On Sun, May 16, 2010 at 2:46 PM, SitG Admin <span dir="ltr"><<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Compare message passing diagrams and you'll realize it's just a semantic difference.<br>
</blockquote>
<br></div>
I've been rethinking this, yes. Users still don't have a presence in the chain; this is just cutting out middlemen. Tossing in more middlemen to make up for leaving out an endpoint is a decent stop-gap measure, but doesn't substitute in the long run (and for solid mechanisms).<div class="im">
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
It's nice "when people follow the rules": grand, but useless to protect against malicious OP's.<br>
</blockquote>
<br>
Are you describing a security vulnerability? What rules must be violated for malicious OPs to cause damage?<br>
</blockquote>
<br></div>
They pretend to be the user: only the SSL endpoint (at your OP) needs to be cached, so it can suddenly switch to giving out a *new* profile URL, one which *does* point back at the OP, and masquerade as you. (RP's should be paying attention to the HTTP data, as well, if there is any; not using it for authentication, sure, but if they look and it doesn't report the same OP anymore, maybe the user has changed their mind for some reason?)</blockquote>
<div><br></div><div>The malicious server could only compromise user identifiers which point to it. Obviously if the person controlling the malicious server also controls the domain itself then they could make every URI on the domain point to it.</div>
<div><br></div><div>Don't use a server you don't trust. This is no different than email, I trust Google not to read my email and click on reset password links I receive.</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Yes, and it damn well should. Self signed certificates provide no form of authentication, just encryption. OpenID doesn't need the encryption, it needs the authentication.<br>
</blockquote>
<br></div>
Encryption is handled in-band by OAuth; got that. It's the mandatory "identifiers over SSL", combined with browsers that warn users "don't do this", that I'm commenting on here. It's not a stop sign, just a warning thought - if we make it mandatory *in the spec* for users to receive those warnings, we have to be careful that we're not relying on being able to convince users to *ignore* those warnings (almost certainly a bad idea, since anything we can try that *works* would then be used by a less benevolent crowd).<div class="im">
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
But until we have some other form of authn PKI to bootstrap from, you will eat X509 certs with a verifiable chain of authority to a known trust root and you will like it. Just like the rest of us.<br>
</blockquote>
<br></div>
I removed all my nssckbi.dll modules from all my Portable Firefox instances over a month ago; Web of Trust helps too, as does checking a site's cert through multiple Tor exit nodes located around the world (MitM *that*), and none of this is even *new*:<br>
<a href="https://blog.torproject.org/blog/life-without-ca" target="_blank">https://blog.torproject.org/blog/life-without-ca</a><br>
What's *old* is checking the certs (and their chains, to the "trusted roots", *manually* . . . I used to be *so* inefficient when it came to this ;D<br>
<br>
-Shade<div><div></div><div class="h5"><br>
_______________________________________________<br>
specs mailing list<br>
<a href="mailto:specs@lists.openid.net" target="_blank">specs@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
</div></div></blockquote></div><br>