security

Alaric Dailey alaricdailey at hotmail.com
Wed Oct 25 02:16:43 UTC 2006


DNS poisoning generally happens against a specific domain, to downstream
routers, especially Windows DNS servers, by poisoning the cache (much easier
to do, not to mention harder to detect) rather than modifying the root DNS.
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Dan Lyke
Sent: Tuesday, October 24, 2006 4:35 PM
To: general at openid.net
Subject: Re: security

On Tue, 24 Oct 2006 11:43:11 -0700, Pete Rowley wrote:
> However, an RP will be expecting an unknown number of IdPs, what does
> key caching do for them? What action would they take when the keys
> don't match?

For DNS poisoning attacks, I'd expect that the attack would be against a
specific provider. For the applications I'm implementing OpenID for (which,
admittedly, tends to be fairly small and niche, my various weblogs (a couple
of hundred participants a week) and some mailing list and calendar
management for various groups I'm involved in), I expect that LiveJournal
will provide at least a quarter of the identities, followed by VeriSign PIP,
trailing off into the occasional weirdo running their own identity provider
(ie: me).

So I see two protections:

1. When the LJ sign-ins start complaining about an identity change, I know
that I, as a relying party, can't trust my upstream DNS.

2. When the lone wacko signs in and their server's identity has changed, I
can warn them that either I can't trust my upstream DNS, or their server has
been compromised.

_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
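The two protections Dan describes amount to a trust-on-first-use key pin per identity provider, plus a rule for interpreting a mismatch: many complaints through one popular provider point at the relying party's own resolver, a single odd provider changing could be either DNS or that server. The sketch below is an added example, not code from either poster or from any OpenID library; it assumes an IdP is identified by its endpoint URL, that the RP can obtain some key material for that endpoint at sign-in time (passed in here as raw bytes), and the endpoint URLs and threshold value are constructed for illustration.

```python
"""
Trust-on-first-use key pinning for an OpenID relying party (added example).

Assumptions (not from the thread): an IdP is keyed by its endpoint URL,
the RP receives the IdP's key material as bytes at each sign-in, and a
mismatch count of `alarm_threshold` or more for one endpoint is treated
as "many sign-ins complaining".
"""
import hashlib
from collections import defaultdict


class KeyPinStore:
    def __init__(self, alarm_threshold=3):
        self.pins = {}                       # endpoint -> pinned fingerprint
        self.mismatches = defaultdict(int)   # endpoint -> mismatches since last reset
        self.alarm_threshold = alarm_threshold

    @staticmethod
    def fingerprint(key_bytes):
        # Pin a hash of the key rather than the key itself; cheap to store and compare.
        return hashlib.sha256(key_bytes).hexdigest()

    def check(self, endpoint, key_bytes):
        """Compare the key seen now with the pinned one.

        Returns "pinned" on first use, "ok" on a match, "mismatch" otherwise.
        A mismatch is recorded but never silently replaces the pin.
        """
        fp = self.fingerprint(key_bytes)
        pinned = self.pins.get(endpoint)
        if pinned is None:
            self.pins[endpoint] = fp         # trust on first use
            return "pinned"
        if pinned == fp:
            return "ok"
        self.mismatches[endpoint] += 1
        return "mismatch"

    def assess(self, endpoint):
        """Classify a mismatch along the lines of the two cases in the thread."""
        n = self.mismatches[endpoint]
        if n == 0:
            return "no_mismatch"
        if n >= self.alarm_threshold:
            # Many sign-ins via one provider all disagree with the pin: the
            # common factor is the RP's own resolver, so distrust upstream DNS.
            return "suspect_upstream_dns"
        # A lone provider changed: could be the RP's DNS or that server itself.
        return "dns_or_idp_compromise"

    def rotate_pin(self, endpoint, key_bytes):
        """Operator-confirmed key rotation: replace the pin and clear the count."""
        self.pins[endpoint] = self.fingerprint(key_bytes)
        self.mismatches[endpoint] = 0


def demo():
    # Constructed sample: one popular provider, one self-hosted one.
    store = KeyPinStore(alarm_threshold=3)
    big = "https://big-idp.example/openid"
    lone = "https://lone-idp.example/openid"
    store.check(big, b"big-key-v1")
    store.check(lone, b"lone-key-v1")
    # Three sign-ins through the big provider now show a different key.
    for _ in range(3):
        store.check(big, b"big-key-UNEXPECTED")
    # One sign-in through the self-hosted provider shows a different key.
    store.check(lone, b"lone-key-UNEXPECTED")
    return store.assess(big), store.assess(lone)


if __name__ == "__main__":
    print(demo())
```

The pin is only ever replaced through `rotate_pin`, so a poisoned answer cannot overwrite the stored fingerprint; the count is what drives the decision between "my DNS" and "their server", which is the distinction the thread draws.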