[OpenID] OpenID Registering with Google - Securing Discovery
Sam Barber
Sam.Barber at thomsons.com
Fri Dec 17 17:24:54 UTC 2010
Hi all,
I've been working on integrating OpenID into our web application
using DotNetOpenAuth.
Our application only needs OpenID authentication and doesn't
communicate with any other google services through OAuth. Reading
through the Google documentation for OpenID it seems that the
Registering of an application and exchange of Keys is only available
for OAuth requests to Google Services and not OpenID.
Firstly, is my understanding of this correct?
If so, is there not a security risk of the Discovery of the Google
EndPoint being compromised by a man-in-the-middle attack when only
using OpenID?
The only information I have found on defending against this type of
attack is that the XRDS needs to be signed in order to confirm you are
receiving a valid endpoint, which doesn't seem to be an option with
Google OpenID.
Any corrections or pointers would be much appreciated,
Cheers,
Sam B
Sam Barber
Graduate Developer
Thomsons Online Benefits, Gordon House, 10 Greencoat Place, London, SW1P 1PH
E: Sam.Barber at thomsons.com, W: www.thomsons.com
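The concern in the post above is that an attacker in the path of the discovery request could hand the relying party a forged XRDS document pointing at a different OP endpoint. The usual defence for a relying party that only ever federates with one provider is to fetch discovery over TLS with certificate verification and then refuse any resolved endpoint that is not HTTPS or not on a short allow-list of expected hosts. The following is an added example of that second check, not code from the original post or from DotNetOpenAuth: the XRDS documents are constructed samples, and the TRUSTED_OP_HOSTS allow-list and the function names are assumptions for illustration.

```python
"""Validate an OpenID 2.0 XRDS discovery result before trusting the OP endpoint.

Added example (not from the original post or from DotNetOpenAuth). The XRDS
documents below are constructed samples and the allow-list of endpoint hosts
is an assumed deployment policy.
"""
import xml.etree.ElementTree as ET  # for untrusted XML in production, prefer defusedxml
from urllib.parse import urlparse

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"
OPENID2_SERVER = "http://specs.openid.net/auth/2.0/server"  # OP Identifier service type

# Assumed policy: the only host allowed to serve our OP endpoint.
TRUSTED_OP_HOSTS = frozenset({"www.google.com"})


class DiscoveryError(Exception):
    """Raised when the XRDS document is malformed or its endpoint is not acceptable."""


def extract_op_endpoint(xrds_xml: str) -> str:
    """Return the URI of the first OpenID 2.0 OP Identifier service in the XRDS."""
    root = ET.fromstring(xrds_xml)
    if root.tag != f"{{{XRDS_NS}}}XRDS":
        raise DiscoveryError("not an XRDS document")
    for service in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in service.findall(f"{{{XRD_NS}}}Type") if t.text}
        if OPENID2_SERVER in types:
            uri = service.find(f"{{{XRD_NS}}}URI")
            if uri is None or not uri.text:
                raise DiscoveryError("OP service has no URI")
            return uri.text.strip()
    raise DiscoveryError("no OpenID 2.0 OP endpoint in XRDS")


def validate_op_endpoint(endpoint: str) -> str:
    """Reject endpoints that are not HTTPS or not served by a trusted host."""
    parts = urlparse(endpoint)
    if parts.scheme != "https":
        raise DiscoveryError(f"OP endpoint is not HTTPS: {endpoint}")
    if parts.hostname not in TRUSTED_OP_HOSTS:
        raise DiscoveryError(f"OP endpoint host not trusted: {parts.hostname}")
    return endpoint


def discover_trusted_endpoint(xrds_xml: str) -> str:
    """Parse and validate; returns the endpoint only if every check passes."""
    return validate_op_endpoint(extract_op_endpoint(xrds_xml))


def is_trusted(xrds_xml: str) -> bool:
    """Convenience wrapper: True if the XRDS resolves to an acceptable endpoint."""
    try:
        discover_trusted_endpoint(xrds_xml)
        return True
    except (DiscoveryError, ET.ParseError):
        return False


def _xrds(endpoint: str) -> str:
    """Build a constructed sample XRDS naming `endpoint` as the OP."""
    return f"""<xrds:XRDS xmlns:xrds="{XRDS_NS}" xmlns="{XRD_NS}">
  <XRD>
    <Service priority="0">
      <Type>{OPENID2_SERVER}</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <URI>{endpoint}</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


# Constructed samples: one as expected, one with TLS stripped, one pointing elsewhere.
GOOD_XRDS = _xrds("https://www.google.com/accounts/o8/ud")
DOWNGRADED_XRDS = _xrds("http://www.google.com/accounts/o8/ud")
REDIRECTED_XRDS = _xrds("https://op.attacker.example/endpoint")

if __name__ == "__main__":
    for label, doc in [("good", GOOD_XRDS), ("downgraded", DOWNGRADED_XRDS), ("redirected", REDIRECTED_XRDS)]:
        print(label, "accepted" if is_trusted(doc) else "rejected")
```

This check only makes sense alongside TLS on the discovery fetch itself: if the XRDS is retrieved over plain HTTP, or over HTTPS without certificate validation, an in-path attacker can still replace the document, and the allow-list merely limits what a forged document can point at. Pinning the expected endpoint also means the relying party fails closed if the provider ever relocates its OP, so the allow-list needs to be maintained as deployment configuration rather than hard-coded.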