[OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP implementations)

Andrew Arnott andrewarnott at gmail.com
Sat Jan 3 05:04:52 UTC 2009


As Peter said, RPs can already do whitelists/blacklists.  And DotNetOpenId
in particular makes it very easy for a web.config file to include these
whitelists/blacklists, which allow RPs to be selective about which OP
endpoints they'll permit.  This config file can also enable the RequireSsl
mode that I explained earlier.
As far as a config file that modifies the web server's approved CA list,
it's definitely an interesting idea.  But be aware that doing this is a
privileged operation in .NET, and that makes it impossible to do any special
HTTPS cert approval on shared hosting on which only partial trust is allowed
to the sites that run on them.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Fri, Jan 2, 2009 at 10:10 AM, Peter Watkins <peterw at tux.org> wrote:

> On Fri, Jan 02, 2009 at 11:08:39AM +0200, Martin Paljak wrote:
>
> > In real life most end user software do not check for the status of a
> > certificate (CRL/OCSP)
>
> I suspect that claim is not true. IE7 on Vista and Firefox 3 default
> to using OCSP -- for instance, by the time I followed the recipe for
> the www.mozilla.com demo of the cert that never should've been issued,
> Firefox 3's OCSP check rejected it.
>
> > I second here the questions often raised about CA-s by Peter Williams,
> > but the community has managed to subtly ignore the topic. "If there is
> > a problem (which we don't believe there is) then this is for the PKI/
> > TLS/HTTPS guys to fix", "Just pay to a big company for your certs",
> > "Apparently we use whatever CA certificates Debian uses" are all signs
> > of delegating the problem somewhere else.
>
> And why not delegate? TLS is a bedrock security technology for current
> Web business -- from a simple Yahoo storefront to millionaires accessing
> their online brokerage accounts. A lot of businesses have a lot riding on
> TLS and https, and a lot of incentive to fix any problems. And we've seen
> them do just that. It's not perfect (I'm still peeved that Microsoft has
> effectively blocked attempts to give TLS RSA decent forward secrecy), but
> TLS is widely understood to be critically important, and people more
> influential than us, and smarter than me, are working on this stuff -- the
> improved OCSP support in Firefox and IE7 being a good illustration.
>
> > In addition to "lets just do what everybody else is doing" OpenID
> > could provide additional mechanisms. I once suggested having a
> > separate configuration file and format for RP libraries to be able to
> > configure white/blacklists and OP certificates/CA-s checksums and
> > trust settings.
>
> Nothing is stopping any RP from doing that. Shoot, that's what Microsoft's
> HealthVault site has been doing for OpenID all along.
>
> -Peter
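The RP-side controls this thread talks about (a RequireSsl mode, an OP endpoint whitelist/blacklist, and Martin's suggestion of pinning OP certificate checksums), as an added Python example that is not DotNetOpenId's or any project's code; the policy class, function names and the constructed certificate bytes are hypothetical:

```python
"""Policy check an OpenID RP could apply to a discovered OP endpoint.

Added example, not DotNetOpenId's code. Implements the three controls the
thread discusses: a RequireSsl mode, host allow/deny lists (deny wins), and
pinned SHA-256 certificate fingerprints per OP host. Names are hypothetical.
"""
import hashlib
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class RpPolicy:
    require_ssl: bool = True
    allow_hosts: tuple = ()        # empty -> any host that is not denied
    deny_hosts: tuple = ()
    pinned_sha256: dict = field(default_factory=dict)  # host -> {hex fingerprints}


def _host_matches(host, pattern):
    # "example.com" matches itself and any subdomain of it
    return host == pattern or host.endswith("." + pattern)


def cert_fingerprint(der_bytes):
    # Fingerprint over the DER-encoded certificate, as browsers display it
    return hashlib.sha256(der_bytes).hexdigest()


def check_op_endpoint(url, policy, cert_der=None):
    """Return (allowed, reason) for an OP endpoint URL under the RP policy."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return False, "no host in endpoint URL"
    if policy.require_ssl and parts.scheme != "https":
        return False, "RequireSsl: endpoint is not https"
    if any(_host_matches(host, d) for d in policy.deny_hosts):
        return False, f"host {host} is blacklisted"
    if policy.allow_hosts and not any(_host_matches(host, a) for a in policy.allow_hosts):
        return False, f"host {host} is not whitelisted"
    pins = policy.pinned_sha256.get(host)
    if pins:
        if cert_der is None:
            return False, "pinned host but no certificate presented"
        fp = cert_fingerprint(cert_der)
        if fp not in pins:
            return False, f"certificate fingerprint {fp[:16]}... does not match pin"
    return True, "ok"
```

The pin lookup is by exact host on purpose: a whitelisted subdomain without its own pin is still subject to the normal TLS CA check rather than silently inheriting a parent's pin.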