[OpenID] Password age and password reset

Peter Williams pwilliams at rapattoni.com
Thu May 14 03:03:19 UTC 2009


Follow the general rule in cryptosystem design: don't release (crypto) management signals to your enemy in the clear. Management signals -- such as auth information -- are typically the point at which one finds the chink in the armor with which to break the key management, the issuing number sequencing, the operational procedures ...and thereby degrade the strength of the hash cipher... or predict a secret or reveal base keying material.

Keep OpenID as a WebSSO protocol, asserting claims and releasing attributes. Don't try to turn it into an EAP, trying to remotely provision/manage keying material or secrets.


________________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of SitG Admin [sysadmin at shadowsinthegarden.com]
Sent: Wednesday, May 13, 2009 7:46 PM
To: Breno de Medeiros
Cc: general at openid.net
Subject: Re: [OpenID] Password age and password reset

>In what I am proposing the transfer is intermediated by the browser,
>so not covert.

A clever (and even marginally skilled) attacker will have all
redirects intercepted and waiting on their approval; if they can
learn of the RP's suspicion *and* block the OP from learning about
it, the transfer would be worse than useless: it would only serve to
annoy legitimate users.

-Shade
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general