[OpenID] Selectively Redirecting OpenID Traffic To HTTPS

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Wed Jan 16 06:41:40 UTC 2008


Hans Granqvist wrote:
>> If you are concerned about the latter attack, then you can either enter
>> https:// explicitly or wait until you get to your IdP and verify its SSL
>> cert to make sure you haven't been tricked.
>>     
>
> Of course, a pretty simple attack is RP getting a domain, 
Don't you refer here to the ID provider instead of the relying party (RP)?
>
> OpenID aware browsers or add-ons could help. OPs that use
> OTPs, challenge response, biometrics, etc. could also help. But
> is it even feasible to force their use?
According to the specs an RP can request minimum requirements such as 
the ones mentioned above, however if there is a rogue ID provider 
somewhere, he can reply with the matching response anyway. So there 
isn't much use for it except in case the RP limits the ID providers he 
wants to work with and knows about their "trustworthiness", I 
think... The question is really who needs to be protected by whom?!

-- 
Regards 
 
Signer:  	Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:  	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog:  	Join the Revolution! <http://blog.startcom.org>
Phone:  	+1.213.341.0390
 
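The point Eddy makes above (an RP may request authentication policies, but an OP's assertion that it met them is only worth as much as the RP's trust in that particular OP) can be shown as a small relying-party check. This is an added example, not code from the thread or from any OpenID library: it assumes the response has already passed OpenID signature verification, uses the real PAPE policy URIs, and the allowlist of trusted OP endpoints and the sample responses are constructed for illustration.

```python
"""RP-side evaluation of PAPE policy claims against an OP allowlist.

Added example (not part of the original mailing-list post). Assumes the
OpenID response has already been signature-checked; only the trust
decision about the asserted policies is modelled here.
"""

# Policy identifiers defined by the OpenID PAPE extension.
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
NONE = "http://schemas.openid.net/pape/policies/2007/06/none"

# Constructed allowlist: OP endpoint -> policies the RP believes that OP
# genuinely enforces. An endpoint absent from this map is unknown to the RP,
# so nothing it asserts about itself is taken at face value.
TRUSTED_OPS = {
    "https://op.example.com/server": {MULTI_FACTOR, PHISHING_RESISTANT},
    "https://basic-op.example.net/openid": set(),
}


def claimed_policies(response):
    """Parse openid.pape.auth_policies: space-separated URIs, 'none' means empty."""
    raw = response.get("openid.pape.auth_policies", "").strip()
    if not raw or raw == NONE:
        return set()
    return set(raw.split())


def evaluate_response(response, required, trusted_ops=TRUSTED_OPS):
    """Return (accepted, reason).

    Accept only when the OP endpoint is on the allowlist and every required
    policy is both claimed in the response and, per the allowlist, actually
    enforced by that OP. A rogue OP can put any policy URI in its response;
    the allowlist is what prevents that claim from counting.
    """
    op = response.get("openid.op_endpoint", "")
    if op not in trusted_ops:
        return False, "untrusted OP endpoint: " + (op or "<missing>")
    effective = claimed_policies(response) & trusted_ops[op]
    missing = set(required) - effective
    if missing:
        return False, "required policies not satisfied: " + " ".join(sorted(missing))
    return True, "ok"


# Constructed sample responses (only the fields this check looks at).
SAMPLE_RESPONSES = {
    # A rogue OP asserting multi-factor: rejected because the endpoint is unknown.
    "rogue": {
        "openid.op_endpoint": "https://evil-op.example.org/server",
        "openid.pape.auth_policies": MULTI_FACTOR + " " + PHISHING_RESISTANT,
    },
    # A trusted but password-only OP asserting multi-factor: claim not honoured.
    "overclaiming": {
        "openid.op_endpoint": "https://basic-op.example.net/openid",
        "openid.pape.auth_policies": MULTI_FACTOR,
    },
    # A trusted OP asserting a policy the RP knows it enforces: accepted.
    "trusted": {
        "openid.op_endpoint": "https://op.example.com/server",
        "openid.pape.auth_policies": MULTI_FACTOR,
    },
}


def demo(required=(MULTI_FACTOR,)):
    """Evaluate every sample response; returns {name: (accepted, reason)}."""
    return {name: evaluate_response(resp, required) for name, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:12s} accepted={ok} ({why})")
```

The decisive line is the allowlist lookup: without it, the `auth_policies` field is a self-assertion by whoever answered the request, which is exactly why Eddy concludes the requirement is only useful when the RP limits which ID providers it works with.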
