[OpenID] OpenId Association Timeout Recommendations
Hans Granqvist
hgranqvist at verisign.com
Wed Feb 7 19:08:57 UTC 2007
Aswath Rao wrote:
> I would like to know whether your point regarding the vulnerability of
> Direct verification still holds if we use Cardspace as it was announced
> earlier in the day. This is relevant for the application where we use
> OpenID as the identifier for SIP sessions.
It's unclear to me how or on what level Cardspace will integrate
with OpenID, so I cannot respond just yet, sorry!

I know being a MITM is not necessarily as easy in practice as
in theory, but the direct verification step of OpenID is
too fragile regardless of identity mechanism.

-Hans