[dix] Re: Gathering requirements for in-browser OpenID support
Dan Lyke
danlyke at flutterby.com
Thu Oct 19 18:58:48 UTC 2006
On Thu, 19 Oct 2006 09:44:18 -0700, Barry Ferg wrote:
> + agent to a host that proxies the user's IdP. The user's
> + authentication credentials may then be compromised. SSL
The connection could also just be sniffed. The risks of passing
reusable credentials over an insecure link aren't new, and we knew
this about telnet connections back in the early '90s.
Making specific mention of this in the spec may be okay, but unless
there's something specific to the protocol (i.e., if a malicious site
could compromise future logins by spoofing to both the user and to the
relying party), I think the obvious things can be reduced to "traffic
over the net may be watched by hostile parties".