[OpenID] 2-Headed OpenID Auth for Increased Security?
Eric Norman
ejnorman at doit.wisc.edu
Sun Nov 30 17:50:16 UTC 2008
On Nov 30, 2008, at 9:35 AM, Andrew Arnott wrote:
> I like the idea.... but the XRDS would have to mandatorily not be
> hosted by either OP (which right now is commonly done), since that OP
> would still ultimately have total assertion power by temporarily
> manipulating the XRDS file to point to two OP endpoints that were both
> controlled by the evil party.
Be careful. "Hosted by" does not necessarily imply "content
controlled by".
Eric Norman