<HTML><BODY>
<div>Who said anything about setting up a fake OP? I'm talking about putting a proxy in front of either the RP or the OP (exactly the situation that applies when modifying the direct verfication).<br>
<br>
The proxy has to work only slightly harder, by modifying "associate" request/responses (directly between RP and OP) and assertions delivered from the OP to the RP by way of the browser.<br>
<br>
Please read the security section of the spec again. The protocol relies on DNS and the security of the transport. That's it. That's what makes it easy to deploy.<br>
<br>
Terry<br>
</div>
<div> </div>
<br>
-----Original Message-----<br>
From: hgranqvist@verisign.com<br>
To: thayes0993@AOL.COM<br>
Cc: security@openid.net<br>
Sent: Wed, 14 Feb 2007 9:54 AM<br>
Subject: Re: [security] MITM attacks on OpenID direct verification and association<br>
<br>
<div id="AOLMsgPart_0_7b723eff-8306-4b5a-a0b4-fc828da3981e" class="AOLPlainTextBody">
<pre><tt><a href='javascript:parent.ComposeTo("thayes0993%40AOL.COM", "");'>thayes0993@AOL.COM</a> wrote:
> In short, associations are useful for reducing the cost of verifying
> assertions by allowing the verification to be performed by the RP.
> However they do not add to the resistance to MITM attacks.
So you found it as easy to set up a fake OP as it is to proxy-change
a DV 'no' to 'yes' down-stream?
I bet you didn't. And that complexity difference is the added
resistance.
-Hans
_______________________________________________
security mailing list
<a href='javascript:parent.ComposeTo("security%40openid.net", "");'>security@openid.net</a>
<a href="http://openid.net/mailman/listinfo/security" target="_blank">http://openid.net/mailman/listinfo/security</a>
</tt></pre>
</div>
<!-- end of AOLMsgPart_0_7b723eff-8306-4b5a-a0b4-fc828da3981e -->
<div class="AOLPromoFooter">
<hr style="margin-top:10px;" />
<a href="http://pr.atwola.com/promoclk/1615326657x4311227241x4298082137/aol?redir=http%3A%2F%2Fwww%2Eaol%2Ecom%2Fnewaol" target="_blank"><b>Check out the new AOL</b></a>. Most comprehensive set of free safety and security tools, free access to millions of high-quality videos from across the web, free AOL Mail and more.<br />
</div>
</BODY></HTML>