[OpenID] A couple of questions regarding OpenID...
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Fri Feb 1 00:17:35 UTC 2008
Per Ekström wrote:
>
> My first question is regarding the Phishing attacks that are mentioned
> at Wikipedia [1] - Are they still valid or is it just FUD that has
> been floating around since an old version of the standard?
I guess that's correct, as with anything that uses a user name and
password for authentication. There is no difference between a phishing
attempt on an online banking web site and one on an IDP, with different
results perhaps. Phishing of banking sites will cost somebody money,
whereas with OpenID it might be used for spamming and identity theft
(whatever that implies).
There are however secure methods for authentication other than user/pass
pairs and OpenID has a draft extension for this:
http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html
>
> And second - While I know Man-In-The-Middle between user and
> OpenID-provider is quite easy to stave off, what about OpenID-provider
> and the website I'm trying to log in to? Whenever man-in-the-middle
> discussion about this appears, it's always in the form of
> User-to-OpenID-Provider, not the other way around.
The RP can require SSL of only known CAs. This should solve this concern
mostly. But the provider will not send the authentication bits in any
case, in most cases only a yes/no/cancel reply.
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
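The two replies above come down to one RP-side property: the provider never hands the RP a password, only a yes/no/cancel assertion, and the RP must verify that assertion itself rather than trust whoever delivered it. The example below is added here to illustrate that; it is not code from the list post or from the OpenID project. It follows the OpenID 2.0 positive-assertion checks (HMAC over the key-value form of the `openid.signed` fields, `return_to` match, nonce freshness and one-time use) and pairs them with a TLS context that accepts only CAs the RP chooses. The association secret, handle, endpoints, nonce and timestamp are constructed values; `strict_tls_context`, `make_sample_assertion` and `verify_assertion` are hypothetical names.

```python
import base64
import calendar
import hashlib
import hmac
import ssl
import time

# Fields an RP must insist on finding inside openid.signed before it
# believes a positive assertion (OpenID Authentication 2.0, section 10.1).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}


def strict_tls_context(cafile):
    """Context for the RP's direct connections to the OP (association,
    check_authentication, discovery): only certificates chaining to the CAs
    in `cafile` are accepted and the certificate must match the hostname.
    This is the 'SSL of only known CAs' requirement from the reply."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def kv_form(params, signed_fields):
    """Key-value form of the signed fields: one 'key:value\\n' line per field,
    in the order given by openid.signed, with the 'openid.' prefix removed."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields)


def sign(params, assoc_secret):
    """HMAC-SHA256 over the key-value form, base64 encoded (openid.sig)."""
    signed_fields = params["openid.signed"].split(",")
    mac = hmac.new(assoc_secret, kv_form(params, signed_fields).encode("utf-8"),
                   hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_assertion(params, assoc_secret, expected_return_to, seen_nonces,
                     now=None, max_age=300):
    """Decide whether an indirect response from the OP is an acceptable 'yes'.
    Returns (ok, reason). Note that the response carries no credential at all:
    a man in the middle between OP and RP only ever sees the signed verdict."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"      # cancel / setup_needed
    signed_fields = params.get("openid.signed", "").split(",")
    missing = REQUIRED_SIGNED - set(signed_fields)
    if missing:
        return False, f"unsigned fields: {sorted(missing)}"
    if params.get("openid.return_to") != expected_return_to:
        return False, "return_to mismatch"
    # Constant-time compare: a forged or altered assertion fails here.
    if not hmac.compare_digest(sign(params, assoc_secret), params.get("openid.sig", "")):
        return False, "bad signature"
    nonce = params["openid.response_nonce"]
    try:  # nonce begins with a UTC timestamp, YYYY-MM-DDTHH:MM:SSZ
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return False, "malformed nonce"
    now = time.time() if now is None else now
    if abs(now - issued) > max_age:
        return False, "stale nonce"
    if nonce in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(nonce)   # remember only nonces that passed the signature check
    return True, "ok"


# --- constructed sample data (not real secrets or endpoints) ---------------
ASSOC_SECRET = b"constructed-association-secret-not-real"
RETURN_TO = "https://rp.example/openid/return"
SAMPLE_NOW = calendar.timegm(time.strptime("2008-02-01T00:17:40Z", "%Y-%m-%dT%H:%M:%SZ"))


def make_sample_assertion(secret=ASSOC_SECRET, identity="https://alice.op.example/"):
    """Build the positive assertion an OP would redirect back to the RP."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/server",
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": "2008-02-01T00:17:35ZCONSTRUCTED",
        "openid.assoc_handle": "constructed-handle",
        "openid.claimed_id": identity,
        "openid.identity": identity,
        "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity",
    }
    params["openid.sig"] = sign(params, secret)
    return params


if __name__ == "__main__":
    seen = set()
    print(verify_assertion(make_sample_assertion(), ASSOC_SECRET, RETURN_TO, seen, now=SAMPLE_NOW))
    print(verify_assertion(make_sample_assertion(), ASSOC_SECRET, RETURN_TO, seen, now=SAMPLE_NOW))
```

The signature is checked before the nonce is recorded, so an attacker who can reach the RP's return URL cannot burn legitimate nonces with unsigned junk. The association secret that keys the HMAC is the one piece an OP-to-RP interceptor would need, and it is only ever exchanged over the `strict_tls_context` connection, which is why requiring known CAs on that leg addresses the second question.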