security
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Wed Oct 25 02:52:54 UTC 2006
Dan Lyke wrote:
> I've already laid out my reasons why I believe that authentication of
> the user to the Identity Provider is between the user and the Identity
> Provider.....that's my own business.
>
No, it's absolutely not! Because any RP is going to rely on that login
facility!
>
> No, it's not. In fact the user URI is published widely and isn't a
> secret at all. I use http://danlyke.livejournal.com/ and
> http://danlyke.pip.verisignlabs.com/
Too bad, now anybody can point an HTTP sniffer at your IDP server and
wait patiently for the user/pass pair... However, I suspect that you mix
up the IDP and RP here... The above looks more like an IDP ;-)
> So to be *very* specific:
>
The fears are the same fears that any bank, credit card company, online
shop or just about anybody else running secured servers has...
> #1 means that all communication between the Relying Party and the IdP
> Endpoint URL and the Claimed Identifier would need to be HTTPS.
>
Yes!
> My guess is somewhere between "snowball's chance in hell" and "zero",
> because that would mean allocating a separate IP address to all
> LiveJournal users (http://username.livejournal.com/) or PIP users
> (http://username.pip.verisignlabs.com/),
>
Wrong... An IDP will install a wildcard certificate for the user area,
i.e. CN=*.pip.verisignlabs.com
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
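The two transport requirements argued over in this message (every URL in the exchange must be HTTPS, and the IdP's one wildcard certificate must actually cover each per-user host) can be checked mechanically. The following is an added example written for this archive page, not code from Eddy Nigg, Dan Lyke or any OpenID implementation; the hostnames, URLs and the certificate name list are constructed assumptions, and the matcher implements the RFC 6125 wildcard rules (one label only, leftmost position only, no bare `*.tld`), which is the check a practitioner would want before trusting a `CN=*.pip.verisignlabs.com` deployment.

```python
"""Added example for the HTTPS / wildcard-certificate discussion above.
Not code from the thread or from any OpenID library; all names and URLs
below are assumptions for illustration."""
from typing import List
from urllib.parse import urlsplit


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate name against a host the way RFC 6125 allows:
    a '*' is only permitted as the whole leftmost label, it stands for
    exactly one label, and a bare '*.tld' is refused."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False          # '*' must be the entire leftmost label
    if len(p_labels) < 3:
        return False          # refuse '*.com' style patterns
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False          # wildcard covers one label, never zero or two
    return h_labels[1:] == p_labels[1:]


def check_openid_transport(claimed_identifier: str, op_endpoint: str,
                           cert_names: List[str]) -> List[str]:
    """Return a list of problems; empty when both URLs are HTTPS and
    each host is covered by one of the certificate's names."""
    problems = []
    for role, url in (("claimed identifier", claimed_identifier),
                      ("OP endpoint", op_endpoint)):
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{role} {url} is not https")
            continue
        host = parts.hostname or ""
        if not any(wildcard_matches(name, host) for name in cert_names):
            problems.append(f"{role} host {host} not covered by {cert_names}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a wildcard cert for the user area plus the bare
    # endpoint host, the deployment the message says an IdP would use.
    names = ["*.pip.verisignlabs.com", "pip.verisignlabs.com"]
    print(check_openid_transport("http://danlyke.pip.verisignlabs.com/",
                                 "https://pip.verisignlabs.com/server", names))
    print(check_openid_transport("https://danlyke.pip.verisignlabs.com/",
                                 "https://pip.verisignlabs.com/server", names))
```

Two caveats the check makes visible: a single-label wildcard does not cover a host such as `a.b.pip.verisignlabs.com`, so any identifier scheme with deeper per-user subdomains needs additional names; and modern clients match against subjectAltName dNSName entries, not the CN alone, so the same names should appear there.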