[OpenID] What are openids weaknesses?

Peter Williams pwilliams at rapattoni.com
Sun Sep 2 01:57:00 UTC 2007


Hmm. Let's rewrite that and create a compare/contrast situation. Let's
see what information we can infer from the comparison.

As Len Baurie in a piece called "SAML: Phishing Heaven" notes: "The SAML
SP-initiated WebSSO people [have] defined a SP-Redirect binding that has
to be the second worst I've ever seen from a phishing point of view. I
just persuade you to go anywhere at all, say my lovely site of poodle
photos, and get you to log in typing your IDP (as a URL). Following
the protocol, I find out where your provider is (i.e. the site you log
in to prove you really control an account at that IDP), but instead of
sending you there (because, yes, SP-initiated SP-Redirect works by
having the site you're logging in to send you to your provider) I send
you to my fake provider, which then just proxies the real provider,
stealing your login as it does. I don't have to persuade you that I'm
anything special, just someone who wants you to use SAML, as the
designers hope will become commonplace, and I don't have to know your
provider in advance. So, I can steal login credentials on a massive
basis without any tailoring or pretence at all! All I need is good
photos of poodles."

The basic claim in the argument is that openid is crap on the grounds of
the flow.

Does it then follow that SAML is similarly crap because it offers the
identical flow?

What element is missing from the original argument that undermines its
validity?

> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Eric Norman
> Sent: Saturday, September 01, 2007 6:14 PM
> To: OpenID List
> Subject: Re: [OpenID] What are openids weaknesses?
> 
> 
> On Sep 1, 2007, at 2:38 PM, Patrick Aljord wrote:
> 
> > Hey all,
> > I'm doing a presentations and I need a little more information about
> > OpenId weaknesses and how they are being addressed.
> > I know there is this draft to fight against phishing:
> > http://openid.net/specs/openid-provider-authentication-policy-
> > extension-1_0-01.html
> >
> > If you have other links or information, please sent it.
> 
> There's the now infamous "slam piece" by Stefan Brands.
> 
>     http://www.idcorner.org/?p=161
> 
> Eric Norman
> http://ejnorman.blogspot.com
> 
> 
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
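An added illustration, not part of this thread, of the SP-initiated redirect flow quoted above and of a check that belongs on the user agent rather than the relying party: the user supplies an identifier, the site resolves the provider and builds the redirect, and a dishonest site can point that redirect at a proxy of its own. The endpoint names, the discovery table and the pinned-provider table are constructed stand-ins for real discovery and for a provider the user has recorded on an earlier trusted login.

```python
from urllib.parse import urlparse, urlencode

# Constructed stand-in for discovery: identifier -> provider login endpoint.
# (Assumption: real discovery fetches the identifier URL; here it is a table.)
DISCOVERED_ENDPOINTS = {
    "https://alice.id.example/": "https://idp.example/login",
}

# Constructed user-agent memory: identifier -> provider origin recorded on an
# earlier trusted login (the user's own knowledge of where they log in).
PINNED_PROVIDER_ORIGIN = {
    "https://alice.id.example/": "https://idp.example",
}


def origin(url: str) -> str:
    """Scheme and host of a URL, the unit the user agent compares."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


def relying_party_redirect(identifier: str, honest: bool = True) -> str:
    """The site being logged in to resolves the provider and builds the
    redirect. Nothing in the flow stops a dishonest site from substituting
    any endpoint it likes; that is the step the quoted text calls out."""
    endpoint = DISCOVERED_ENDPOINTS[identifier]
    if not honest:
        endpoint = "https://idp-example.proxy.test/login"  # constructed decoy
    query = urlencode({"claimed_id": identifier,
                       "return_to": "https://rp.example/finish"})
    return f"{endpoint}?{query}"


def user_agent_allows_login(identifier: str, redirect_url: str) -> bool:
    """Client-side check that does not rely on the relying party: credentials
    for this identifier go only to the provider origin pinned earlier.
    An identifier with no pinned provider is refused, not trusted."""
    expected = PINNED_PROVIDER_ORIGIN.get(identifier)
    if expected is None:
        return False
    return origin(redirect_url) == expected


def simulate(identifier: str, honest: bool) -> bool:
    """Run one login attempt end to end and report whether the user agent
    would let the credentials be entered at the redirect target."""
    return user_agent_allows_login(identifier,
                                   relying_party_redirect(identifier, honest))
```

The check only helps once a provider has been pinned; that is why the quoted text says the phisher "doesn't have to know your provider in advance" and why a first login through an untrusted site remains the hard case.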
