<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META content="MSHTML 6.00.5730.11" name=GENERATOR></HEAD>
<BODY text=#000000 bgColor=#ffffff>
<DIV dir=ltr align=left><SPAN class=434545716-27102006><FONT face=Arial
color=#0000ff size=2>I seem to remember saying that this would happen if
authentication was outside the the scope of the spec.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=434545716-27102006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=434545716-27102006></SPAN> </DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> security-bounces@openid.net
[mailto:security-bounces@openid.net] <B>On Behalf Of </B>Eddy Nigg (StartCom
Ltd.)<BR><B>Sent:</B> Friday, October 27, 2006 7:21 AM<BR><B>Cc:</B>
security@openid.net<BR><B>Subject:</B> Re: [security] Who bears the
risk..<BR></FONT><BR></DIV>
<DIV></DIV>Hi All,<BR><BR>I'm glad to announce, that I have installed a new
OpenID Server for anybody to use. This is a supper-trooper and absolutely cool
OpenID server, since it doesn't require you to sign up, register or
anything...Total privacy! You can choose any user name and change the name every
time if you wish, all you have to do, is to provide at LiveJournal or other
blog/forum, a URI like <A class=moz-txt-link-freetext
href="http://123.no-password.com...everyhting">http://123.no-password.com...everyhting</A>
works, no questions asked! You can even choose a user name somebody else used
previously. This is specially interesting, since viagra.no-password.com will
become reusable...<BR><BR>I simply downloaded one of the libraries from the
OpenID web site and removed any authentication checking (patch available), so
that when you have to authenticate with no-password.com the web site simply
post's you back to LiveJournal with is_valid="true". Also I removed the
association for shared secrets with the RP, since there is nothing here to
protect and completely <A
href="http://openid.net/specs/openid-authentication-2_0-10.html#anchor3">optional</A>
according to the specs. This makes no-password.com the fastest OpenID server,
since we don't use SSL and have no need to create the assoc_handle. I'm sure we
gained about 10 milliseconds on this! BTW, did I tell you, that no-password.com
is completely private and anonymous? Any log files created by the server are
directed to /dev/null so that any traces of your visit at no-password.com are
destroyed immediately! This is much better that the PiP offered from Verisign,
since they probably keep log files and make back ups of their databases ;-) and
because according to the specs <I>the IdP establishes whether the End User is
authorized to perform OpenID Authentication and wishes to do so and the manner
in which the End User authenticates to their IdP is beyond the scope of the
OpenID Authentication 2.0 Specifications</I>, all users are authorized at
no-password.com without questions asked. Cool, isn't it?<BR><BR>I'm sure you now
understand how useful the OpenID framework is and you decided to add OpenID
login to your forum immediately. There are no requirements on your part, but you
should....well, really you <A
href="http://openid.net/specs/openid-authentication-2_0-10.html#initiation">should</A>
make a small form at your forum, so the user can enter the no-password.com URI.
It's also recommended that you place the <A
href="http://openid.net/login-bg.gif">OpenID logo</A> at the beginning of the
form field. Well, perhaps you just remove any authentication at your
forum...it's useless anyway...Count on no-password.com to always authenticate
the users of your forum positively!<BR><BR>However, I'm not sure, if I'll keep
no-password.com, since I just bought it and can return the domain within 10 days
without getting charged. Anyway, perhaps I'll get another one
(no-questions-asked.com is free) in ten days....I'll keep you updated on
this!<BR><BR>
<DIV class=moz-signature>-- <BR>
<DIV><FONT face=Arial size=2>Regards</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Signer: Eddy Nigg,
StartCom Ltd.</FONT></DIV>
<DIV><FONT face=Arial size=2>Phone:
+1.213.341.0390</FONT></DIV></DIV></BODY></HTML>