OpenID homesite authorization spoofed
James A. Donald
jamesd at echeque.com
Mon Oct 23 12:03:44 UTC 2006
Alaric Dailey wrote:
> If the vouching party can't be validated then any
> assertions they make are worthless. Just exactly like
> PGP, if you aren't doing the validation, then they key
> can't TRULY be trusted, and most people have NO IDEA
> how to validate a PGP key correctly.
>
> In the real world, the DMV tries to show that they are
> ones who issued a drivers license by "signing" it with
> embedded logos, holograms etc. In the digital world
> the only good analogy is a digital signature,
To work, OpenID has to be rooted in digital signatures
that the site has chosen to trust. The easiest way is
of course to trust any of the millions of certificates
signed by any of the hundred or so certificate
authorities blessed by the major browsers, and for most
purposes this will be good enough, but I suspect that
for some applications, this may be excessively liberal,
and the site operator should be able to construct his
own list of acceptable certificates.
More information about the general
mailing list