<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w="urn:schemas-microsoft-com:office:word"><head><META content="text/html; charset=utf-8" http-equiv="Content-Type">
</head><BODY>
<P CLASS="730d4622-0455-4950-8104-0164f3c9dd6f">
<P CLASS="3a15b322-1bb6-4847-8fd7-c80e82d15f43"><div class=WordSection1><p class=MsoNormal>Hi all,</p>
<p class=MsoNormal>I've been working on integrating OpenID into our web application using DotNetOpenAuth.</p>
<p class=MsoNormal>Our application only needs OpenID authentication and doesn't communicate with any other Google services through OAuth. Reading through the Google documentation for OpenID it seems that the Registering of an application and exchange of Keys is only available for OAuth requests to Google Services and not OpenID.</p>
<p class=MsoNormal>Firstly, is my understanding of this correct?</p>
<p class=MsoNormal>If so, is there not a security risk of the Discovery of the Google EndPoint being compromised by a man-in-the-middle attack when only using OpenID?</p>
<p class=MsoNormal>The only information I have found on defending against this type of attack is that the XRDS needs to be signed in order to confirm you are receiving a valid endpoint, which doesn't seem to be an option with Google OpenID.</p>
<p class=MsoNormal>Any corrections or pointers would be much appreciated,</p>
<p class=MsoNormal>Cheers,</p>
<p class=MsoNormal>Sam B</p></div></P>
<P CLASS="3a15b322-1bb6-4847-8fd7-c80e82d15f43">
<P><FONT FACE="Arial"><FONT COLOR="#7f7f7f" SIZE="1">Sam Barber</FONT><BR><FONT COLOR="#ff9933" SIZE="1"><STRONG><SPAN STYLE="FONT-SIZE: 8pt; COLOR: #db0962; FONT-FAMILY: 'Arial','sans-serif'; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-ansi-language: EN-GB; mso-fareast-language: EN-GB; mso-bidi-language: AR-SA">Graduate Developer</SPAN></STRONG></FONT></FONT></P>
<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0" WIDTH="400">
<TBODY>
<TR>
<TD WIDTH="175"><FONT COLOR="#7f7f7f" FACE="Arial" SIZE="1">Thomsons Online Benefits</FONT></TD>
<TD WIDTH="225"><FONT COLOR="#7f7f7f" FACE="Arial" SIZE="1">M:</FONT></TD></TR>
<TR>
<TD><FONT COLOR="#7f7f7f" FACE="Arial" SIZE="1">Gordon House</FONT></TD>
<TD><FONT COLOR="#7f7f7f" FACE="Arial" SIZE="1">T: </FONT></TD></TR>
<TR>
<TD><FONT COLOR="#7f7f7f" FACE="Arial" SIZE="1">10 Greencoat Place</FONT></TD>
<TD><FONT COLOR="#7f7f7f" FACE="Arial" SIZE="1">E: Sam.Barber@thomsons.com</FONT></TD></TR>
<TR>
<TD><FONT COLOR="#7f7f7f" FACE="Arial" SIZE="1">London SW1P 1PH</FONT></TD>
<TD><FONT COLOR="#7f7f7f" FACE="Arial" SIZE="1">W: <A HREF="http://www.thomsons.com/">www.thomsons.com</A></FONT></TD></TR></TBODY></TABLE>
<P></P>
<P></P> </P></P>
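<P>Added example, not part of the original message and not DotNetOpenAuth code: a relying-party check, written in Python for illustration, that accepts unsigned XRDS discovery output only when it was fetched over HTTPS and names an HTTPS endpoint on an expected provider host. The function names, the <code>op.example</code> hosts and the sample documents are assumptions constructed for this example; the fetch itself, with certificate validation, is assumed to happen before this check.</P>

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
XRD = "{xri://$xrd*($v*2.0)}"  # XRD 2.0 XML namespace
OP_SERVER = "http://specs.openid.net/auth/2.0/server"  # OpenID 2.0 OP service type

def https_host(url, what):
    """Return the lower-cased host of an https URL, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"{what} is not an https URL: {url!r}")
    return parts.hostname

def select_op_endpoint(discovery_url, xrds, allowed_hosts):
    """Return the OP endpoint URI from an XRDS document, or raise ValueError."""
    # An unsigned XRDS is only as trustworthy as the channel that delivered it.
    https_host(discovery_url, "discovery URL")
    if b"<!DOCTYPE" in xrds:  # no DTDs: avoids entity-expansion tricks
        raise ValueError("XRDS contains a DTD")
    try:
        root = ET.fromstring(xrds)
    except ET.ParseError as exc:
        raise ValueError(f"XRDS is not well-formed: {exc}") from exc
    for service in root.iter(XRD + "Service"):
        types = {(t.text or "").strip() for t in service.findall(XRD + "Type")}
        if OP_SERVER not in types:
            continue
        for uri in service.findall(XRD + "URI"):
            endpoint = (uri.text or "").strip()
            # Fail closed: a downgraded or unexpected endpoint aborts the login.
            if https_host(endpoint, "OP endpoint") not in allowed_hosts:
                raise ValueError(f"unexpected OP endpoint host in {endpoint!r}")
            return endpoint
    raise ValueError("no OpenID 2.0 OP endpoint in XRDS")

def is_rejected(discovery_url, xrds, allowed_hosts):
    try:
        select_op_endpoint(discovery_url, xrds, allowed_hosts)
    except ValueError:
        return True
    return False

# Constructed sample documents (not captured traffic); all hosts are placeholders.
_TEMPLATE = (b'<?xml version="1.0" encoding="UTF-8"?>'
             b'<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>'
             b'<Service><Type>http://specs.openid.net/auth/2.0/server</Type>'
             b'<URI>%s</URI></Service></XRD></xrds:XRDS>')
GOOD_XRDS = _TEMPLATE % b"https://op.example/openid/ud"
SWAPPED_XRDS = _TEMPLATE % b"https://other-host.example/openid/ud"
DOWNGRADED_XRDS = _TEMPLATE % b"http://op.example/openid/ud"
```

<P>The host allow-list catches a swapped endpoint in the XRDS, but it is the certificate-validated HTTPS fetch that authenticates the document when no XRDS signature is available.</P>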
</body></HTML>