[security] OpenID for High Security?

Phil Kulak pkulak at gmail.com
Tue Feb 20 23:56:46 UTC 2007


Is the final domain of the IP (what would an "OP" be?) something that
is exposed by your libraries? I ask because it's quite possible that a
user has a delegate set up at their address to point to an IP that
I've whitelisted, but that can't be determined until some redirections
have been followed.

On 2/20/07, Josh Hoyt <josh at janrain.com> wrote:
> On 2/20/07, Phil Kulak <pkulak at gmail.com> wrote:
> > Whitelisting would be an option, but I'm not sure I like it. The most
> > secure identity provider can be the one hosted on your own box, so it
> > seems a little odd that those are the ones I wouldn't allow. Do you
> > mean that I could set up some kind of click-through and have it show
> > up only if the user's IP is not on the whitelist? That could be an
> > option.
>
> I was suggesting that you whitelist OpenID providers, and show the
> click-through if the user has an OP that is not on the whitelist,
> since you don't know anything about that provider.
>
> It won't be very common that an OP can be hosted on a person's own
> computer, since an OP needs to be reachable by the relying party (for
> association or check_authentication) and most people's computers are
> behind a firewall or at least don't have static IPs.
>
> Josh
>
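An added example, not code from this thread or from any OpenID library, of the check the two messages above are circling around: run the OpenID 1.x HTML discovery step (the openid.server / openid.delegate link tags) and then compare the discovered OP endpoint host, rather than the claimed identifier's domain, against a whitelist of trusted OPs. The identifier pages, host names and whitelist are constructed for the example; a real relying party would fetch the claimed identifier over HTTP, follow its redirects, and hand the final page body to `decide`.

```python
"""Whitelist an OpenID *provider* after discovery, not the claimed identifier.

Added example; the identifier pages, hosts and whitelist below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _OpenIDLinkParser(HTMLParser):
    """Collect the first openid.server / openid.delegate <link> tags (OpenID 1.x)."""

    def __init__(self):
        super().__init__()
        self.server = None    # OP endpoint the RP will actually talk to
        self.delegate = None  # identifier the OP knows the user by, if delegated

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        href = a.get("href")
        if "openid.server" in rels and self.server is None:
            self.server = href
        if "openid.delegate" in rels and self.delegate is None:
            self.delegate = href


def discover(page_html):
    """Return (op_endpoint, delegate) parsed from a claimed identifier's HTML."""
    p = _OpenIDLinkParser()
    p.feed(page_html)
    return p.server, p.delegate


def op_host(endpoint):
    """Normalize an OP endpoint URL to a lower-case host name for comparison."""
    parts = urlsplit(endpoint)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("OP endpoint must be an absolute http(s) URL")
    return parts.hostname.lower()


def decide(claimed_id, page_html, whitelist):
    """Decide how the RP treats this login: allow, click-through, or reject.

    The whitelist is keyed on the discovered OP endpoint host, because that is
    the party the RP associates with and sends check_authentication to. The
    claimed identifier's own domain is deliberately not consulted: a user on
    their own domain who delegates to a whitelisted OP is allowed straight
    through, and a whitelisted-looking identifier that delegates to an
    unknown OP still gets the click-through.
    """
    endpoint, delegate = discover(page_html)
    if endpoint is None:
        return {"action": "reject", "reason": "no openid.server link",
                "claimed_id": claimed_id}
    try:
        host = op_host(endpoint)
    except ValueError as exc:
        return {"action": "reject", "reason": str(exc), "claimed_id": claimed_id}
    result = {"claimed_id": claimed_id, "op": host, "delegate": delegate}
    result["action"] = "allow" if host in whitelist else "click-through"
    return result


# Constructed sample data (not real hosts or a real whitelist).
WHITELIST = {"op.example.com"}

DELEGATING_PAGE = """<html><head>
<link rel="openid.server" href="https://op.example.com/server">
<link rel="openid.delegate" href="https://op.example.com/phil">
</head><body>Phil's identifier page on his own domain</body></html>"""

SELF_HOSTED_PAGE = """<html><head>
<link rel="openid.server" href="https://home.example.org/openid">
</head><body>OP running on the user's own box</body></html>"""

if __name__ == "__main__":
    for page in (DELEGATING_PAGE, SELF_HOSTED_PAGE, "<html></html>"):
        print(decide("http://example.net/phil/", page, WHITELIST))
```

The point of keying on `op` rather than `claimed_id` is exactly Phil's case: his identifier lives on his own domain, but the OP it delegates to is the one on the whitelist, so no click-through is needed. The self-hosted OP is unknown to the RP and gets the click-through Josh describes.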