[OpenID] Fwd: OpenID Spoofing
damnian at gmail.com
Sun Jan 21 18:23:43 UTC 2007
Currently sites with "bad" certs are more secure than good ones, because the
approve-this-bad-cert dialog will come up and you can verify that it's the
same cert as last time :)
Here's a crazy idea: what if the OP used such a "bad cert"?
E.g. MyOpenID.com could use JanRain's cert. This way all users would get a
chance to inspect the cert (and also get to know the company behind the OP
by the way).