[OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP implementations)
Martin Paljak
martin at paljak.pri.ee
Sat Jan 3 08:46:27 UTC 2009
On 03.01.2009, at 5:12, Jorgen Thelin wrote:
> The Microsoft Root Program lists the details and requirements for
> the Microsoft Root Certificate Program.
>
> The MS Root Program attempts to establish a minimum baseline for PKI-
> based security -- to at least warn Windows / IE users before that
> make some obviously bad decisions around SSL trust – such as warning
> users before they access sites that use certificates with known weak
> hash algorithms.
I don't know exactly how the warning look like, but if they are
similar in nature to "there is a problem with this website's
certificate" which allow to either go away or bypass the invalid page,
they serve no real purpose.
End user has only passive trust decisions (agree with possibilities or
run away and close windows in fear) but no proactive ways of dealing
with those "error scenarios" in a meaningful way. Technical issues
like md2 and Microsoft made trust decisions (unlisted CA) are two
different things to what the user should react differently.
> You can see the technical requirements for CAs in the above
> document that are used by any browsers running on Windows.
Browsers, which use win32 APIs to do their SSL business. AFAIK Firefox
does not bridge to windows cert store (yet) nor cryptoapi.
>
> “Identity is easy, but Trust is hard!”
True.
Leaving browsers and coming back to OpenID, I would like to propose to
set some common SSL related best practices for public RP-s in stage 1
and in stage 2 make it easy for admins and integrators by trying to
bring the SSL related tunables into a API config file or something
similar. At least make the problem, solutions and related variables
visible.
m.
--
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495
More information about the general
mailing list