OpenID security questions
Granqvist, Hans
hgranqvist at verisign.com
Mon Sep 11 23:14:17 UTC 2006
Burt,
We made such an analysis here at VeriSign and I posted a few emails
related to security concerns + proposed profiles to the old yadis list.
I will later today or tomorrow follow up to the specs at openid.net and
ping this general at openid.net list when that's been done.
Thanks,
Hans
________________________________
From: general-bounces at openid.net on behalf of Burt Harris
Sent: Mon 9/11/2006 4:04 PM
To: general at openid.net
Subject: OpenID security questions
I've spent the weekend reading up on OpenID. Very cool, I'm interested. I've got a couple of questions regarding security of the approach:
Has a systematic analysis of threats to OpenID been made and published?
Does OpenID require that SSL be used by the consumer site when fetching the identifier URL? If not, wouldn't that leave the entire sequence of operations vulnerable to DNS spoofing, etc.?
Burt Harris
Microsoft Live Meeting