OpenID homesite authorization spoofed
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Mon Oct 23 12:16:16 UTC 2006
James A. Donald wrote:
> To work, OpenID has to be rooted in digital signatures
> that the site has chosen to trust. The easiest way is
> of course to trust any of the millions of certificates
> signed by any of the hundred or so certificate
> authorities blessed by the major browsers,
Yes, absolutely! Sniffing of user/password pairs will not be possible
anymore (and therefore access to thousands of OpenID-enabled sites is
better secured), but the IdPs and relying RPs also have to make some
basic checks on that...
> and for most
> purposes this will be good enough, but I suspect that
> for some applications, this may be excessively liberal,
> and the site operator should be able to construct his
> own list of acceptable certificates.
>
This is more problematic, because in such a case I can go back to spoofing
other sites with my own site again... More than that, it's not enough
that your site trusts it; all other relying sites have to trust it
as well... This is not an exclusive decision which only affects your
site, but all the sites relying on it...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
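The "basic checks" the reply asks of relying parties, and the reason one site's private certificate list does not carry over to other relying sites, can be shown concretely. The following is an added example and is not code from this thread or from any OpenID implementation; it builds a toy PKI entirely in memory (the names "Public CA", "Site Private CA", "idp.example" and "other-idp.example" are constructed for the demonstration) and runs the two checks a relying party must make on an identity provider's certificate: that it chains to a root the site trusts, and that it was issued for the host the site expects.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added example, not code from the thread or any OpenID project. All
// authorities, keys and host names below are constructed in memory.

// TrustResult records the two basic checks a relying party (RP) makes on a
// certificate before trusting signatures rooted in it.
type TrustResult struct {
	TrustedCA   bool // chains to a root in this RP's own trust store
	NameMatches bool // issued for the IdP host the RP expected to reach
}

// CheckIdPCert runs both checks against the RP's own root store.
func CheckIdPCert(cert *x509.Certificate, roots *x509.CertPool, host string) TrustResult {
	_, chainErr := cert.Verify(x509.VerifyOptions{Roots: roots})
	nameErr := cert.VerifyHostname(host)
	return TrustResult{TrustedCA: chainErr == nil, NameMatches: nameErr == nil}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs template under parent (parent == template gives a self-signed
// certificate) and returns the parsed result.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

func leafTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // hostname checks use the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// Evaluate builds the constructed PKI and runs the checks for the cases the
// thread argues about.
func Evaluate() map[string]TrustResult {
	publicKey, siteKey, idpKey, rogueKey := newKey(), newKey(), newKey(), newKey()
	// "Public CA" stands in for an authority every browser ships; "Site Private
	// CA" is one operator's hand-picked root that no other RP shares.
	publicTpl, siteTpl := caTemplate("Public CA", 1), caTemplate("Site Private CA", 2)
	publicCA := issue(publicTpl, publicTpl, &publicKey.PublicKey, publicKey)
	siteCA := issue(siteTpl, siteTpl, &siteKey.PublicKey, siteKey)
	// Genuine IdP certificate from the public CA, and a self-signed one that
	// merely claims the IdP's name.
	idp := issue(leafTemplate("idp.example", 3), publicCA, &idpKey.PublicKey, publicKey)
	rogueTpl := leafTemplate("idp.example", 4)
	rogue := issue(rogueTpl, rogueTpl, &rogueKey.PublicKey, rogueKey)

	sharedRoots, siteRoots := x509.NewCertPool(), x509.NewCertPool()
	sharedRoots.AddCert(publicCA)
	siteRoots.AddCert(siteCA)
	return map[string]TrustResult{
		// An RP on the shared browser roots accepts the IdP.
		"idp via shared roots": CheckIdPCert(idp, sharedRoots, "idp.example"),
		// An RP with its own private list rejects the very same IdP: the
		// decision is not exclusive to one site, every RP has to make it.
		"idp via one site's own list": CheckIdPCert(idp, siteRoots, "idp.example"),
		// The name alone proves nothing: the rogue cert fails the chain check.
		"rogue self-signed": CheckIdPCert(rogue, sharedRoots, "idp.example"),
		// A genuine cert for another host must not pass for this IdP.
		"idp cert, wrong host": CheckIdPCert(idp, sharedRoots, "other-idp.example"),
	}
}

func main() {
	for name, r := range Evaluate() {
		fmt.Printf("%-28s trustedCA=%-5v nameMatches=%v\n", name, r.TrustedCA, r.NameMatches)
	}
}
```

Both checks have to pass before the RP relies on anything signed under that certificate; the second case is the one the reply is worried about, since an IdP accepted by every site on the shared root store is rejected outright by a site that trusts only its own list.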