[OpenID] Announcing OpenID Authentication 2.0 - Implementor'sDraft 11

Ben Laurie benl at google.com
Mon Jan 22 15:36:44 UTC 2007

On 1/22/07, Hallam-Baker, Phillip <pbaker at verisign.com> wrote:
> > [mailto:specs-bounces at openid.net] On Behalf Of Ben Laurie
> > More importantly, I think I have a solution that will make
> > both of us happy, but I now have to go and ride my motorbike
> > fast, so I'll detail it later.
> Now there is an exit line to tempt the Gods.
> The only way that I can see that you are going to circumvent an attempt using existing browser capabilities is to introduce a malicious login page is through use of some form of shared secret such as a picture of a cuddly animal chosen by the user or Secure Letterhead.

How is this kind of shared secret a defence against a MitM?

> Letterhead requires a browser upgrade so it breaks the 'existing capabilities' constraint.
> If you change the browser you might as well really change the browser and use a strong authentication mechanism based on PKI

I'm sure you meant to say "based on asymmetric cryptography".

> I think we need to take another look at the 'change the browser' case and make sure that we can take full advantage if the browser is changed.

Damn straight.

More information about the general mailing list