[security] DNS poisoning versus CA issues

Josh Hoyt josh at janrain.com
Wed Oct 25 23:09:55 UTC 2006


On 10/25/06, Dan Lyke <danlyke at flutterby.com> wrote:
> At this point I've fairly well convinced myself that there's nothing
> to be lost if anything in the OpenID process (except however the User
> authenticates with the Identity Provider, but we've already mentioned
> that that's not the purview of the OpenID spec) gets sniffed.

There are a couple of places where eavesdropping is significant. There
is a section in the draft specification [1] about this.

Josh

1. http://openid.net/specs/openid-authentication-2_0-10.html#anchor45


