Just passing through, between one relay and another:
Thought experiment: Would you be satisfied if xauth were baked into
Chromium (hosted at www.chromium.org)? If
so, would it be sufficient to CNAME xauth.org to
www.chromium.org and serve up JS from
there, signed with the Chromium.org private key?
Assume that ALL requests are protected with SSL, so that the contents
of communications cannot be spied upon. An eavesdropper can STILL
figure out when a user is logging in with OpenID (and, with attention
to timing, WHICH sites they are logged in to!) by looking for
requests to the IP address of the central server.
What do we expect them to do in defense against this attack, route all
their communications through random public proxies?
-Shade
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs