[OpenID] Trust + Security @ OpenID

Peter Williams pwilliams at rapattoni.com
Thu Jul 19 18:07:52 UTC 2007


Can the cert of the SSL endpoint also attest to it being a XRI proxy,
too, in case the https UCIs have xri form? (It has to be an EE cert-level
assertion, for use also in a self-signed SSL cert. It cannot be invoking
special CA certs that "centralize" control over OPs and their
participation in OpenID's "https name resolution".)

This would all avoid having to use a centralized XRI proxy, in the xri
variant of UCIs. The OP can be its own xri resolver (via the https-based
trusted URL name resolution process). If the OP wants to delegate to a
centralized TTP proxy for XRI names, so be it.

The nice thing here is that OP Consumers have to maintain their own SSL cert
lists - it's not something one delegates to the browser's binding to SSL,
and that trust store. It's the OP Consumer site's trust store and cert
chain processing logic, managed however one wishes, with one's own policy on using
white/black/revoked/suspended/cross-certified/cc-suspended/cc-revoked
certs and cert-chain handling.

I like the http TLS upgrade feature. I hate it typically, but in
promoting http to https for USE IN TRUSTED NAME RESOLUTION, it's fine,
if not "cute".


-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Dmitry Shechtman
Sent: Thursday, July 19, 2007 10:52 AM
To: jpanzer at acm.org
Cc: general at openid.net; security at openid.net
Subject: Re: [OpenID] Trust + Security @ OpenID

Thank you for your comments, John.

> In particular, if you see a 302 redirect on step (2) to an https:// URL,
> ignore it (susceptible to man-in-the-middle attack).

So should we distrust identifiers that redirect via plain HTTP?


> And the above applies both to an OpenID URL itself and any URLs that
> resource delegates to via <link>.

I don't see why delegates should get any special treatment. In fact, it
looks like the security add-on should be completely delegation-blind.


Regards,
Dmitry
=damnian

_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
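The rule discussed in this thread (a 302 seen over plain http during discovery cannot upgrade trust, and the same check applies delegation-blind to any <link rel="openid.delegate"> target) as an added, constructed example of a relying party's discovery check. This is illustrative code, not from the OpenID project; the hostnames, responses and the `walk`/`discover` helpers are all assumptions built for the demo.

```python
import re
from urllib.parse import urlsplit

# Constructed responses an RP fetcher might observe: url -> (status, Location, body).
# No network is used; the whole redirect graph is embedded here.
RESPONSES = {
    "http://alice.example/": (302, "https://alice.example/", ""),
    "https://alice.example/": (200, None,
        '<html><head><link rel="openid.delegate" href="https://op.example/alice">'
        '<link rel="openid.server" href="https://op.example/endpoint"></head></html>'),
    "https://op.example/alice": (200, None, "<html><head></head></html>"),
    "https://bob.example/": (200, None,
        '<html><head><link rel="openid.delegate" href="http://legacy.example/bob">'
        '</head></html>'),
    "http://legacy.example/bob": (301, "https://legacy.example/bob", ""),
    "https://legacy.example/bob": (200, None, "<html></html>"),
}

LINK_RE = re.compile(r'<link\s+rel="openid\.delegate"\s+href="([^"]+)"', re.I)


def walk(url, responses=RESPONSES, max_hops=5):
    """Follow redirects as an RP fetcher would, recording every URL requested."""
    hops = []
    for _ in range(max_hops + 1):
        status, location, body = responses[url]
        hops.append(url)
        if status in (301, 302, 303, 307) and location:
            url = location
        else:
            return hops, body
    raise ValueError("redirect loop or too many hops")


def chain_is_trusted(hops):
    """Thread's rule: the result counts as trusted https resolution only if no
    plaintext-http hop appears anywhere on the path, because a redirect received
    over http can be forged by a man-in-the-middle and so cannot upgrade trust."""
    return all(urlsplit(u).scheme == "https" for u in hops)


def discover(identifier):
    """Return (trusted, final_identifier). Delegation-blind: a delegate URL found
    via <link rel="openid.delegate"> goes through exactly the same check."""
    hops, body = walk(identifier)
    trusted = chain_is_trusted(hops)
    m = LINK_RE.search(body)
    if m:
        d_hops, _ = walk(m.group(1))
        return trusted and chain_is_trusted(d_hops), d_hops[-1]
    return trusted, hops[-1]
```

Note that `http://alice.example/` ends at the same https delegate as `https://alice.example/` but is marked untrusted purely because of the plaintext first hop, and `https://bob.example/` is untrusted because its delegate link points through http.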
