[OpenID] 2-Headed OpenID Auth for Increased Security?
Peter Williams
pwilliams at rapattoni.com
Sun Nov 30 17:56:42 UTC 2008
Time to take the extension power of XRDS, and apply xmldsig "detached signature(s)".
This would be using a similar mechanism as used in Authenticode, where designers applied 3rd-party countersigning and 4th-party timestamping to solve validity problems - at internet scale. Different parties (OP, discovery agents, validation) can then cooperate, in the inherently suspicious world of open systems.
The Shib/Apache-xmltooling toolset has all the mechanisms required to make power-use of the flexibility of the xmldsig standard (as do many other tools). Being very, very flexible in its references, it's easy to screw up application of xmldsig, producing unwanted side effects, though.
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Eric Norman
Sent: Sunday, November 30, 2008 9:50 AM
To: OpenID List
Subject: Re: [OpenID] 2-Headed OpenID Auth for Increased Security?
On Nov 30, 2008, at 9:35 AM, Andrew Arnott wrote:
> I like the idea.... but the XRDS would have to mandatorily not be
> hosted by either OP (which right now is commonly done), since that OP
> would still ultimately have total assertion power by temporarily
> manipulating the XRDS file to point to two OP endpoints that were both
> controlled by the evil party.
Be careful. "Hosted by" does not necessarily imply "content
controlled by".
Eric Norman