[OpenID] OpenID architecture critiques? Re: Too many providers...
Peter
peterw at tux.org
Wed Sep 17 18:19:46 UTC 2008
Peter Williams <pwilliams at rapattoni.com> wrote:
> Folks in the liberty alliance message (openly and convincingly)
> that openid cannot ever - inherently - be used for any purpose
> requiring "assurance". They point to the undisputed claim that
> the open designers knowingly made design tradeoffs in the crypto
> handshake and security critical security service composition rules,
> so as to make it all easy to deploy and adopt. Because of this
> precept, openid cannot even *be* fixed (since low assurance is the
> actual goal).
As someone who's moving towards integrating OpenID (RP and OP) into his
employer's web apps, I would very much appreciate URLs to such critiques.
From what I see, the most glaring problem is that some "major sites" that
act as OPs (Flickr, AOL, etc.) still do not have https:// identity URLs, so
RPs cannot leverage cheap, ubiquitous SSL/TLS PKI to help thwart the more
obvious DNS and MITM/phishing attacks.
BTW, whoever maintains http://openid.net/get/ should probably change the
Yahoo information to "https://me.yahoo.com/" since that works and, unlike
http://openid.yahoo.com/, uses SSL/TLS.
Thanks,
Peter
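As an added example, not from the original post: an RP-side policy check in Python that normalizes a claimed OpenID identifier and accepts it only when both the identifier and the OP endpoint found by HTML-based discovery use https, which is the distinction the post draws between https://me.yahoo.com/ and http://openid.yahoo.com/. The hosts and discovery documents below are constructed; a real RP would fetch the discovery document over TLS rather than take it as a string.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


class _LinkRels(HTMLParser):
    """Collect href values of <link rel=...> tags from an HTML discovery page."""

    def __init__(self):
        super().__init__()
        self.rels = {}

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                self.rels.setdefault(rel, a.get("href"))


def normalize_identifier(claimed):
    """OpenID 2.0 style URL normalization: prepend http:// when no scheme is
    given, lowercase scheme and host, default the path to '/', drop fragment."""
    s = claimed.strip()
    if "://" not in s:
        s = "http://" + s
    p = urlsplit(s)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def assess(claimed, discovery_html):
    """Return (accept, reason). Accept only when both the normalized identifier
    and the OP endpoint found by HTML-based discovery use https."""
    ident = normalize_identifier(claimed)
    if urlsplit(ident).scheme != "https":
        return False, "identifier is not https: " + ident
    parser = _LinkRels()
    parser.feed(discovery_html)
    endpoint = parser.rels.get("openid2.provider") or parser.rels.get("openid.server")
    if not endpoint:
        return False, "no OpenID endpoint found in discovery document"
    if urlsplit(endpoint).scheme != "https":
        return False, "OP endpoint is not https: " + endpoint
    return True, "identifier and endpoint " + endpoint + " both use https"


# Constructed discovery documents (hypothetical hosts, not real OPs).
GOOD_DOC = '<html><head><link rel="openid2.provider openid.server" href="https://op.example/auth"></head></html>'
DOWNGRADED_DOC = '<html><head><link rel="openid2.provider" href="http://op.example/auth"></head></html>'

if __name__ == "__main__":
    for claimed, doc in [("https://me.example/alice", GOOD_DOC), ("me.example/alice", GOOD_DOC),
                         ("https://me.example/alice", DOWNGRADED_DOC)]:
        print(claimed, "->", assess(claimed, doc))
```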