<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2963" name=GENERATOR><!-- converted from rtf -->
<STYLE>.EmailQuote {
        PADDING-LEFT: 4pt; MARGIN-LEFT: 1pt; BORDER-LEFT: #800000 2px solid
}
</STYLE>
</HEAD>
<BODY>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><SPAN class=127431116-12092006></SPAN><FONT face=Arial><FONT
color=#0000ff><FONT
size=2>SSL doesn't protect against DNS Poisoning<SPAN
class=127431116-12092006>/spoofing/pharming or whatever you want to call
it.</SPAN> <SPAN class=127431116-12092006> </SPAN>SSL<SPAN
class=127431116-12092006> protects against spoofing only if
people turn on revocation checking AND no-one uses self-signed
certs (self-signed certs are counterproductive when trying to create trust),
otherwise
it</SPAN> would only protect against data being <SPAN
class=127431116-12092006>eavesdropped on</SPAN>.<SPAN
class=127431116-12092006> </SPAN><SPAN class=127431116-12092006>DNSSEC is
the way to protect against DNS spoofing. </SPAN><SPAN
class=127431116-12092006></SPAN></FONT></FONT></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT><BR></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> general-bounces@openid.net
[mailto:general-bounces@openid.net] <B>On Behalf Of </B>Granqvist,
Hans<BR><B>Sent:</B> Tuesday, September 12, 2006 11:08 AM<BR><B>To:</B> Burt
Harris<BR><B>Cc:</B> general@openid.net<BR><B>Subject:</B> RE: OpenID security
questions<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV dir=ltr align=left><SPAN class=431250716-12092006><FONT face=Arial
color=#0000ff size=2>Burt,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=431250716-12092006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=431250716-12092006><FONT face=Arial
color=#0000ff size=2>I just posted a proposal to <A
href="mailto:specs@openid.net">specs@openid.net</A></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=431250716-12092006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=431250716-12092006><FONT face=Arial
color=#0000ff size=2>Thanks,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=431250716-12092006><FONT face=Arial
color=#0000ff size=2>Hans</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=431250716-12092006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV><BR>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> general-bounces@openid.net
[mailto:general-bounces@openid.net] <B>On Behalf Of </B>Burt
Harris<BR><B>Sent:</B> Monday, September 11, 2006 4:05 PM<BR><B>To:</B>
general@openid.net<BR><B>Subject:</B> OpenID security
questions<BR></FONT><BR></DIV>
<DIV></DIV><FONT face="Arial, sans-serif" size=2>
<DIV>I’ve spent the weekend reading up on OpenID. Very cool, I’m
interested. I’ve got a couple of questions regarding security of
the approach:</DIV>
<DIV> </DIV>
<DIV>Has a systematic analysis of threats to OpenID been made and
published? </DIV>
<DIV> </DIV>
<DIV>Does OpenID require that SSL be used by the consumer site when fetching
the identifier URL? If not, wouldn’t that leave the entire
sequence of operations vulnerable to DNS spoofing, etc? </DIV>
<DIV> </DIV>
<DIV>Burt Harris</DIV>
<DIV>Microsoft Live Meeting</DIV>
<DIV><FONT face="Times New Roman, serif"
size=3></FONT> </DIV></BLOCKQUOTE></FONT></BODY></HTML>