[OpenID] 2-Headed OpenID Auth for Increased Security?

Ben Laurie benl at google.com
Mon Dec 1 13:13:28 UTC 2008


On Sun, Nov 30, 2008 at 5:56 PM, Peter Williams <pwilliams at rapattoni.com> wrote:

> Time to take the extension power of XRDS, and apply xmldsig "detached
> signature(s)"


Signing XRD is pretty much what we're proposing for the next generation...


>
>
> This would be using similar mechanism as used in Authenticode, where
> designers applied 3rd-party countersigning and 4th-party timestamping to
> solve validity problems - at internet scale. Different parties (OP,
> discovery agents, validation) can then cooperate, in the inherently
> suspicious world of open systems.
>
> The Shib/Apache-xmltooling toolset has all the mechanisms required to make
> power-use of the flexibility of the xmldsig standard (as do many other
> tools). Being very, very flexible in its references, it's easy to screw up
> application of xmldsig, producing unwanted side effects tho.
>
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Eric Norman
> Sent: Sunday, November 30, 2008 9:50 AM
> To: OpenID List
> Subject: Re: [OpenID] 2-Headed OpenID Auth for Increased Security?
>
>
> On Nov 30, 2008, at 9:35 AM, Andrew Arnott wrote:
>
> > I like the idea.... but the XRDS would have to mandatorily not be
> > hosted by either OP (which right now is commonly done), since that OP
> > would still ultimately have total assertion power by temporarily
> > manipulating the XRDS file to point to two OP endpoints that were both
> > controlled by the evil party.
>
> Be careful.  "Hosted by" does not necessarily imply "content
> controlled by".
>
> Eric Norman
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>