Two Identifiers - no caching advantage
Josh Hoyt
josh at janrain.com
Thu Oct 19 19:20:37 UTC 2006
On 10/19/06, Josh Hoyt <josh at janrain.com> wrote:
> when she has control
Sorry that I didn't put this all in one message, but:
I think it's worthwhile to be aware of what might happen in scenarios
where your identifier has been stolen, but it should not have much
bearing on which proposal gets accepted, since the attacker will have
been able to inflict much greater harm elsewhere. I doubt that the
protocol can offer much protection if someone actually gets control of
your identifier.
For instance, some RPs will offer a way to transition an account from
one identifier to another (for e.g. domain names expiring). The
attacker can just transition those accounts to an identifier of hers.
Josh
More information about the specs
mailing list