security (was Re: [dix] Re: Gathering requirements for in-browser OpenID support)

Alaric Dailey alaricd at pengdows.com
Fri Oct 20 20:57:34 UTC 2006


Ryan Barrett wrote:
> On Fri, 20 Oct 2006, Eddy Nigg (StartCom Ltd.) wrote:
>
>   
>> If the "requirements" of SSL (and DNSSEC) are up to the IdP to implement
>> OpenID securely, how can this network be ever extended beyond forum and blog
>> logins? Also here I'm a little bit clueless. The specs speaks about signing
>> of the authentication messages, but there seems to be no securing (explicit)
>> of the data in any other way?
>>     
>
> "up to the IdP" does not mean "won't be used." IdPs that use OpenID in
> meaningful transactions - say, PayPal, or the DMV - will almost certainly use
> SSL to protect sensitive data like passwords on the wire. all they're saying
> is that OpenID doesn't *mandate* it.
>
> as for DNSSEC, i think josh is right. it's a red herring. sure, DNS is
> technically insecure, 
Therefore it's not a red herring. That is like saying that just because it's 
hard to brute-force a password, or make an MD5 (or SHA-1) collision 
happen, or pull off a MITM attack, they are red herrings. Just 
because it's hard, it doesn't mean it isn't a real threat.
> which is a huge temptation for technical people like us
> to blow out of proportion. in practice, though, the holes in DNS are so awkward,
> and require so many resources, that they're almost never exploited in the
> wild. it's just not on the script kiddies' radar, much less real criminals'.
>
> big organizations like banks and brokerage firms are ok with conducting
> sensitive transactions over plain vanilla DNS. given that precedent, i doubt
> we'd want to burn many cycles on DNSSEC.
>   

They aren't dealing with offloading user verification to some other 
system, AND they use SSL, so users' data never leaves their site; 
therefore the problem doesn't affect them. Furthermore, banks, especially US 
banks, are perfectly happy with snake oil rather than security.


Maybe I am talking to the wrong group of people, but I would have 
assumed these issues would already have been resolved and would now have 
easy answers.

<http://cert.startcom.org/?app=109>