[OpenID] [LIKELY_SPAM]Re: Problems with delegation and directed identity OPs
Deron Meranda
deron.meranda at gmail.com
Thu Nov 6 20:39:21 UTC 2008
On Thu, Nov 6, 2008 at 2:53 PM, John Bradley <john.bradley at wingaa.com> wrote:
> I will also observe that most people who use delegation are not protecting
> their discovered meta-data with ssl certs.
> That is the biggest security problem with delegation.
Yes, I agree. I'm still just playing with it, but I was pretty sure
that security could be compromised if SSL wasn't used during
delegation discovery.
Even then, it seems that some RPs don't really do SSL correctly;
they don't completely validate the SSL certificates against a
trusted list of root CAs. So if self-signed SSL certs don't raise
any warnings, then SSL is sort of compromised anyway.
It's things like this that really need to get documented.
--
Deron Meranda
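
Added example, not part of the original message or of any RP's code: a sketch of the two checks discussed in this thread, that every hop of delegation discovery was fetched over HTTPS and that the RP's TLS context actually verifies certificates. The function names, the sample page and the example.* hosts are constructed for illustration.

```python
import ssl
from html.parser import HTMLParser
from urllib.parse import urlsplit

# <link rel> values that carry delegation data in OpenID 2.0 and 1.1 HTML discovery.
DELEGATION_RELS = {"openid2.provider", "openid2.local_id",
                   "openid.server", "openid.delegate"}

class LinkCollector(HTMLParser):
    """Collects delegation <link> tags from a discovered identifier page."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").lower().split():
            if rel in DELEGATION_RELS and a.get("href"):
                self.links[rel] = a["href"]

def context_validates(ctx):
    """True only if the context requires chain verification and hostname matching."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def audit_delegation(hops, html, ctx):
    """hops: every URL fetched during discovery, claimed identifier first.
    Returns (delegation links found, list of integrity problems)."""
    collector = LinkCollector()
    collector.feed(html)
    problems = ["discovery hop not protected by TLS: " + u
                for u in hops if urlsplit(u).scheme != "https"]
    if not context_validates(ctx):
        problems.append("TLS context does not require certificate and hostname verification")
    return collector.links, problems

# Constructed sample page delegating to a hypothetical OP.
SAMPLE_HTML = ('<html><head>'
               '<link rel="openid2.provider" href="https://op.example/endpoint">'
               '<link rel="openid2.local_id" href="https://op.example/user/alice">'
               '</head></html>')

STRICT = ssl.create_default_context()   # verifies against the system trust store
LAX = ssl.create_default_context()      # the misconfiguration described above
LAX.check_hostname = False              # must be cleared before CERT_NONE
LAX.verify_mode = ssl.CERT_NONE         # self-signed certs pass silently
```
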