[OpenID] BlackHat presentation on OpenID

Peter Williams pwilliams at rapattoni.com
Mon Sep 10 08:52:47 UTC 2007


Yes, it's easy to fix OpenID.

But there is no point till it has the architecture and community
dynamics that will allow it to play the role it is destined for.

Don't forget, Bob was also the architect of:  PKI : How to make it
become an enforcement system for mandatory key escrow. Know where his
objectives ultimately lie, when he gives counsel.


> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net]
> On Behalf Of Norman Gray
> Sent: Monday, September 10, 2007 1:16 AM
> To: general at openid.net
> Subject: [OpenID] BlackHat presentation on OpenID
> 
> 
> Greetings.
> 
> I haven't seen this appear on the list yet (apologies if I've missed
> it).
> 
> Bob Blakley at the Burton Group produced a blog post on `What is OpenID
> for?'[1], which asks a number of useful questions (with the aim of getting
> the horse explicitly back before the cart), and points to a couple of
> discussions about OpenID security.  In particular, it points towards
> a BlackHat discussion of OpenID security weaknesses[2], which lists an
> alarming number of weaknesses, but ends on a note of qualified
> optimism:
> 
>     Whilst this paper has presented a number of attacks against OpenID,
>     it still remains the only viable option for the Internet-wide SSO
>     system.  Some of the attacks presented are either partially solved
>     already or can be solved with relative ease.  Other attacks such as
>     phishing and the redirect attack require further thought.  However
>     it is our belief that OpenID can be made secure.
> 
> Norman
> 
> 
> [1] http://srmsblog.burtongroup.com/2007/09/what-is-openid-.html
> [2] https://www.blackhat.com/presentations/bh-usa-07/Tsyrklevich/Whitepaper/bh-usa-07-tsyrklevich-WP.pdf
> 
> --
> ---------------------------------------------------------------------------
> Norman Gray  /  http://nxg.me.uk
> eurovotech.org  /  University of Leicester
> 