[OpenID] security weakness regarding authentication of the relying party

Peter Vereshagin peter at vereshagin.org
Tue Jan 18 22:29:26 UTC 2011


Happiness lies in your own hand, Paul!
2011/01/18 15:45:29 -0500 "Paul E. Jones" <paulej at packetizer.com> => To fcorella at pomcor.com :

PEJ> 1)      TLS certificates are still more expensive than they ought to be.

I use Nossa for authentication at https://vereshagin.org.  It is the second year I use my SSL certificate (signature service) for free.
The CA in question is included as authoritative in Mozilla's and Microsoft's CA distributions.
I have no idea yet whether other major players, Google and Apple at least, are in for this, too. I have no access to their *wares in my (concrete) jungle :)
The question may be the IP address price though. Dynamic DNS providers may help here. And all-in-one software bundles like xampp/denwer, supplied with OP software onboard.
Acceptance of a CA can be a question for RPs, too. Should OPs use the CA store bundled with their OS for direct interactions with RPs, or should the OpenID standard have its own recommended CA list for this?
In the general case those lists can be different, since RP and OP are different hosts.

PEJ> 3)      Many client libraries still do not support SNI, including those running OpenID RP code.  The stock browser on Android and other browsers do not support SNI.

"Ain't it a shame" (c) Kurt Cobain :)

73! Peter pgp: A0E26627 (4A42 6841 2871 5EA7 52AB  12F8 0CE1 4AAC A0E2 6627)
--
http://vereshagin.org
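The two RP-side questions raised in the reply above (which CA list the RP trusts when it talks to an OP over TLS, and whether the RP's client stack supports SNI at all) as an added example; this is not code from the thread or from any OpenID library, and the function names are hypothetical:

```python
import socket
import ssl
from typing import Optional


def rp_tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Build the TLS context an RP uses when contacting an OP.

    ca_file=None  -> trust the CA store bundled with the OS (the "CA storage
                     bundled within their OS" option from the thread)
    ca_file=path  -> trust only a dedicated list, e.g. a hypothetical
                     OpenID-recommended CA bundle; an OP whose chain ends
                     outside that list is rejected (fail closed)
    """
    if ca_file is None:
        ctx = ssl.create_default_context()  # OS/distribution trust store
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=ca_file)  # raises if the file is missing
    ctx.check_hostname = True               # OP cert must match the OP hostname
    ctx.verify_mode = ssl.CERT_REQUIRED     # never accept an unverified OP
    return ctx


def sni_supported() -> bool:
    """Without SNI an OP hosted on a shared IP serves the default (wrong) cert,
    so hostname verification fails and the RP cannot complete discovery."""
    return ssl.HAS_SNI


def fetch_op_certificate(host: str, port: int = 443,
                         ca_file: Optional[str] = None) -> dict:
    """Open a verified TLS connection to the OP, sending SNI, and return the
    peer certificate the RP actually validated against its chosen CA list."""
    if not sni_supported():
        raise RuntimeError("TLS stack lacks SNI; OP on a shared IP cannot be verified")
    ctx = rp_tls_context(ca_file)
    with socket.create_connection((host, port), timeout=10) as raw:
        # server_hostname is what puts the SNI extension on the wire
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()
```

Calling `fetch_op_certificate("op.example")` performs the real network exchange; the context builder and SNI check can be exercised offline.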

