[security] Gathering requirements for in-browser OpenID support

Joaquin Miller joaquin at netmesh.us
Sun Oct 29 15:34:28 UTC 2006


>Besides - and the most important thing really - there's no such 
>thing that *I've* ever heard of that *can* be put into any protocol 
>to prevent MitM attacks from succeeding.  If user A doesn't check 
>their URL says site B when user A thinks they're on site C - then 
>site B can merely proxy anything site C puts up, stealing whatever 
>they want in the process.

I trust the security experts are enjoying the fine weather this 
weekend.  I know I should wait for one of them to respond to this, 
but... golly gee, whillikers!

Use of a public key known to be authentic prevents man in the middle 
attacks from succeeding.

Cordially, Joaquin



(p.s. Please don't anyone identify use of public/private key pairs 
with whatever they are calling "PKI.")
(p.p.s.  Notice: All I claim above is: Use of a public key known to 
be authentic prevents man in the middle attacks from succeeding.)
(p.p.p.s If I'm wrong on this, let's wait until one of the experts 
corrects me.)
(p.p.p.p.s  Yes, if you want to nail me now, I'm wrong; for example: 
http://www.schneier.com/paper-chosen-protocol.pdf .)