[OpenID] Reconsidering http://openid different from https://openid
Paul C. Bryan
email at pbryan.net
Fri Sep 21 15:29:18 UTC 2007
Well put. +1!
If there were general consensus by the OpenID development and deployment
communities that OpenID should be strictly limited to being a
replacement to email verification, I certainly wouldn't quarrel so much
with such attempts at making it more intuitive at the expense of
security.
Paul
On Fri, 2007-09-21 at 08:11 -0500, Christopher St John wrote:
> On 9/20/07, Paul C. Bryan <email at pbryan.net> wrote:
> >
> > I believe the question should be framed around what solution can be
> > (primarily) secure and (secondarily) intuitive.
> >
>
> I think the disconnect is the assumption that OpenID should be secure
> against every conceivable form of attack and appropriate for the most
> sensitive financial transactions.
>
> It's not.
>
> It's a widely applicable but very simple and limited replacement for
> those stupid email verification thingies. As such, it's more important
> that it be intuitive than ultimately secure.
>
> If you need the former, then Oasis has some technology for you. It's
> pointless to try and reinvent it here.
>
> Limiting the scope makes it possible to ignore lots of hard
> problems.
>
> For example, I suspect that the DNS attack is a red herring. If you
> had control of someone's access to DNS you could do much
> evil-er things than mess with their OpenID. And the fact that their
> OpenID is a relatively low-value target (compared to bank logins)
> makes it less likely to be attacked.
>
>
> -cks
>
More information about the general
mailing list