going to be running SSL with a NULL cipher suite in these situations.  I
think the spec is quite clear in the fact that you need to do TLS/SSL
right in order for it to matter.

So yes, there are MITM attacks if you're on an untrusted network and not
correctly using TLS/SSL.


-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Granqvist, Hans
Sent: Thursday, February 08, 2007 10:29 AM
To: David Fuelling
Cc: security at openid.net; general at openid.net
Subject: Re: [OpenID] OpenId Association Timeout Recommendations

> However, the spec seems to indicate that if SSL/TLS is used, then 
> Direct Verification is ok (Section 15.1.2, first line of 2nd 
> paragraph).  Do you agree?

In principle, yes, I do.  But SSL is such an ephemeral notion.
For instance, you can run SSL with NULL cipher suites so that traffic
goes in the clear.

To me, it seems that a RP that knows how to properly set up and use SSL
to verify the OP (with PKI trust processing) would probably want to
equally properly OpenID-associate.

The original intent of DV was for usage scenarios ("ajax") where proper
SSL is not normally nor easily available nor implementable. 
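Added example, not code from the thread or from the OpenID specification: the check a Relying Party would put in front of "direct verification" so that it only trusts TLS that is actually doing its job, i.e. the peer certificate is verified against a trust store and the negotiated suite encrypts (no NULL or anonymous suites). The function names, the cipher policy string and the shape of the session-gating helper are my assumptions.

```python
import ssl

# Cipher policy: exclude NULL-encryption (eNULL) and anonymous (aNULL) suites,
# plus legacy weak algorithms. TLS 1.3 suites are unaffected by set_ciphers(),
# and none of them are NULL suites.
CIPHER_POLICY = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"


def make_rp_context() -> ssl.SSLContext:
    """Client-side context a Relying Party would use when contacting an OP over TLS."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + hostname check + system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHER_POLICY)
    return ctx


def context_allows_null(ctx: ssl.SSLContext) -> bool:
    """True if the context could still negotiate a NULL-encryption suite."""
    return any("NULL" in c["name"].upper() for c in ctx.get_ciphers())


def cipher_is_confidential(cipher_name: str) -> bool:
    """True if the suite name denotes an encrypted, server-authenticated suite.

    OpenSSL names NULL-encryption suites with 'NULL' and anonymous DH/ECDH
    suites with an 'ADH' / 'AECDH' prefix.
    """
    n = cipher_name.upper()
    return "NULL" not in n and not n.startswith(("ADH", "AECDH"))


def session_is_proper(verify_required: bool, check_hostname: bool, cipher) -> bool:
    """Gate for trusting direct verification on an established TLS session.

    verify_required / check_hostname mirror the SSLContext settings the socket
    was created with; cipher is the (name, protocol, secret_bits) tuple that
    SSLSocket.cipher() returns (None if no session was negotiated).
    """
    if cipher is None:
        return False
    name, _protocol, secret_bits = cipher
    return (verify_required and check_hostname
            and cipher_is_confidential(name) and secret_bits > 0)
```

On a live connection, call `session_is_proper(sock.context.verify_mode == ssl.CERT_REQUIRED, sock.context.check_hostname, sock.cipher())` and fall back to an association-based (signed) check when it returns False.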

