[OpenID] OpenID Registering with Google - Securing Discovery
Breno de Medeiros
breno at google.com
Fri Dec 17 18:18:10 UTC 2010
Note that the Google discovery endpoints are SSL-only. I suggest you
configure your SSL client with a trusted set of CAs and configure it for
hard fail if the SSL handshake negotiation does not complete successfully.
On Fri, Dec 17, 2010 at 09:24, Sam Barber <Sam.Barber at thomsons.com> wrote:
> Hi all,
>
> I've been working on integrating OpenID into our web application
> using DotNetOpenAuth.
>
> Our application only needs OpenID authentication and doesn't
> communicate with any other Google services through OAuth. Reading
> through the Google documentation for OpenID it seems that the
> Registering of an application and exchange of Keys is only available
> for OAuth requests to Google Services and not OpenID.
>
> Firstly, is my understanding of this correct?
>
> If so, is there not a security risk of the Discovery of the Google
> EndPoint being compromised by a man-in-the-middle attack when only
> using OpenID?
>
> The only information I have found on defending against this type of
> attack is that the XRDS needs to be signed in order to confirm you are
> receiving a valid endpoint, which doesn't seem to be an option with
> Google OpenID.
>
> Any corrections or pointers would be much appreciated,
>
> Cheers,
>
> Sam B
>
> <http://www.thomsonsonlinebenefits.com/>
>
> Sam Barber
> *Graduate Developer*
> Thomsons Online Benefits M: Gordon House T: 10 Greencoat Place E:
> Sam.Barber at thomsons.com London SW1P 1PH W: www.thomsons.com
--
--Breno
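
The advice in the reply above (a fixed set of trusted CAs, and a hard fail when the handshake does not complete), sketched as an added example in generic Python; it is not code from this thread or from DotNetOpenAuth. The function names, the `cafile` parameter and the `example.invalid` hosts used to exercise it are hypothetical, and refusing redirects that leave HTTPS is an added assumption that goes slightly beyond the reply.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit


def require_https(url):
    """Raise ValueError unless url is an https:// URL with a host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("discovery must use https: %r" % url)
    return url


class HttpsOnlyRedirects(urllib.request.HTTPRedirectHandler):
    """Refuse any redirect that would take discovery off HTTPS."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        require_https(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def strict_tls_context(cafile=None):
    """TLS context that verifies both the certificate chain and the host name.

    cafile: optional PEM bundle holding the trusted CA set (assumption: the
    deployment pins its own bundle); None means the platform trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch_discovery_document(url, cafile=None, timeout=10):
    """Fetch a discovery (XRDS) document over verified TLS only."""
    require_https(url)
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=strict_tls_context(cafile)),
        HttpsOnlyRedirects(),
    )
    # Deliberately no try/except here: a failed handshake surfaces as
    # urllib.error.URLError (wrapping ssl.SSLError) and must abort the
    # login rather than fall back to an unverified or plain-http fetch.
    with opener.open(url, timeout=timeout) as resp:
        require_https(resp.geturl())
        return resp.read()
```
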