[OpenID] Reconsidering http://openid different from https://openid

Christopher St John ckstjohn at gmail.com
Fri Sep 21 13:11:37 UTC 2007


On 9/20/07, Paul C. Bryan <email at pbryan.net> wrote:
>
> I believe the question should be framed around what solution can be
> (primarily) secure and (secondarily) intuitive.
>

I think the disconnect is the assumption that OpenID should be secure
against every conceivable form of attack and appropriate for the most
sensitive financial transactions.

It's not.

It's a widely applicable but very simple and limited replacement for
those stupid email verification thingies. As such, it's more important
that it be intuitive than ultimately secure.

If you need the former, then Oasis has some technology for you. It's
pointless to try and reinvent it here.

Limiting the scope makes it possible to ignore lots of hard
problems.

For example, I suspect that the DNS attack is a red herring. If you
had control of someone's access to DNS you could do much
evil-er things than mess with their OpenID. And the fact that their
OpenID is a relatively low-value target (compared to bank logins)
makes it less likely to be attacked.


-cks

-- 
Christopher St. John
http://artofsystems.blogspot.com


