<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<html>
<head>
<meta name="Generator" content="Microsoft Exchange Server">
<style>.EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; }</style>
</head>
<body>
<DIV id=idOWAReplyText64353 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>Burt, </FONT></DIV>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>We made such an analysis
here at VeriSign and I posted a few emails</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2>related to security concerns + proposed
profiles to the old Yadis list.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>I will later today or tomorrow follow up to
the <A href="mailto:specs@openid.net">specs@openid.net</A> and</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2>ping this <A
href="mailto:general@openid.net">general@openid.net</A> list when that's been
done.</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>Thanks,</FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2>Hans</FONT></DIV></DIV>
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> general-bounces@openid.net on behalf of
Burt Harris<BR><B>Sent:</B> Mon 9/11/2006 4:04 PM<BR><B>To:</B>
general@openid.net<BR><B>Subject:</B> OpenID security
questions<BR></FONT><BR></DIV>
<DIV><FONT face="Arial, sans-serif" size=2>
<DIV>I’ve spent the weekend reading up on OpenID. Very cool, I’m
interested.&nbsp;&nbsp; I’ve got a couple of questions regarding security of
the approach:</DIV>
<DIV> </DIV>
<DIV>Has a systematic analysis of threats to OpenID been made and
published? </DIV>
<DIV> </DIV>
<DIV>Does OpenID require that SSL be used by the consumer site when fetching the
identifier URL? If not, wouldn’t that leave the entire sequence of
operations vulnerable to DNS spoofing, etc.?&nbsp;&nbsp; </DIV>
<DIV> </DIV>
<DIV>Burt Harris</DIV>
<DIV>Microsoft Live Meeting</DIV>
<DIV><FONT face="Times New Roman, serif"
size=3></FONT> </DIV></FONT></DIV>
</body>
</html>