<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Josh Hoyt wrote:<br>
<blockquote
cite="mid34714aad0610231417y39297c2ev3136ca70d654071@mail.gmail.com"
type="cite">This is indeed a known attack. Can you confirm that the
attack you
<br>
originally described was against the relying party's name resolution?
<br>
</blockquote>
It wasn't the intention, but could have been an option, albeit an
"expensive" one...<br>
<blockquote
cite="mid34714aad0610231417y39297c2ev3136ca70d654071@mail.gmail.com"
type="cite">The shared secret exchange, when it happens over plain
HTTP, is done
<br>
with the Diffie-Hellman key exchange algorithm. This algorithm is not
<br>
vulnerable to sniffing.
<br>
</blockquote>
Yes, I suspected that...So I think it's done always, even in https
mode? Not sure about that one...So SSL would certainly give additional
protection to the whole process. The scary thing about OpenID is, that
once compromised, it allows access without borders, which is the
purpose of OpenID in first place, but also requires the special,
multiple attention on securing <u>everything</u> (including the home
sites). <br>
<blockquote
cite="mid34714aad0610231417y39297c2ev3136ca70d654071@mail.gmail.com"
type="cite">Josh
<br>
</blockquote>
In any case, it seems, that there are some protections in place, which
is really a good sign! So perhaps our announcement of spoofing a
homesite (and RP) was a little bit premature for which I apologize. But
perhaps because of it, we are continuing the exploration and hopefully
contribution to OpenID now and in the future! Cheers!<br>
<br>
<div class="moz-signature">-- <br>
<div><font face="Arial" size="2">Regards</font></div>
<div><font face="Arial" size="2"> </font></div>
<div><font face="Arial" size="2">Signer: Eddy Nigg, StartCom Ltd.</font></div>
<div><font face="Arial" size="2">Phone: +1.213.341.0390</font></div>
</div>
</body>
</html>