[dix] Re: Gathering requirements for in-browser OpenID support
Barry Ferg
barry at sxip.com
Thu Oct 19 16:44:18 UTC 2006
===================================================================
--- openid-authentication.xml (revision 68)
+++ openid-authentication.xml (working copy)
@@ -2218,6 +2218,15 @@
all parts of the interaction, including interaction with
the End User through the User Agent.
</t>
+
+ <t>
+ Another man in the middle attack exists in that a
+ malicious RP may take the identifier and redirect the user
+ agent to a host that proxies the user's IdP. The user's
+ authentication credentials may then be compromised. SSL
+ connections between the user agent and the IdP eliminate
+ this attack technique.
+ </t>
</section>
</section>
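Review bot: the final sentence of the new paragraph overstates the mitigation. A host that proxies the IdP can itself serve SSL with a valid certificate for its own name, so an SSL connection between the user agent and the "IdP" only defeats this attack if the End User verifies that the user agent is actually connected to the genuine IdP (expected hostname and certificate) before entering credentials. Suggest replacing "SSL connections between the user agent and the IdP eliminate this attack technique." with wording such as "SSL between the user agent and the IdP mitigates this attack only when the End User verifies that the user agent is connected to the genuine IdP before entering credentials." Minor: "man in the middle attack" should be hyphenated as "man-in-the-middle attack" for consistency with the compound adjective usage elsewhere in the security considerations.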
On 18-Oct-06, at 11:10 PM, Josh Hoyt wrote:
> On 10/18/06, Dick Hardt <dick at sxip.com> wrote:
>> btw: this MITM attack MUST be clearly described in the security
>> considerations of the spec ...
>
> feel free to submit a patch or at least some wording.
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>