OpenID security questions
Granqvist, Hans
hgranqvist at verisign.com
Tue Sep 12 16:08:00 UTC 2006
Burt,
I just posted a proposal to specs at openid.net
Thanks,
Hans
________________________________
From: general-bounces at openid.net
[mailto:general-bounces at openid.net] On Behalf Of Burt Harris
Sent: Monday, September 11, 2006 4:05 PM
To: general at openid.net
Subject: OpenID security questions
I've spent the weekend reading up on OpenID. Very cool, I'm
interetested. I've got a couple of questions regarding security of the
approach:
Has a systematic analysis of threats to OpenID been made and
published?
Does OpenID require that SSL be used by the consumer site when
fetching the identifier URL? If not, wouldn't that leave the entire
sequence of operations vulnerable to DNS spoofing, etc?
Burt Harris
Microsoft Live Meeting
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20060912/1d75e01f/attachment-0002.htm>
More information about the general
mailing list