OpenID Email Discovery
Artur Bergman
sky at crucially.net
Fri Jan 4 11:14:04 UTC 2008
On Jan 4, 2008, at 12:07 PM, Trevor Johns wrote:
> On Jan 4, 2008, at 1:59 AM, Artur Bergman wrote:
>
>> Fair or not, I am tired of hearing how un-secure DNS, when
>> everything we do is based on it, and it being the worlds largest
>> working distributed database.
>
> There's a difference between working and secure. For example, email
> works great but it's far from secure.
>
Whatever, this discussion is old and bores me. You can always go out
and use DNSSEC.
>> There is SSL connecting to the provider that is being refereed
>> from the srv/txt field. Which is no different than what you are
>> referenced to from an A or CNAME or MX
>
> Which is why I said it depends on what is used as the claimed
> identifier. If the user's email address is used as the claimed
> identifier and I am able to change the user's record from:
>
> example.com TXT ‘OpenID * 10 https://*.example.com/’
>
> to:
>
> example.com TXT ‘OpenID * 10 https://*.myevilsite.com/’
>
> then all the SSL in the world won't help.
>
> If the email address _isn't_ the claimed identifier, then the end
> user has to validate that their OP-local identifier (which they
> don't know) is displayed correctly by the service provider. This is
> worse than an SSL failure, there isn't even a dialog asking them to
> click OK!
>
>> Not that it matters anyway, since people just click OK.
>
>
> If a service provider detects an SSL failure, there's no person
> there to press okay. Their server will just summarily deny the
> authentication request.
>
> The "click OK" problem is only between client-server communication.
> This is server-server communication.
Isn't this just a lookup of email address -> openid/url that is then
handled as a normal openid login?
Artur
More information about the specs
mailing list