RE: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11

2007-01-22 Thread Hallam-Baker, Phillip
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Laurie More importantly, I think I have a solution that will make both of us happy, but I now have to go and ride my motorbike fast, so I'll detail it later. Now there is an exit line to tempt the Gods. The only way that I can see that you are

Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11

2007-01-22 Thread Ben Laurie
On 1/22/07, Hallam-Baker, Phillip [EMAIL PROTECTED] wrote: [mailto:[EMAIL PROTECTED] On Behalf Of Ben Laurie More importantly, I think I have a solution that will make both of us happy, but I now have to go and ride my motorbike fast, so I'll detail it later. Now there is an exit line

Re: Announcing OpenID Authentication 2.0 - Implementor's Draft 11

2007-01-22 Thread Ben Laurie
On 1/22/07, Stephane Bortzmeyer [EMAIL PROTECTED] wrote: On Mon, Jan 22, 2007 at 03:36:44PM +, Ben Laurie [EMAIL PROTECTED] wrote a message of 28 lines which said: The only way that I can see that you are going to circumvent an attempt using existing browser capabilities is to

Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11

2007-01-22 Thread Ben Laurie
On 1/22/07, Hallam-Baker, Phillip [EMAIL PROTECTED] wrote: From: Ben Laurie [mailto:[EMAIL PROTECTED] The only way that I can see that you are going to circumvent an attempt using existing browser capabilities is to introduce a malicious login page is through use of some form of

Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11

2007-01-22 Thread Josh Hoyt
On 1/22/07, Ben Laurie [EMAIL PROTECTED] wrote: On 1/22/07, Ben Laurie [EMAIL PROTECTED] wrote: OK, the idea is pretty simple. Rather like the OpenID Authentication Security Profiles you have a profile where the RP states what kind of End User/OP authentication is acceptable to it.

Re: 2.0 Spec Questions

2007-01-22 Thread Dick Hardt
On 21-Jan-07, at 4:48 PM, James McGovern wrote: Several questions after reading the 2.0 spec - draft 11. 1. The definition of realm if I am reading it correctly could be problematic in large enterprises. For example, if one were using a web access management product, they would have

Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11

2007-01-22 Thread James A. Donald
Hallam-Baker, Phillip If you change the browser you might as well really change the browser and use a strong authentication mechanism based on PKI Ben Laurie I'm sure you meant to say based on asymmetric cryptography. Hallam-Baker, Phillip No, any time you have a trusted key

OpenID Auth 2.0 security considerations

2007-01-22 Thread Johannes Ernst
What about a non-normative link from the spec to a place on the wiki where we can collect security considerations for it, and update those in real-time as discussions such as the phishing one progress.

Re: Special Request: Client Certificates vs. OpenID

2007-01-22 Thread Johannes Ernst
So I've been doing some asking around who might be interested in co- authoring some kind of white paper on the subject of user-centric identity in/for the enterprise. There are some volunteers with a variety of view points -- no guarantees that we'll manage to produce something

Re: Announcing OpenID Authentication 2.0 - Implementor's Draft 11

2007-01-22 Thread Stephane Bortzmeyer
On Mon, Jan 22, 2007 at 04:53:11PM +, Ben Laurie [EMAIL PROTECTED] wrote a message of 21 lines which said: Why not? The man in the middle sees what you would see, surely? OK, sorry, I replied too fast. I was replying in the context of a phishing attempt by a rogue RP redirecting to a

Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11

2007-01-22 Thread Ben Laurie
On 1/22/07, Ben Laurie [EMAIL PROTECTED] wrote: On 1/22/07, Josh Hoyt [EMAIL PROTECTED] wrote: On 1/22/07, Ben Laurie [EMAIL PROTECTED] wrote: On 1/22/07, Ben Laurie [EMAIL PROTECTED] wrote: OK, the idea is pretty simple. Rather like the OpenID Authentication Security Profiles you

CROSS POSTING :-(

2007-01-22 Thread Gabe Wachob
This is getting a little insane - many of us are subscribed to the four lists that this thread has been posted to. One person has suggested that we actually consolidate the separate lists given the overlap in membership and topics (at least the openid lists). The other option is to be more

RE: [OpenID] CROSS POSTING :-(

2007-01-22 Thread Recordon, David
I'd have to agree. I realize I am guilty for the start of this thread announcing the new spec draft, though am hoping we can move this discussion to [EMAIL PROTECTED] if that works for people. --David -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

RE: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11

2007-01-22 Thread Hallam-Baker, Phillip
SSL achieves the original security goals set for it. SSL does not achieve every security goal, that is not a failure. Certainly there are no grounds for the claim PKI has failed when it has succeeded in its original limited goals. I agree that the original goals were too narrow. That is an

Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11

2007-01-22 Thread Ka-Ping Yee
On Mon, 22 Jan 2007, Hallam-Baker, Phillip wrote: On the contrary, PKI is the basis of the security infrastructure that so far has provided the greatest defense against Internet crime - SSL. Judged by any rational set of standards SSL has been the most successful security protocol of all

Re: [security] [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11

2007-01-22 Thread Marcin Jagodziński
2007/1/22, Ben Laurie [EMAIL PROTECTED]: Actually, it appears to allow the RP to tell the OP what kind of authentication was used, which is backwards. It also seems to be rather lacking in meat. Still, a step in the right direction. I asked this question some time ago: is there any

Re: [OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

2007-01-22 Thread Simon Willison
On 19 Jan 2007, at 15:06, Scott Kveton wrote: What if the OP cataloged where you just came from and then presented the screen that you mention? The user is asked to navigate via a bookmark or entering the URL in the location bar and then upon logging in is presented with a link

OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

2007-01-22 Thread Simon Willison
On 19 Jan 2007, at 14:19, Ben Laurie wrote: Still totally unhappy about the phishing issues, which I blogged about here: http://www.links.org/?p=187 I have a proposal which I think could greatly reduce the risk of phishing: identity providers should /never/ display their login form