[OpenID] Yahoo hijacking?

Peter Williams pwilliams at rapattoni.com
Sat Apr 19 11:47:26 UTC 2008


Realm discovery has been repeatedly articulated as being necessary on security grounds. Technically, it's a "control system" lightly discussed in such terms since we are all so anti-control, here!

But the topic reflects a more interesting set of issues than merely the internal consistency of the 2.0 protocol. The obligation to do RP discovery is part of the trust signaling apparatus. Similar obligations on the consumer to repeat discovery, when an OP changes the form of the claimed id (to a public key, say), are not widely understood, I strongly suspect.

The way that OpenID addresses trust formation is generally enticing. It's upside down, inside out, and the wrong way round. Therefore, I like it, as these properties mean it can scale. Once bootstrapped with URLs, the infrastructure can then all be re-applied to any number of id forms as they emerge. This is an essential feature of a web infrastructure - and an obvious boon to most of its users.

_________________________
Peter Williams




From: SitG Admin
Sent: Fri 4/18/2008 6:55 PM
To: Allen Tom; general at openid.net
Subject: Re: [OpenID] Yahoo hijacking?


>This realm discovery feature was added to patch a security hole in 
>OpenID 1.1, and is one of the main reasons why Yahoo does not 
>support OpenID 1. More details here:
>
>http://openid.net/pipermail/security/2007-February/000241.html

Is this feature exclusive to Yahoo, or is it part of the 2.0 specs?

-Shade