[OpenID] OpenID Providers Invited to Join in an NSTIC Pilot Proposal
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Tue Feb 14 10:55:40 UTC 2012
On 02/14/2012 06:46 AM, From Francisco Corella:
> I guess you mean that if the relying party downloads a certificate in
> the body of an HTTP response with a content-type header whose value is
> a MIME type indicating that the body contains a certificate, and if
> Firefox "finds a valid key pair" then Firefox will import the
> certificate automatically. Did I guess right?
Yes.
> Well, depending on the details, that could be a security hole. If the
> valid key pair that Firefox finds consists of the public key in an
> existing certificate and the associated private key, Firefox could end
> up replacing the existing certificate with one downloaded by an
> attacker that binds the public key to the attacker's identity.
No, if an attacker could do that it'd be too late anyway, then he
probably could impersonate the entire internet. "Finding" a public key
that would match a private key is kind of impossible (with sufficient
key size). But I'm not sure if this is the right forum for such crypto
stuff.
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
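The import rule the two messages above argue about, as an added example written for this page and not code from the thread, from Firefox or from any browser: the browser's "valid key pair" test is modelled as a comparison of the certificate's public key against a private key already held. The example builds the situation Corella describes with constructed names ("alice", "mallory", "mallory-ca" are my assumptions), where a second CA issues a certificate that binds the user's existing public key, copied from the user's own certificate, to a different subject, and shows that the bare key-pair test accepts it. The `autoImportDecision` rule is one possible hardening of my own, not a description of any browser's behaviour.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyMatches is the "valid key pair" test from the thread: is the public key
// in cert the public half of a private key we already hold?
func keyMatches(cert *x509.Certificate, priv *ecdsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&priv.PublicKey)
}

// autoImportDecision is one possible hardening, an assumption of this example
// and not a description of any browser: a key match is necessary, but a cert
// that re-binds a key we already hold a certificate for to a different subject
// is held back for an explicit user decision instead of a silent replacement.
func autoImportDecision(cert *x509.Certificate, priv *ecdsa.PrivateKey,
	existing ...*x509.Certificate) (bool, string) {
	if !keyMatches(cert, priv) {
		return false, "no private key held for this public key"
	}
	for _, old := range existing {
		if keyMatches(old, priv) && old.Subject.String() != cert.Subject.String() {
			return false, fmt.Sprintf("key already certified as %q, new cert names %q",
				old.Subject.CommonName, cert.Subject.CommonName)
		}
	}
	return true, "key pair matches and subject is consistent"
}

// issue binds pub to common name cn. With parent nil the cert is self-signed
// by signer; otherwise parent is the issuing CA cert and signer its key.
func issue(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate,
	signer *ecdsa.PrivateKey, isCA bool) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// scenario builds the situation the thread discusses (all names constructed):
// the user's installed certificate for "alice", and a certificate from the
// attacker's own CA binding the same public key to the name "mallory".
func scenario() (userKey *ecdsa.PrivateKey, userCert, rogueCert *x509.Certificate, err error) {
	userKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	attackerCAKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	if userCert, err = issue("alice", &userKey.PublicKey, nil, userKey, false); err != nil {
		return
	}
	attackerCA, err := issue("mallory-ca", &attackerCAKey.PublicKey, nil, attackerCAKey, true)
	if err != nil {
		return
	}
	// Nothing to "find": the public key is public, so the attacker copies it
	// out of the user's existing certificate and certifies it under a new name.
	stolenPub := userCert.PublicKey.(*ecdsa.PublicKey)
	rogueCert, err = issue("mallory", stolenPub, attackerCA, attackerCAKey, false)
	return
}

func main() {
	userKey, userCert, rogueCert, err := scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("key-pair test alone accepts rogue cert:", keyMatches(rogueCert, userKey))
	ok, why := autoImportDecision(rogueCert, userKey, userCert)
	fmt.Printf("hardened rule accepts rogue cert: %v (%s)\n", ok, why)
}
```

Note that the hardened rule only helps when the browser still has the earlier certificate for that key to compare against; if none is installed, a key match is all the rule has, which is exactly the situation a first-time import is in.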