[OpenID] Fwd: [OpenID Foundation] New Poll Opened
SitG Admin
sysadmin at shadowsinthegarden.com
Fri Mar 20 18:19:01 UTC 2009
>StartSSL, MyopenID, and Verisign will all issue you with a
>certificate that you can or in one case must use to authenticate
>yourself to your OP. This is a free service of all three OPs, just
>to cut off the cost of certs argument people are formulating:)
To repeat, cost of certs is not merely monetary - for example, if an
authority requires you to send them your personal information so you
can register for their "free" service, this is a cost (even if it's
one you wouldn't mind paying).
Imagine a hotel manager advertising "free rooms" - except, when
guests arrive, they are told they'll need to trade sexual favors each
night they stay there. It's not money, so it's still a "free" room,
technically. Right?
>Some people would claim OTP tokens to be unphishable.
>http://paranoia.dubfire.net/2007/04/deceit-augmented-man-in-middle-attack.html
>
>Without some sort of PK infrastructure OTP tokens are not. End of argument.
There are timing-based defenses (with multiple OTPs) that can be
substituted. The problem is, most users don't want to take 5 minutes
logging in.
-Shade