On Sun, May 16, 2010 at 2:46 PM, SitG Admin <[email protected]> wrote:

>> Compare message passing diagrams and you'll realize it's just a semantic
>> difference.
>>
>
> I've been rethinking this, yes. Users still don't have a presence in the
> chain; this is just cutting out middlemen. Tossing in more middlemen to make
> up for leaving out an endpoint is a decent stop-gap measure, but doesn't
> substitute in the long run (and for solid mechanisms).
>
>
>>> It's nice "when people follow the rules": grand, but useless to protect
>>> against malicious OPs.
>>>
>>
>> Are you describing a security vulnerability? What rules must be violated
>> for malicious OPs to cause damage?
>>
>
> They pretend to be the user: only the SSL endpoint (at your OP) needs to be
> cached, so it can suddenly switch to giving out a *new* profile URL, one
> which *does* point back at the OP, and masquerade as you. (RPs should be
> paying attention to the HTTP data, as well, if there is any; not using it
> for authentication, sure, but if they look and it doesn't report the same OP
> anymore, maybe the user has changed their mind for some reason?)


The malicious server could only compromise user identifiers which point to
it. Obviously if the person controlling the malicious server also controls
the domain itself then they could make every URI on the domain point to it.

Don't use a server you don't trust. This is no different from email: I trust
Google not to read my email and click on reset-password links I receive.



>> Yes, and it damn well should. Self-signed certificates provide no form of
>> authentication, just encryption. OpenID doesn't need the encryption, it
>> needs the authentication.
>>
>
> Encryption is handled in-band by OAuth; got that. It's the mandatory
> "identifiers over SSL", combined with browsers that warn users "don't do
> this", that I'm commenting on here. It's not a stop sign, just a warning
> thought - if we make it mandatory *in the spec* for users to receive those
> warnings, we have to be careful that we're not relying on being able to
> convince users to *ignore* those warnings (almost certainly a bad idea,
> since anything we can try that *works* would then be used by a less
> benevolent crowd).
>
>
>> But until we have some other form of authn PKI to bootstrap from, you will
>> eat X509 certs with a verifiable chain of authority to a known trust root
>> and you will like it. Just like the rest of us.
>>
>
> I removed all my nssckbi.dll modules from all my Portable Firefox instances
> over a month ago; Web of Trust helps too, as does checking a site's cert
> through multiple Tor exit nodes located around the world (MitM *that*), and
> none of this is even *new*:
> https://blog.torproject.org/blog/life-without-ca
> What's *old* is checking the certs (and their chains, to the "trusted
> roots", *manually* . . . I used to be *so* inefficient when it came to this
> ;D
>
> -Shade
>
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
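The point made above, that a malicious OP "could only compromise user identifiers which point to it", is exactly what an RP's post-assertion discovery check enforces (OpenID 2.0, section 11.2). The following is an added example written for this thread, not code from the OpenID specs, the discussion participants, or any OpenID library. Discovery is simulated with a constructed in-memory table instead of real HTTPS fetches of XRDS/HTML documents, all hostnames and URLs are made up, and the "identifiers must be https" rule is an RP policy assumed for the example, matching the "identifiers over SSL" requirement debated in the thread.

```python
"""Simulated OpenID 2.0 relying-party check: an OP may only assert
identifiers whose discovery points back at that OP.

Added example for this mailing-list thread, not code from the OpenID
specs or any OpenID library. Discovery is simulated with a constructed
table instead of real HTTPS fetches of XRDS/HTML documents.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed stand-in for discovery results:
# claimed identifier -> (OP endpoint URL, OP-local identifier).
DISCOVERY = {
    "https://alice.example.net/": ("https://op.example.com/auth", "https://alice.example.net/"),
    "https://bob.example.org/": ("https://op.example.com/auth", "https://bob.example.org/"),
    # carol delegates to a different OP: op.example.com must not be able to
    # assert her identifier even though it can produce a signed response.
    "https://carol.example.net/": ("https://other-op.example/endpoint", "https://carol.example.net/"),
    # An identifier served over plain http, rejected by the https policy below.
    "http://dave.example.org/": ("https://op.example.com/auth", "http://dave.example.org/"),
}


@dataclass(frozen=True)
class Assertion:
    """The fields of a positive assertion that the RP cross-checks here."""
    op_endpoint: str   # openid.op_endpoint
    claimed_id: str    # openid.claimed_id
    identity: str      # openid.identity (the OP-local identifier)


def discover(claimed_id: str):
    """Simulated discovery; returns (op_endpoint, local_id) or None."""
    return DISCOVERY.get(claimed_id)


def _is_https(url: str) -> bool:
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def verify_assertion(assertion: Assertion):
    """Return (ok, reason). Signature verification (association or
    check_authentication) is a separate step assumed to have passed."""
    # Policy assumption for this example: identifiers and endpoints must be https.
    if not _is_https(assertion.claimed_id):
        return False, "claimed identifier is not served over https"
    if not _is_https(assertion.op_endpoint):
        return False, "OP endpoint is not https"

    # Re-run discovery on the asserted identifier instead of taking the OP's
    # word for it. A cached result is only acceptable if it was obtained from
    # the identifier itself, never from the OP that is now asserting it.
    found = discover(assertion.claimed_id)
    if found is None:
        return False, "discovery on claimed identifier failed"
    discovered_endpoint, discovered_local_id = found

    # The OP that sent the assertion must be the one the identifier points at.
    if discovered_endpoint != assertion.op_endpoint:
        return False, "identifier does not delegate to the asserting OP"
    # And the OP-local identifier must be the one discovery announced.
    if discovered_local_id != assertion.identity:
        return False, "OP-local identifier does not match discovery"
    return True, "ok"


if __name__ == "__main__":
    for case in (
        Assertion("https://op.example.com/auth", "https://alice.example.net/", "https://alice.example.net/"),
        Assertion("https://op.example.com/auth", "https://carol.example.net/", "https://carol.example.net/"),
        Assertion("https://evil.example/auth", "https://alice.example.net/", "https://alice.example.net/"),
    ):
        print(case.claimed_id, "via", case.op_endpoint, "->", verify_assertion(case))
```

The second and third cases are the two directions of the "masquerade" worry: an honest OP asserting an identifier that delegates elsewhere, and an unrelated endpoint asserting an identifier that delegates to someone else. Both fail on the endpoint comparison, so the damage a rogue OP can do stays confined to identifiers whose own discovery already names it.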
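Shade's alternative to a trust root, checking a site's certificate "through multiple Tor exit nodes located around the world", comes down to comparing the fingerprint each path sees and treating a lone dissenting path as the suspicious one. The block below is an added example of that comparison logic, not code from the thread or from the Tor project. The observations are constructed; in practice each would come from a TLS handshake routed through a different exit, with the DER certificate (as returned by SSLSocket.getpeercert(binary_form=True)) hashed by fingerprint(). The quorum and strict-majority thresholds are choices made for the example.

```python
"""Cross-checking a server certificate as seen from several network paths.

Added example, not code from the thread or from the Tor project. The
observations below are constructed; real ones would come from TLS
handshakes routed through different exits.
"""
import hashlib
from collections import Counter


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, the value each vantage point reports."""
    return hashlib.sha256(der_cert).hexdigest()


# Constructed observations: (vantage point, host, fingerprint). The view from
# "exit-de" differs from everyone else's, as a middlebox on that path would cause.
FP_GOOD = fingerprint(b"constructed DER for mail.example.net")
FP_BAD = fingerprint(b"constructed DER presented by a middlebox")
OBSERVATIONS = [
    ("exit-us", "mail.example.net", FP_GOOD),
    ("exit-jp", "mail.example.net", FP_GOOD),
    ("exit-br", "mail.example.net", FP_GOOD),
    ("exit-de", "mail.example.net", FP_BAD),
    ("exit-us", "small.example.org", fingerprint(b"constructed DER for small.example.org")),
]


def consensus(host, observations, quorum=3):
    """Majority fingerprint for host plus the vantage points that disagree.

    Returns (None, []) when fewer than `quorum` paths reported or no strict
    majority exists: with too few views, one subverted path could dictate
    the "consensus", so the function refuses to conclude anything.
    """
    views = [(vp, fp) for vp, h, fp in observations if h == host]
    if len(views) < quorum:
        return None, []
    top_fp, top_n = Counter(fp for _, fp in views).most_common(1)[0]
    if top_n * 2 <= len(views):          # plurality is not enough
        return None, []
    dissenters = sorted(vp for vp, fp in views if fp != top_fp)
    return top_fp, dissenters


def check_local_view(host, local_fp, observations, quorum=3):
    """Classify the certificate this client sees against the remote consensus.

    Returns ("ok" | "local-mismatch" | "inconclusive", detail).
    """
    cons, dissenters = consensus(host, observations, quorum)
    if cons is None:
        return "inconclusive", "no majority fingerprint for %s" % host
    if local_fp != cons:
        return "local-mismatch", "your path sees a certificate the majority does not"
    if dissenters:
        return "ok", "matches consensus; disagreeing paths: " + ", ".join(dissenters)
    return "ok", "matches consensus from every path"


if __name__ == "__main__":
    print(check_local_view("mail.example.net", FP_GOOD, OBSERVATIONS))
    print(check_local_view("mail.example.net", FP_BAD, OBSERVATIONS))
    print(check_local_view("small.example.org", FP_GOOD, OBSERVATIONS))
```

The interesting outcome is "local-mismatch": the majority of remote paths agree on one certificate and the local path sees another, which is the signature of interception between this client and the server. A single disagreeing exit with the local view matching the majority is reported but not treated as a local problem, since an exit can be the intercepted party too. None of this replaces chain validation for a first contact; it is a second opinion on top of it.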