[OpenID] The HTTPS in the OpenID (Re: Bug in OpenID RP implementations)
Eric Norman
ejnorman at doit.wisc.edu
Mon Jan 5 01:04:55 UTC 2009
On Jan 4, 2009, at 2:36 PM, Peter Williams wrote:
> · Now, the suspected compromise of the VeriSign Trust Network
> (or one of its sub brands, rather)
I mention this just in an attempt to impede the proliferation
of false information about the attack discovered this week. If
someone thinks further discussion is warranted, please choose an
appropriate forum; this isn't it.
Nobody who understands the attack believes that the Verisign
Trust Network was compromised. No extant certificates are
believed to be forgeries, nor could they be used to create
forgeries.
> has just this week taught lots of folks about PKI features not that
> well known previously – how to manually configure the URL of the
> validation service (OCSP responder), so one can FOR ONESELF run an
> OCSP server which overrides the status service of the trust network.
Having OCSP configured would do nothing to prevent this attack.
Now, what I really wanted to ask.
> · So the idea is, rather than use X.509 cross-certification
> (where one CA root signs another CA's root), view the private
> association the RP has with the OP as the means by which a USER
> “cross-certifies” the certificate/CA being delivered to the RP in a
> positive assertion.
So, Peter, would it satisfy your notion of user-centricity if
every user locally reissued all (what some like to call) root
certificates? I.e. the user replaces the issuer field and
resigns the TBSCertificate part with that user's most trustworthy
private key, namely, the user's own?
Eric Norman
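Eric's closing question describes a concrete operation on X.509 certificates. The following is an added example, not code from this thread or from any OpenID project, written in Go with only the standard library: it keeps a CA root's subject and public key, replaces the issuer with the user's own name, signs the new TBSCertificate with the user's key, and then checks that a leaf issued by the CA chains to the user's key only through that reissued certificate. Every certificate here is a constructed throwaway sample, and the function names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign builds tmpl with issuer's name as issuer, signs it with signer, and returns the parsed certificate.
func sign(tmpl, issuer *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // freshly generated DER always parses
	return cert
}

// NewCert makes a throwaway (constructed, not real) certificate: self-signed when parent is nil, else issued by parent.
func NewCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: isCA}
	if parent == nil { // self-signed: the certificate is its own issuer
		parent, parentKey = tmpl, key
	}
	return sign(tmpl, parent, &key.PublicKey, parentKey), key
}

// LocallyReissue keeps root's subject and public key, swaps the issuer for the user's name, and signs with the user's key.
func LocallyReissue(root, userRoot *x509.Certificate, userKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: new(big.Int).Add(root.SerialNumber, big.NewInt(1)), Subject: root.Subject,
		NotBefore: root.NotBefore, NotAfter: root.NotAfter, IsCA: true, BasicConstraintsValid: true}
	return sign(tmpl, userRoot, root.PublicKey, userKey)
}

// ChainsToUser reports whether leaf validates with the user's certificate as the ONLY trusted root; bridge may be nil.
func ChainsToUser(leaf, bridge, userRoot *x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(userRoot)
	if bridge != nil {
		inter.AddCert(bridge) // the locally reissued CA root acts as an intermediate
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
```

Note that the reissued certificate changes nothing about the CA's own key: a forgery signed by that key still validates, which is the point of Eric's question.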