[security] Gathering requirements for in-browser OpenID support
Joaquin Miller
joaquin at netmesh.us
Wed Nov 1 15:12:18 UTC 2006
>Browsers cannot do asymmetric cryptography out of the context of the
>site you're visiting, so I think "us doubters" might have a valid point
Don't get me wrong, folks.
This sentence:
It may help those doubters if we now briefly explain how EKE
accomplishes a) and b).
was not aimed at the doubters.
In any case, there is nothing at all wrong with doubting; it helps
and is to be commended.
All I meant was that it may help if we now briefly explain how EKE
accomplishes a) and b). Help me,* help the very valuable doubters,
and help anyone else interested.
It turns out, of course, that some of us, myself included, missed the
point of the question.
I look forward to a happy future when browser technology 1) stores
public key/URL pairs, as Firefox now stores user+password/URL pairs
and 2) either handles the authentication (while using SSL encryption)
or handles public key encryption, too, as Thunderbird now does.
Cordially, Joaquin
* I don't see how any negotiated authentication or negotiated
encryption key can help against the man in the middle, without some
data being passed in another channel (quite possibly in the clear).
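As an added illustration of the footnote above (example code written for this page, not something posted in the thread or shipped by OpenID), here is a plain Diffie-Hellman negotiation with an active man in the middle, followed by the same negotiation with a key-confirmation step keyed by a secret the two ends shared over a separate channel. The group parameters are a toy 31-bit prime chosen for readability and are not safe for real use; the PSK-keyed confirmation is a simplification to make the point, not the EKE protocol itself, and the party names and passphrase are constructed for the example.

```python
"""Added illustration, not part of the original thread: an unauthenticated
Diffie-Hellman negotiation hands a man in the middle both session keys, and
a secret shared over a separate channel is what lets the endpoints notice.
The group below is a toy (a 31-bit prime) chosen for readability; it is not
safe for real use, and the PSK-keyed confirmation is a simplification,
not the EKE protocol itself."""
import hashlib
import hmac
import secrets

P = 2147483647  # 2^31 - 1; toy modulus for the example, far too small for real use
G = 7           # primitive root of P, so every non-zero residue is a power of 7


def derive_key(shared_value: int) -> bytes:
    """Hash the raw DH value (always < 2^31 here) into a fixed-length symmetric key."""
    return hashlib.sha256(shared_value.to_bytes(4, "big")).digest()


class Party:
    """One endpoint holding a DH private exponent and the matching public value."""

    def __init__(self, name: str, priv=None):
        self.name = name
        # A fixed exponent can be supplied for reproducible runs; otherwise pick one at random.
        self.priv = priv if priv is not None else secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def key_with(self, peer_pub: int) -> bytes:
        return derive_key(pow(peer_pub, self.priv, P))


def unauthenticated_exchange(alice, bob, mallory=None):
    """Plain DH over an unprotected channel.

    Returns (alice_key, bob_key, keys_mallory_can_compute).  Without Mallory
    the two keys agree.  With Mallory substituting her own public value in
    each direction, Alice and Bob end up with different keys and Mallory holds
    both, so she can decrypt, read and re-encrypt everything in transit.
    """
    if mallory is None:
        return alice.key_with(bob.pub), bob.key_with(alice.pub), []
    alice_key = alice.key_with(mallory.pub)   # Alice believes this value came from Bob
    bob_key = bob.key_with(mallory.pub)       # Bob believes this value came from Alice
    mallory_keys = [mallory.key_with(alice.pub), mallory.key_with(bob.pub)]
    return alice_key, bob_key, mallory_keys


def confirm_tag(psk: bytes, key: bytes) -> bytes:
    """Key-confirmation MAC keyed by a secret that was shared over another channel."""
    return hmac.new(psk, key, hashlib.sha256).digest()


def authenticated_exchange(alice, bob, psk: bytes, mallory=None) -> bool:
    """DH followed by a PSK-keyed confirmation exchange.

    Mallory can relay, alter or drop the tags, but without psk she cannot
    produce a valid tag for the key she negotiated with either side.
    Returns True only if both endpoints accept the peer's tag.
    """
    alice_key, bob_key, _ = unauthenticated_exchange(alice, bob, mallory)
    tag_from_alice = confirm_tag(psk, alice_key)   # travels Alice -> (Mallory) -> Bob
    tag_from_bob = confirm_tag(psk, bob_key)       # travels Bob -> (Mallory) -> Alice
    bob_accepts = hmac.compare_digest(tag_from_alice, confirm_tag(psk, bob_key))
    alice_accepts = hmac.compare_digest(tag_from_bob, confirm_tag(psk, alice_key))
    return alice_accepts and bob_accepts


if __name__ == "__main__":
    a, b, m = Party("alice"), Party("bob"), Party("mallory")
    psk = b"passphrase-exchanged-out-of-band"   # constructed sample secret
    ka, kb, _ = unauthenticated_exchange(a, b)
    print("plain DH, honest channel: keys agree ->", ka == kb)
    ka, kb, mk = unauthenticated_exchange(a, b, m)
    print("plain DH with Mallory: keys agree ->", ka == kb, "; Mallory holds both ->", mk == [ka, kb])
    print("PSK-confirmed, honest channel ->", authenticated_exchange(a, b, psk))
    print("PSK-confirmed with Mallory ->", authenticated_exchange(a, b, psk, m))
```

Two caveats on the design: a low-entropy password used as a bare HMAC key like this lets Mallory test guesses offline against the tags she captured, which is exactly the weakness EKE was designed to remove; and the kind of second channel needed depends on what crosses it, since a shared secret must be carried confidentially, whereas a public key or its fingerprint only has to arrive unmodified.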