security
Dan Lyke
danlyke at flutterby.com
Tue Oct 24 21:35:26 UTC 2006
On Tue, 24 Oct 2006 11:43:11 -0700, Pete Rowley wrote:
> However, an RP will be expecting an unknown number of IdPs, what
> does key caching do for them? What action would they take when
> the keys don't match?
For DNS poisoning attacks, I'd expect that the attack would be against
a specific provider. For the applications I'm implementing OpenID for
(which, admittedly, tends to be fairly small and niche, my various
weblogs (a couple of hundred participants a week) and some mailing
list and calendar management for various groups I'm involved in), I
expect that LiveJournal will provide at least a quarter of the
identities, followed by VeriSign PIP, trailing off into the occasional
weirdo running their own identity provider (i.e. me).
So I see two protections:
1. When the LJ sign-ins start complaining about an identity change, I
know that I as a relying party can't trust my upstream DNS.
2. When the lone wacko signs in and their server's identity has
changed, I can warn them that either I can't trust my upstream DNS, or
their server has been compromised.
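One way to implement the two protections described above, as an added example that is not part of the original thread or of any OpenID library: a trust-on-first-use cache of each provider's key fingerprint, with the diagnosis keyed on that provider's share of sign-ins. The `IdpKeyCache` class, the `major_share` threshold and the sample hostnames are assumptions for illustration.

```python
from collections import Counter

class IdpKeyCache:
    """Trust-on-first-use pinning of each IdP's key, plus the post's two diagnoses (hypothetical helper)."""

    def __init__(self, major_share=0.25):
        self.pinned = {}             # IdP endpoint -> key fingerprint seen on first contact
        self.logins = Counter()      # IdP endpoint -> sign-in count, to estimate its share
        self.mismatches = Counter()  # IdP endpoint -> sign-ins whose key differed from the pin
        self.major_share = major_share  # assumed share that makes an IdP "major" (LJ in the post)

    def observe(self, idp, fingerprint):
        """Record one sign-in via `idp` presenting `fingerprint`: 'pinned', 'ok' or 'mismatch'."""
        self.logins[idp] += 1
        if idp not in self.pinned:
            self.pinned[idp] = fingerprint
            return "pinned"
        if self.pinned[idp] == fingerprint:
            return "ok"
        self.mismatches[idp] += 1
        return "mismatch"

    def diagnose(self, idp):
        """Interpret a key mismatch at `idp` from the relying party's point of view."""
        if self.mismatches[idp] == 0:
            return "no-mismatch"
        total = sum(self.logins.values())
        share = self.logins[idp] / total if total else 0.0
        if share >= self.major_share:
            # Protection 1: a big provider's key "changing" more likely means our DNS is lying to us.
            return "suspect-rp-upstream-dns"
        # Protection 2: a lone provider's key change could be our DNS or their compromised server.
        return "warn-user-dns-or-idp-compromise"

def run_demo():
    """Constructed sign-in history: a large IdP, a mid-size one and a self-hosted one."""
    cache = IdpKeyCache()
    big, mid, lone = "idp-large.example", "idp-mid.example", "idp-self-hosted.example"
    for _ in range(30):
        cache.observe(big, "fp-big-1")
    for _ in range(10):
        cache.observe(mid, "fp-mid-1")
    cache.observe(lone, "fp-lone-1")
    # The key now "changes" at the big provider and at the lone one.
    cache.observe(big, "fp-big-2")
    cache.observe(lone, "fp-lone-2")
    return {idp: cache.diagnose(idp) for idp in (big, mid, lone)}
```

Calling `run_demo()` flags the large provider's mismatch as a likely upstream DNS problem at the RP and the self-hosted one as a per-user warning, while the provider whose key never changed reports no mismatch.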