OpenID Email Discovery

Hallam-Baker, Phillip pbaker at verisign.com
Fri Jan 4 20:21:17 UTC 2008


On the contrary, you require the SSL certificate to match the domain of the identifier being authenticated and the problem is solved.

Alternatively you use a scheme such as SAML to perform the authentication which would provide more flexibility than a transport layer security model.

One reason I strongly prefer the email identifier approach is precisely because it maps so much better to PKI. 

> -----Original Message-----
> From: specs-bounces at openid.net 
> [mailto:specs-bounces at openid.net] On Behalf Of Trevor Johns
> Sent: Friday, January 04, 2008 6:08 AM
> To: Artur Bergman
> Cc: 'OpenID specs list'
> Subject: Re: OpenID Email Discovery
> 
> On Jan 4, 2008, at 1:59 AM, Artur Bergman wrote:
> 
> > Fair or not, I am tired of hearing how insecure DNS is, when 
> > everything we do is based on it, and it being the world's largest 
> > working distributed database.
> 
> There's a difference between working and secure. For example, 
> email works great but it's far from secure.
> 
> > There is SSL connecting to the provider that is being referred from 
> > the srv/txt field. Which is no different than what you are referred 
> > to from an A or CNAME or MX
> 
> Which is why I said it depends on what is used as the claimed 
> identifier. If the user's email address is used as the 
> claimed identifier and I am able to change the user's record from:
> 
> 	example.com   TXT   ‘OpenID * 10 https://*.example.com/’
> 
> to:
> 
> 	example.com   TXT   ‘OpenID * 10 https://*.myevilsite.com/’
> 
> then all the SSL in the world won't help.
> 
> If the email address _isn't_ the claimed identifier, then the 
> end user has to validate that their OP-local identifier 
> (which they don't know) is displayed correctly by the service 
> provider. This is worse than an SSL failure, there isn't even 
> a dialog asking them to click OK!
> 
> > Not that it matters anyway, since people just click OK.
> 
> 
> If a service provider detects an SSL failure, there's no 
> person there to press okay. Their server will just summarily 
> deny the authentication request.
> 
> The "click OK" problem is only between client-server communication.  
> This is server-server communication.
> 
> --
> Trevor Johns
> http://tjohns.net
> 
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
> 

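The binding Hallam-Baker argues for above (the OP endpoint and its certificate must match the domain of the email identifier), applied to the TXT-record scenario Trevor Johns describes, as an added worked example. This is not code from the OpenID specs list or from any OpenID implementation; the record layout `OpenID <selector> <priority> <url-template>`, the substitution of the email local part for `*` in the template, and the zone data are assumptions made for illustration.

```python
# Added example (not from the OpenID specs or any OpenID library): reject a
# discovered OP endpoint unless its host lies inside the identifier's domain
# and the TLS certificate presented there names that host.  Record layout,
# '*'-substitution and zone contents are assumptions for illustration.
from urllib.parse import urlsplit


class DiscoveryError(Exception):
    """Raised when discovery yields nothing a relying party may trust."""


# Constructed zone data standing in for resolver answers (not real DNS).
HONEST_ZONE = {"example.com": ["OpenID * 10 https://*.example.com/"]}
# The attacker-modified record from the thread: same name, foreign endpoint.
TAMPERED_ZONE = {"example.com": ["OpenID * 10 https://*.myevilsite.com/"]}


def parse_openid_txt(txt):
    """Split 'OpenID <selector> <priority> <url-template>' into its fields."""
    fields = txt.split()
    if len(fields) != 4 or fields[0] != "OpenID" or not fields[2].isdigit():
        raise DiscoveryError("not an OpenID discovery record: %r" % txt)
    return fields[1], int(fields[2]), fields[3]


def discover_endpoint(email, zone):
    """Pick the lowest-priority matching record and expand its template."""
    local, sep, domain = email.rpartition("@")
    if not (local and sep and domain):
        raise DiscoveryError("not an email identifier: %r" % email)
    domain = domain.lower()
    candidates = []
    for txt in zone.get(domain, []):
        try:
            selector, priority, template = parse_openid_txt(txt)
        except DiscoveryError:
            continue  # unrelated TXT records share the name; skip them
        if selector in ("*", local):
            candidates.append((priority, template))
    if not candidates:
        raise DiscoveryError("no OpenID record for %s" % domain)
    candidates.sort()
    return candidates[0][1].replace("*", local, 1), domain


def host_within_domain(host, domain):
    """True iff host is the domain itself or a label-aligned subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def cert_name_matches(host, name):
    """Exact match, or a single wildcard covering only the leftmost label."""
    host, name = host.lower(), name.lower()
    if name.startswith("*."):
        return host.count(".") == name.count(".") and host.endswith(name[1:])
    return host == name


def verify_op_endpoint(email, zone, cert_names):
    """Return the OP endpoint only if it is bound to the identifier's domain.

    cert_names: the subjectAltName DNS entries of the certificate the endpoint
    served, assumed already chain-validated by the TLS layer.
    """
    endpoint, domain = discover_endpoint(email, zone)
    parts = urlsplit(endpoint)
    if parts.scheme != "https" or not parts.hostname:
        raise DiscoveryError("OP endpoint must be https: %s" % endpoint)
    # This is the step that defeats the tampered record: a valid certificate
    # for *.myevilsite.com is useless because the host is outside example.com.
    if not host_within_domain(parts.hostname, domain):
        raise DiscoveryError("endpoint %s is outside %s" % (parts.hostname, domain))
    if not any(cert_name_matches(parts.hostname, n) for n in cert_names):
        raise DiscoveryError("certificate does not name %s" % parts.hostname)
    return endpoint


def endpoint_or_none(email, zone, cert_names):
    """Convenience wrapper: the accepted endpoint, or None when rejected."""
    try:
        return verify_op_endpoint(email, zone, cert_names)
    except DiscoveryError:
        return None


if __name__ == "__main__":
    print(endpoint_or_none("alice@example.com", HONEST_ZONE, ["*.example.com"]))
    print(endpoint_or_none("alice@example.com", TAMPERED_ZONE, ["*.myevilsite.com"]))
```

With the honest record the relying party accepts `https://alice.example.com/`; with the tampered record it rejects the endpoint before the certificate is even consulted, which is the property a bare "the connection used SSL" check lacks. The domain check is deliberately label-aligned, so `notexample.com` does not pass as a suffix match of `example.com`.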

