[security] OpenID for High Security?

Josh Hoyt josh at janrain.com
Tue Feb 20 23:51:09 UTC 2007


On 2/20/07, Phil Kulak <pkulak at gmail.com> wrote:
> Whitelisting would be an option, but I'm not sure I like it. The most
> secure identity provider can be the one hosted on your own box, so it
> seems a little odd that those are the ones I wouldn't allow. Do you
> mean that I could set up some kind of click-through and have it show
> up only if the user's IP is not on the whitelist? That could be an
> option.

I was suggesting that you whitelist OpenID providers, and show the
click-through if the user has an OP that is not on the whitelist,
since you don't know anything about that provider.

It won't be very common that an OP can be hosted on a person's own
computer, since an OP needs to be reachable by the relying party (for
association or check_authentication) and most people's computers are
behind a firewall or at least don't have static IPs.

Josh
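The relying-party policy Josh describes (trust whitelisted OPs silently, show a click-through for any other provider), as an added example that is not part of the thread. The whitelist hosts and sample endpoint URLs are constructed for illustration; the scheme and port normalization is the part that usually goes wrong in ad hoc whitelists.

```python
"""Added example (not from the thread): a relying-party policy that decides
whether a discovered OpenID provider (OP) endpoint is trusted outright or must
be shown to the user behind a click-through page.
Whitelist entries and sample endpoints are constructed."""
from urllib.parse import urlsplit

# Constructed whitelist of OP endpoint hosts this RP has vetted.
TRUSTED_OP_HOSTS = {"www.myopenid.com", "openid.example.net"}


def normalize_host(endpoint_url):
    """Return the lowercase host of an OP endpoint URL, keeping a non-default
    port so that 'example.org:8080' is not confused with 'example.org'.
    Raises ValueError for anything that cannot be a reachable OP endpoint."""
    parts = urlsplit(endpoint_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("OP endpoint must be an absolute http(s) URL")
    host = parts.hostname.lower()
    default_port = {"http": 80, "https": 443}[parts.scheme]
    if parts.port is not None and parts.port != default_port:
        host = "%s:%d" % (host, parts.port)
    return host


def op_policy(endpoint_url, trusted=TRUSTED_OP_HOSTS):
    """Classify an OP endpoint for the RP's login flow:
    'trusted'       -> whitelisted provider, proceed without prompting
    'click-through' -> unknown provider, warn the user before continuing
    'reject'        -> not a usable OP endpoint at all"""
    try:
        host = normalize_host(endpoint_url)
    except ValueError:
        return "reject"
    if host in trusted:
        return "trusted"
    # Also accept hosts under a whitelisted domain (e.g. id.openid.example.net).
    if any(host.endswith("." + t) for t in trusted):
        return "trusted"
    return "click-through"
```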


