[OpenID] [LIKELY_SPAM]Re: [LIKELY_SPAM]Re: Combining Google & Yahoo user experience research
SitG Admin
sysadmin at shadowsinthegarden.com
Thu Oct 23 20:30:51 UTC 2008
>If I decide to enter georgebush at yahoo.com into an RP and I'm signed in
>as someone else on Yahoo.com, I'll be returned as the currently signed
>in user, regardless of who owns georgebush at yahoo.com.
I'll be awfully suspicious, though, and possibly discriminate against
you on the basis that something fishy is going on there.
>If the complete email address is to be considered verified after the
>flow I just described, I think the protocol is broken.
Before understanding Directed Identity (and its security), I was
implementing a similar check for OpenIDs: I compared the URI they
had initially typed in with the claimed_id returned by their OP, and,
if it wasn't the same, I assumed they had found an exploit in their
OP or the protocol. There's nothing that says we have to consider
their original E-mail address to be verified; we can keep track of it
just long enough to compare that value with the claimed address, and
proceed to more paranoid behavior if they don't match.
-Shade
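The check Shade describes, as an added example that is not part of the original post or of any OpenID library: the RP remembers exactly what the user typed, sends a checkid request, and on return compares the typed identifier with the claimed_id the OP asserts. The "Directed Identity" caveat is handled explicitly: when the request used the identifier_select URL, the OP picks the identity and the typed value cannot be checked against claimed_id directly, so the code just refuses to mark it verified. Assumptions made here and not in the post: an e-mail address typed into the login box is treated as routing to the user's OP via identifier_select (matching the Yahoo scenario quoted above), and the optional `asserted_email` parameter stands in for an e-mail attribute the OP might hand back (for instance via SREG or AX); the function and verdict names are invented for illustration, and the identifier normalization is an approximation of OpenID 2.0 section 7.2.

```python
"""RP-side check: does the claimed_id the OP returned match what the user typed?

Added example, not code from the mailing-list post. Names and verdict strings
are illustrative; the normalization approximates OpenID 2.0 section 7.2.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Literal claimed_id/identity value an RP sends when it lets the OP choose the
# user (OpenID 2.0 "directed identity").
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
XRI_GLOBAL_CONTEXT_SYMBOLS = "=@+$!"


def normalize_identifier(user_input: str) -> str:
    """Approximate OpenID 2.0 identifier normalization.

    XRIs are returned as typed (minus an xri:// prefix); URLs get an http://
    scheme if none was given, lowercase scheme and host, a '/' path if empty,
    and the fragment dropped. Dropping the fragment matters because an OP is
    allowed to append one to the claimed_id it returns.
    """
    s = user_input.strip()
    if s.startswith("xri://"):
        s = s[len("xri://"):]
    if s and s[0] in XRI_GLOBAL_CONTEXT_SYMBOLS:
        return s
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def looks_like_email(user_input: str) -> bool:
    """Heuristic: user@host with no scheme or path (an XRI like @name is not one)."""
    s = user_input.strip()
    return "@" in s and not s.startswith("@") and "://" not in s and "/" not in s


@dataclass
class PendingLogin:
    typed: str            # exactly what the user entered in the login box
    claimed_id_sent: str  # openid.claimed_id we put into the checkid request


def begin_login(typed: str, discovered_op_identifier: bool) -> PendingLogin:
    """Record the typed value before redirecting to the OP.

    discovered_op_identifier models discovery having found an OP Identifier
    rather than a user's own identifier. Assumption for this example: a typed
    e-mail address is routed to the user's OP the same way, with identifier_select.
    """
    if discovered_op_identifier or looks_like_email(typed):
        sent = IDENTIFIER_SELECT
    else:
        sent = normalize_identifier(typed)
    return PendingLogin(typed=typed, claimed_id_sent=sent)


def check_response(pending: PendingLogin, returned_claimed_id: str,
                   asserted_email: Optional[str] = None) -> str:
    """Compare what the user typed with what the OP asserted.

    Verdicts: "verified" (typed identifier equals returned claimed_id),
    "mismatch" (treat as the fishy case from the post), "directed_identity"
    (OP chose the user; discovery on the returned claimed_id is still needed),
    "email_unverified" / "email_consistent" (typed e-mail kept but never marked
    verified on its own; asserted_email is an assumed OP-supplied attribute).
    """
    returned = normalize_identifier(returned_claimed_id)
    if pending.claimed_id_sent != IDENTIFIER_SELECT:
        # Normal flow: the OP must assert the very identifier we asked about.
        if returned == normalize_identifier(pending.typed):
            return "verified"
        return "mismatch"
    # Directed identity: claimed_id is whatever account is signed in at the OP,
    # so it tells us nothing about whether the typed value belongs to this user.
    if looks_like_email(pending.typed):
        if asserted_email is None:
            return "email_unverified"
        if asserted_email.strip().lower() == pending.typed.strip().lower():
            return "email_consistent"
        return "mismatch"
    return "directed_identity"


if __name__ == "__main__":
    # Constructed scenario from the post: georgebush@yahoo.com typed, but the
    # OP returns whoever is currently signed in at Yahoo.
    login = begin_login("georgebush@yahoo.com", discovered_op_identifier=False)
    print(check_response(login, "https://me.yahoo.com/a/someone_else"))
```

The key design point is that the verdict for the non-directed flow is a strict equality after normalization, while the directed flow never yields "verified" from the claimed_id alone: the RP keeps the typed value only long enough to compare it, exactly as the post suggests, and anything that does not line up goes down the more paranoid path.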