[security] DNS poisoning versus CA issues
Dan Lyke
danlyke at flutterby.com
Thu Oct 26 17:15:03 UTC 2006
On Wed, 25 Oct 2006 16:09:55 -0700, Josh Hoyt wrote:
> There are a couple of places where eavesdropping is significant.
> There is a section in the draft specification [1] about this.
[snip]
> 1. http://openid.net/specs/openid-authentication-2_0-10.html#anchor45
Yes, and since that section also gives ways for using the protocol in
which eavesdropping is not significant, all of which are up to the
Relying Party, I'm willing to make the simplification that, with
proper implementation, sniffing doesn't matter.
Dan