[OpenID] Why spoofing and OpenID look so much alike

Peter Williams pwilliams at rapattoni.com
Mon Sep 29 18:04:18 UTC 2008


So I just half read the document, for the first time (that I recall). It's not 'finalized' - so to date I've ignored it.

Regardless, I'll assume Yahoo OP is using it, irrespective of its draft status.

I'll have to think on this issue of putting time into the model. Time is always a delicate security protocol issue, with side effects. One has to note that the nature of the signals is specifically different to the SAML2 equivalent, which is relevant to both IP and prior analysis.

(We have reputable IP indemnities in SAML2, whereas we have none of any value for OpenID2. This is more than half the reason why we use the OpenID2 gateway architecture, which ultimately expresses all processes in terms standardized by OASIS/SAML2.)


-----Original Message-----
From: SitG Admin [mailto:sysadmin at shadowsinthegarden.com]
Sent: Monday, September 29, 2008 9:05 AM
To: Peter Williams
Cc: general at openid.net
Subject: RE: [OpenID] Why spoofing and OpenID look so much alike

>Should OpenID auth have the means for an SP to force the OP to
>challenge (and thus renew the persisted cookie)?

Related - I've been considering a PAPE proposal for "time since user
last changed credentials" (to be suspicious if the user *just* reset
their password a few minutes ago - and MORE suspicious if you
suddenly get a lot of users in a row whose passwords were recently
reset!). Bad for actual passwords, though, since it could discourage
users from regularly changing it.

So far I haven't proposed it; I'm not sure it belongs in PAPE, even
if it *is* authentication-related and *could* be used to detect
(possible) attackers exploiting sudden E-mail access (or
guessing/sniffing the master password at the OP) to force the user's
password into a state they know.

-Shade
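The two ideas in the thread map onto RP-side checks: the quoted question (can an SP force the OP to re-challenge?) is what PAPE's real `openid.pape.max_auth_age` request parameter and `openid.pape.auth_time` response field are for, and Shade's proposal adds a "time since credentials last changed" signal, both per user and as a cross-user burst. The code below is an added illustration written for this archive page, not code from the thread, from the OpenID libraries or from the PAPE spec. The `openid.pape.credential_changed_time` field, the 10-minute "just reset" window, the 3-users-per-hour burst threshold and all login data are constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

# Real PAPE 1.0 response field: when the user last actively authenticated
# at the OP, as ISO 8601 UTC (e.g. "2008-09-29T17:58:00Z").
AUTH_TIME_KEY = "openid.pape.auth_time"
# Hypothetical field for the "time since credentials last changed" proposal
# discussed in the thread. PAPE does not define it; the name is an assumption.
CRED_CHANGED_KEY = "openid.pape.credential_changed_time"

PAPE_TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_pape_time(value):
    """Parse a PAPE-style UTC timestamp into an aware datetime."""
    return datetime.strptime(value, PAPE_TIME_FORMAT).replace(tzinfo=timezone.utc)


def check_auth_age(response, max_auth_age, now):
    """RP side of the real PAPE max_auth_age contract: the RP asked the OP to
    re-challenge if the user authenticated more than max_auth_age seconds ago,
    so an assertion whose auth_time is older than that must be rejected."""
    auth_time = parse_pape_time(response[AUTH_TIME_KEY])
    return (now - auth_time).total_seconds() <= max_auth_age


def recently_reset(response, now, window=timedelta(minutes=10)):
    """Per-user signal from the proposal: True if the OP says the credentials
    were changed within `window` before this login (constructed threshold)."""
    changed = response.get(CRED_CHANGED_KEY)
    if changed is None:
        return False
    return now - parse_pape_time(changed) <= window


class RecentResetBurstDetector:
    """Cross-user signal from the proposal: count distinct users who logged in
    with a freshly reset credential inside a sliding window."""

    def __init__(self, window=timedelta(hours=1), threshold=3):
        self.window = window
        self.threshold = threshold
        self.events = deque()  # (observed_at, claimed_id)

    def observe(self, claimed_id, now, was_recently_reset):
        if was_recently_reset:
            self.events.append((now, claimed_id))
        cutoff = now - self.window
        while self.events and self.events[0][0] < cutoff:
            self.events.popleft()
        distinct_users = {cid for _, cid in self.events}
        return len(distinct_users) >= self.threshold


def run_demo():
    """Run both checks over a constructed batch of OP assertions received at 18:00Z."""
    now = datetime(2008, 9, 29, 18, 0, 0, tzinfo=timezone.utc)
    # Constructed sample: (claimed_id, auth_time, credential_changed_time or None)
    logins = [
        ("https://alice.example/", "2008-09-29T17:58:00Z", "2008-09-28T09:00:00Z"),
        ("https://bob.example/",   "2008-09-29T17:59:00Z", "2008-09-29T17:52:00Z"),
        ("https://carol.example/", "2008-09-29T17:59:30Z", "2008-09-29T17:57:00Z"),
        ("https://dave.example/",  "2008-09-29T16:00:00Z", None),
        ("https://erin.example/",  "2008-09-29T17:59:50Z", "2008-09-29T17:58:30Z"),
    ]
    detector = RecentResetBurstDetector()
    result = {"fresh_auth": {}, "recent_reset": {}, "burst_detected": False}
    for claimed_id, auth_time, changed in logins:
        response = {AUTH_TIME_KEY: auth_time}
        if changed is not None:
            response[CRED_CHANGED_KEY] = changed
        # RP requested max_auth_age=300; dave's two-hour-old session fails it.
        result["fresh_auth"][claimed_id] = check_auth_age(response, 300, now)
        reset = recently_reset(response, now)
        result["recent_reset"][claimed_id] = reset
        if detector.observe(claimed_id, now, reset):
            result["burst_detected"] = True
    return result


if __name__ == "__main__":
    print(run_demo())
```

The per-user flag alone is weak (people do legitimately log in right after resetting a password, which is Shade's objection), so the detector only escalates when several distinct users arrive in the same window with freshly reset credentials; in the constructed batch that happens at the third such user.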
