OpenID Security

SitG Admin sysadmin at shadowsinthegarden.com
Mon Feb 9 18:21:28 UTC 2009


>Likewise, the protocol can be defined as weak where someone may 
>apply additive security on top of it. Kinda like doing SMTP over TLS 
>and/or S/MIME.

Is that what Ben Laurie meant in the footnote?
http://openid.net/pipermail/security/2008-August/000404.html
A given implementation of OpenID *might* contain DNS-level security, 
MultiAuth, good CRLs, etcetera; but because the spec doesn't 
*demand* it, obviously it's the *OpenID* protocol that is weak. 
Obviously. It's no one's fault that *DNS* isn't secure; it's only the 
fault of anyone that tries to *use* DNS for any secure purposes.
</sarcasm>
-Shade


