OpenID security questions
Alaric Dailey
alaricd at pengdows.com
Tue Sep 12 16:23:10 UTC 2006
SSL doesn't protect against DNS Poisoning/spoofing/pharming or whatever you
want to call it. SSL protects against spoofing only if people turn on
revocation checking AND no-one uses self-signed certs (self-signed certs are
counterproductive when trying to create trust), otherwise it would only
protect against data being eavesdropped on. DNSSEC is the way to protect
against DNS spoofing.
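The consumer-side fetch this reply is about, as an added example that is not part of the thread: a consumer that accepts only an https identifier URL, fetches it with a strictly verifying TLS context (trusted CA chain plus hostname match, so a self-signed certificate on a spoofed address is rejected) and refuses redirects off HTTPS. Function and class names are this example's own, and revocation checking, the other condition named above, is deliberately left out because the standard library offers only static CRL files for it.

```python
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Names below are this example's own choices, not OpenID library API names.


def strict_tls_context() -> ssl.SSLContext:
    """TLS settings for fetching the claimed identifier URL.

    CERT_REQUIRED with check_hostname means the certificate must chain to a
    trusted CA *and* name the host we resolved, so a self-signed certificate
    served from a spoofed address fails instead of being silently accepted.
    Revocation is not checked: the stdlib only supports pre-loaded CRL files
    (ssl.VERIFY_CRL_CHECK_LEAF), which this example does not load.
    """
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED, hostname check
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_identifier_url(identifier: str) -> str:
    """Accept only an https:// identifier naming a plain host; raise otherwise.

    Over plain http a DNS answer, not a certificate, would decide whose page
    the consumer reads, which is exactly the spoofing case in the thread.
    """
    url = identifier.strip()
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError(f"identifier must be https://, got {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("identifier must name a host and carry no credentials")
    return url


def redirect_target_allowed(newurl: str) -> bool:
    """Redirect hops must stay on https; a plain-http hop reopens the window."""
    return urlparse(newurl).scheme == "https"


class HttpsOnlyRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not redirect_target_allowed(newurl):
            raise urllib.error.HTTPError(newurl, code, "refusing redirect off HTTPS", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_identifier_page(identifier: str, timeout: float = 10.0) -> bytes:
    """Fetch the identifier page under the strict policy (needs network access)."""
    url = check_identifier_url(identifier)
    opener = urllib.request.build_opener(
        HttpsOnlyRedirect, urllib.request.HTTPSHandler(context=strict_tls_context())
    )
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()
```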
_____
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Granqvist, Hans
Sent: Tuesday, September 12, 2006 11:08 AM
To: Burt Harris
Cc: general at openid.net
Subject: RE: OpenID security questions
Burt,
I just posted a proposal to specs at openid.net
Thanks,
Hans
_____
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Burt Harris
Sent: Monday, September 11, 2006 4:05 PM
To: general at openid.net
Subject: OpenID security questions
I've spent the weekend reading up on OpenID. Very cool, I'm interested.
I've got a couple of questions regarding security of the approach:
Has a systematic analysis of threats to OpenID been made and published?
Does OpenID require that SSL be used by the consumer site when fetching the
identifier URL? If not, wouldn't that leave the entire sequence of
operations vulnerable to DNS spoofing, etc?
Burt Harris
Microsoft Live Meeting