[Openid-specs-ab] The competition

n-sakimura n-sakimura at nri.co.jp
Fri Aug 30 09:31:08 UTC 2013


Have they updated the BrowserID spec?
I and several other people have been pointing out security holes.
The main one that interests me is how the user is identified.
If I remember correctly, the user keypair gets regenerated from time to 
time, so the public key cannot be relied on as the user identifier. In 
the old days, they were using the email address as the identifier, which is 
very bad, as the identifier can be recycled (e.g., Yahoo!). I asked them 
to introduce a never-reassigned subject identifier, but I do not know 
if they have adopted it.


(2013/08/30 15:03), Tim Bray wrote:
> One of the more visible competitors for OIDC is Persona, from Mozilla; 
> I integrated it with my testbed and wrote up the experience: 
> https://www.tbray.org/ongoing/When/201x/2013/08/28/FC4-Persona

Nat Sakimura (n-sakimura at nri.co.jp)
Nomura Research Institute, Ltd.
Tel:+81-3-6274-1412 Fax:+81-3-6274-1547
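
[Added example, not part of the original message and not BrowserID or OpenID Connect code.] The identifier problem raised above, modelled from the relying party's side: the same three logins are replayed against accounts keyed by email address, by public key, and by an (issuer, subject) pair. The Assertion fields, the RelyingParty class and all sample values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Hashable


@dataclass(frozen=True)
class Assertion:
    """Hypothetical, already-verified identity assertion (not a real wire format)."""
    issuer: str      # identity provider that vouched for the user
    subject: str     # assumed: stable id the issuer never reassigns
    email: str       # mailbox address; the provider may recycle it
    public_key: str  # user's current key; regenerated from time to time


# Three candidate ways for a relying party to key its local accounts.
def by_email(a: Assertion) -> Hashable:
    return a.email.lower()

def by_public_key(a: Assertion) -> Hashable:
    return a.public_key

def by_subject(a: Assertion) -> Hashable:
    return (a.issuer, a.subject)  # subject is only unique per issuer


class RelyingParty:
    def __init__(self, key_fn: Callable[[Assertion], Hashable]):
        self.key_fn = key_fn
        self.accounts: Dict[Hashable, int] = {}

    def login(self, a: Assertion) -> int:
        """Return the local account bound to this assertion, creating it on first sight."""
        return self.accounts.setdefault(self.key_fn(a), len(self.accounts) + 1)


# Constructed sample assertions: original user, same user after key
# regeneration, and a different person who was later given the same mailbox.
ALICE = Assertion("https://idp.example", "sub-0001", "alice@mail.example", "key-A1")
ALICE_ROTATED = Assertion("https://idp.example", "sub-0001", "alice@mail.example", "key-A2")
NEW_OWNER = Assertion("https://idp.example", "sub-0002", "alice@mail.example", "key-B1")


def evaluate(key_fn: Callable[[Assertion], Hashable]) -> Dict[str, bool]:
    rp = RelyingParty(key_fn)
    first = rp.login(ALICE)
    return {
        "survives_key_rotation": rp.login(ALICE_ROTATED) == first,
        "recycled_mailbox_gets_old_account": rp.login(NEW_OWNER) == first,
    }
```

Only the (issuer, subject) key keeps the account across key regeneration while refusing to hand it to the later holder of a recycled address.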
