OpenID Email Discovery
Trevor Johns
trevor at tjohns.net
Fri Jan 4 11:07:42 UTC 2008
On Jan 4, 2008, at 1:59 AM, Artur Bergman wrote:
> Fair or not, I am tired of hearing how un-secure DNS is, when
> everything we do is based on it, and it being the world's largest
> working distributed database.
There's a difference between working and secure. For example, email
works great but it's far from secure.
> There is SSL connecting to the provider that is being referred from
> the srv/txt field. Which is no different than what you are
> referenced to from an A or CNAME or MX
Which is why I said it depends on what is used as the claimed
identifier. If the user's email address is used as the claimed
identifier and I am able to change the user's record from:
    example.com TXT 'OpenID * 10 https://*.example.com/'
to:
    example.com TXT 'OpenID * 10 https://*.myevilsite.com/'
then all the SSL in the world won't help.
If the email address _isn't_ the claimed identifier, then the end user
has to validate that their OP-local identifier (which they don't know)
is displayed correctly by the service provider. This is worse than an
SSL failure; there isn't even a dialog asking them to click OK!
> Not that it matters anyway, since people just click OK.
If a service provider detects an SSL failure, there's no person there
to press okay. Their server will just summarily deny the
authentication request.
The "click OK" problem is only between client-server communication.
This is server-server communication.
--
Trevor Johns
http://tjohns.net
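
The record swap described in the message above, as an added example that is not part of the original post or of any OpenID specification: a relying-party check that inspects the TXT value itself, since TLS only authenticates whichever host the record names. The field layout, the function names, the pinning step and the address alice@example.com are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data: the two TXT values quoted in the message above.
ORIGINAL = "OpenID * 10 https://*.example.com/"
TAMPERED = "OpenID * 10 https://*.myevilsite.com/"


def parse_record(txt):
    """Parse 'OpenID <user-pattern> <priority> <endpoint-pattern>'.

    The field meanings are an assumption; the message only shows the values.
    """
    fields = txt.strip().strip("'\"").split()
    if len(fields) != 4 or fields[0] != "OpenID":
        raise ValueError("not an OpenID discovery record: %r" % txt)
    url = urlsplit(fields[3])
    if url.scheme != "https" or not url.hostname:
        raise ValueError("endpoint must be an https URL: %r" % fields[3])
    host = url.hostname
    if host.startswith("*."):
        host = host[2:]  # drop the wildcard label, keep the base host
    return {"priority": int(fields[2]), "endpoint": fields[3], "host": host}


def under(host, domain):
    """True if host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def review(email, txt, pinned_host=None):
    """Return the reasons a relying party should distrust this lookup.

    TLS only authenticates record['host'], so a spoofed record that names a
    host with a valid certificate passes TLS; these checks look at the record.
    """
    domain = email.rsplit("@", 1)[1].lower()
    record = parse_record(txt)
    findings = []
    if not under(record["host"], domain):
        findings.append("off_domain")
    if pinned_host is not None and record["host"] != pinned_host:
        findings.append("changed_since_pin")
    return findings


if __name__ == "__main__":
    pin = parse_record(ORIGINAL)["host"]  # host seen on an earlier lookup
    print(review("alice@example.com", ORIGINAL, pin))
    print(review("alice@example.com", TAMPERED, pin))
```

A domain that legitimately delegates to a third-party provider would also be reported as off_domain, so that finding is a prompt for further validation of the DNS answer rather than a verdict.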