[OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP implementations)
Peter Williams
pwilliams at rapattoni.com
Sat Jan 3 06:26:25 UTC 2009
> just that. It's not perfect (I'm still peeved that Microsoft has
> effectively blocked attempts to give TLS RSA decent forward secrecy),
[Peter Williams]
There is quite a history to how and when SSL rehandshake is used (so each of n hypermedia sessions gets its own re-run of the SSL3 KDF, conducted under the confidentiality of the initiating "IKE" security context associated with the HTML DOM's own security context). Certain agencies procuring (very) large numbers of office systems licenses from both Netscape and Microsoft were rather insistent (in 1998 ish) that rehandshakes per hypermedia connection were limited to session resumes, as opposed to rehandshakes (as in early Netscape).
Use control-N in Netscape vs IE (and refresh the page) and you still see relics of the original SSL security concepts for https in a hypermedia, multi-browser instance world. (Study the modern OCSP, too.)
But this is really pretty irrelevant. We have to focus on getting openid discovery a UCI-grade trust management model (addressing discovery endpoint cert registration at RPs and RP affiliations) that breaks free of "use the trust model that works for the _interactive_ browser user". If one is not a security specialist in key management, I know it's hard (and boring, compared to the fun of web2.0 GUI and linking). But it's critical. It's (security) lazy just to punt to the browser model, or do what the OS does for incoming client certs of hosting https endpoints.
It should be obvious why I generally support the CX proposal - as at least it puts the harder questions back on the table.