[OpenID] security weakness regarding authentication of the relying party
SitG Admin
sysadmin at shadowsinthegarden.com
Thu Jan 20 20:23:05 UTC 2011

At 11:09 AM -0800 1/18/11, Francisco Corella wrote:
>The first problem is what you say, users may be duped by
>similar-looking domain names. This may not be a protocol
>error, but it is an exploitable security weakness, and one
>that can be addressed: there are better ways of identifying
>the relying party to the user than a domain name.

Domain names scarcely have a collision-free namespace as it is! If
there are two strong, thriving communities at ABC.net and ABC.com,
the domain names *are* identical in one respect, but neither is about
to stop calling itself "ABC" or cease being associated with that
acronym. Shifting away from the protocol-based security check (having
users pay attention to domain names), while merely transforming how
the namespace collision problem *looks*, seems to be of limited
utility - better the devil we've already audited.

At 3:45 PM -0500 1/18/11, Paul E. Jones wrote:
>Let's assume we mandated use of HTTPS. What are the other issues?
>I'm still not sure what they are.

It would tie OpenID to a (semi-)centralized(*) system. This could be
mitigated with a plugin for Web of Trust.

(*Any rogue CA can act freely against all the others' votes, because
they don't get any.)

-Shade