[OpenID] What are openids weaknesses?

Peter Williams pwilliams at rapattoni.com
Sun Sep 2 02:19:06 UTC 2007


Let's look at another couple of whiners from that cited missive, this
time using analysis.

"On a note related to phishing, Kim Cameron says: "How do I know I am
looking at his web page or talking to his identity provider? By calling
them up on DNS. [...] OpenID is as strong, and as weak, as DNS. In other
words, it is great for transactions that won't attract criminal attack,
and terrible for those that will." Similarly, Tim Anderson remarks: "The
whole OpenID structure hinges on the URL routing to the correct machine
on the Internet. In other words, DNS. Now do some research on DNS
poisoning. Scary."

Cut the crap down to 6 words, and what they are saying is: OpenID assumes
a secure name service.

This is true. As we have discussed in recent days, it's obviously a
doctrinal element of the security concept (contrasting with... that which
we discussed the other day, in relation to RP name discovery).

The same is true with https. Unlike the SSL layer, the https layer
mandates that one will match domain names determined by reverse lookup of
the DNS with common names in certs. And here, of course, lies the whole
basis for proxy-based MITM against https (when improperly deployed).

If https can rely upon secure name resolution (and get where it's got,
albeit with many warts in civilian deployments) why should openid not?

Don't forget, CardSpace relies on https countermeasures at the end of
the day (today, anyways).

Tsuch.



> > -----Original Message-----
> > From: general-bounces at openid.net [mailto:general-bounces at openid.net]
> On
> > Behalf Of Eric Norman
> > Sent: Saturday, September 01, 2007 6:14 PM
> > To: OpenID List
> > Subject: Re: [OpenID] What are openids weaknesses?
> >
> >
> > On Sep 1, 2007, at 2:38 PM, Patrick Aljord wrote:
> >
> > > Hey all,
> > > I'm doing a presentation and I need a little more information
> about
> > > OpenId weaknesses and how they are being addressed.
> > > I know there is this draft to fight against phishing:
> > > http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html
> > >
> > > If you have other links or information, please send it.
> >
> > There's the now infamous "slam piece" by Stefan Brands.
> >
> >     http://www.idcorner.org/?p=161
> >
> > Eric Norman
> > http://ejnorman.blogspot.com
> >
> >
> > _______________________________________________
> > general mailing list
> > general at openid.net
> > http://openid.net/mailman/listinfo/general
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
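The rule the message above leans on, that the host part of an https URL must match a name carried in the server's certificate, is the only thing that turns a DNS answer into something an RP can bind a key to. The following is an added example, not code from the post or from any OpenID library, showing that check as a relying party would apply it to a claimed identifier URL before trusting the session: names are compared case-insensitively, a wildcard may stand only for one leftmost label, subjectAltName dNSName entries take precedence over the subject CN, and a certificate for some other name (a proxy's, for instance) is rejected. The certificates and host names are constructed stand-ins holding only the name fields; no X.509 parsing is done.

```python
"""Hostname-to-certificate matching as an OpenID RP would apply it.

Added example (not from the post or any OpenID library): the rule that the
host part of an https URL must match a name carried in the server's
certificate, which is what binds the DNS lookup to a key.  All certificates
below are constructed stand-ins holding only the name fields.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class CertNames:
    # Only the fields the check reads: subject CN and subjectAltName dNSName
    # entries.  Constructed; no real X.509 parsing happens here.
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a host (RFC 6125 style).

    Exact, case-insensitive match, or a wildcard that is the entire leftmost
    label and covers exactly one label ("*.example.net" matches
    "alice.example.net" but not "a.b.example.net" or "example.net").
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Wildcard must be the whole first label, appear once, and leave at
    # least two fixed labels so "*.com" cannot match every .com host.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: CertNames, host: str) -> bool:
    """Return True if the certificate is valid for this host name.

    SAN dNSName entries are authoritative when present; the subject CN is
    consulted only for legacy certificates with no dNSName at all.
    IP-literal hosts would need iPAddress SANs, which this check does not
    handle, so they are rejected.
    """
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    if cert.san_dns:
        return any(dns_name_matches(n, host) for n in cert.san_dns)
    return cert.subject_cn is not None and dns_name_matches(cert.subject_cn, host)


def endpoint_is_bound(cert: CertNames, url: str) -> bool:
    """Decide whether a TLS session presenting `cert` may be trusted for `url`.

    Without the scheme check a plain http identifier would skip TLS entirely;
    without the name check any valid certificate (e.g. a proxy's) would do,
    which is the MITM the post refers to.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return cert_matches_host(cert, parts.hostname)


# Constructed sample data (hypothetical names).
ALICE_CERT = CertNames(subject_cn="alice.example.net",
                       san_dns=["alice.example.net", "*.example.net"])
PROXY_CERT = CertNames(subject_cn="proxy.attacker.example",
                       san_dns=["proxy.attacker.example"])
LEGACY_CN_ONLY = CertNames(subject_cn="op.example.org")

if __name__ == "__main__":
    for cert, url in [(ALICE_CERT, "https://alice.example.net/"),
                      (PROXY_CERT, "https://alice.example.net/"),
                      (ALICE_CERT, "http://alice.example.net/")]:
        print(url, cert.subject_cn, endpoint_is_bound(cert, url))
```

Note that the check covers only the name binding; chain validation, revocation and the actual TLS handshake are assumed to have been done by the TLS library before these names are read, and a deployment that skips the name comparison (the "improperly deployed" case) is exactly where a proxy holding any valid certificate can sit in the middle.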