OpenID homesite authorization spoofed
James A. Donald
jamesd at echeque.com
Tue Oct 24 01:45:08 UTC 2006
Eddy Nigg (StartCom Ltd.) wrote:
> The way OpenID works currently, it is possible to
> spoof it, even if secured by SSL and DNSSEC. Therefore
> there is something else missing as well

In principle, it should be possible to secure identity
with a single public key operation per login. SSL
involves lots of public key operations, and DNSSEC a few
more.

Those arguing against SSL would have a point if they
argued cost to benefit, rather than arguing we don't
need security. If we don't need security, we don't need
OpenID.

If SSL and DNSSEC do not do it, there should be some
way of doing it, and at substantially lower cost.