[security] [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Fri Aug 8 21:37:06 UTC 2008


Peter Williams:
> It did seem strange that openid was singled out. The publicity will be only beneficial, however. Openid had no pretensions to grandeur in the higher assurance arena, of course. Now it's getting more relevant, of course increasing relevancy now begs the question: should that stance continue? Who wants to rely on openid for blog spamming protection or antiphishing (both claims made about openid) if they don't really work!

Well, there is one thing which has been raised in the past - including 
by myself...OpenID OPs lack any policy statements - auditing and general 
responsibility requirements and adherence to standards. Yes, this smells 
like PKI, but in my opinion something has to be done to strengthen the 
standard and raise the barrier of entry. Relying on anybody's OP is 
simply not in the cards...and as this example shows, a governing body 
could have potentially prevented OPs from using weak keys (once it was 
disclosed) and would potentially solve other problematic practices. It 
would make OpenID reasonably secure! It would allow Yahoo and others to 
rely on such approved providers, making OpenID really useful.

