[OpenID] Fwd: OpenID Spoofing

Dmitry Shechtman damnian at gmail.com
Sun Jan 21 18:23:43 UTC 2007


Currently sites with "bad" certs are more secure than good ones, because the
approve-this-bad-cert dialog will come up and you can verify that it's the
same bad cert as last time :)

Here's a crazy idea: what if the OP used such a "bad cert"?

E.g. MyOpenID.com could use JanRain's cert. This way all users would get a
chance to inspect the cert (and also get to know the company behind the OP
by the way).

Regards,

Dmitry

=damnian 
