[OpenID] Fwd: OpenID Spoofing

Dmitry Shechtman damnian at gmail.com
Sun Jan 21 18:23:43 UTC 2007

Currently sites with "bad" certs are more secure than good ones, because the
approve-this-bad-cert dialog will come up and you can verify that it's the
same bad cert as last time :)



Here's a crazy idea: what if the OP used such a "bad cert"?


E.g. MyOpenID.com could use JanRain's cert. This way all users would get a
chance to inspect the cert (and also get to know the company behind the OP
by the way).






