My question was a little different than your response. I understand that Client
Certificates can be used in addition to, but I was asking about documenting
scenarios in blog entries where it could be used instead of. For example, if
the Pharma SAFE
(http://www.cybertrust.com/pr_events/press_rel
On 19 Jan 2007, at 14:19, Ben Laurie wrote:
> Still totally unhappy about the phishing issues, which I blogged
> about here:
>
> http://www.links.org/?p=187
I have a proposal which I think could greatly reduce the risk of
phishing: identity providers should /never/ display their login form
On 19 Jan 2007, at 15:06, Scott Kveton wrote:
> What if the OP cataloged where you just came from and then
> presented the
> screen that you mention? The user is asked to navigate via a
> bookmark or
> entering the URL in the location bar and then upon logging in is
> presented
> with a li
2007/1/22, Ben Laurie <[EMAIL PROTECTED]>:
> Actually, it appears to allow the RP to tell the OP what kind of
> authentication was used, which is backwards.
>
> It also seems to be rather lacking in meat. Still, a step in the right
> direction.
>
I asked this question some time ago: is there any p
On Mon, 22 Jan 2007, Hallam-Baker, Phillip wrote:
> On the contrary, PKI is the basis of the security infrastructure
> that so far has provided the greatest defense against Internet crime - SSL.
>
> Judged by any rational set of standards SSL has been the most
> successful security protocol of all
On Mon, Jan 22, 2007 at 04:53:11PM +,
Ben Laurie <[EMAIL PROTECTED]> wrote
a message of 21 lines which said:
> Why not? The man in the middle sees what you would see, surely?
OK, sorry, I replied too fast. I was replying in the context of a
phishing attempt by a rogue RP redirecting to a p
SSL achieves the original security goals set for it.
SSL does not achieve every security goal, that is not a failure. Certainly
there are no grounds for the claim PKI has failed when it has succeeded in its
original limited goals.
I agree that the original goals were too narrow. That is an argu
So I've been doing some asking around who might be interested in co-
authoring some kind of white paper on the subject of user-centric
identity in/for the enterprise. There are some volunteers with a
variety of view points -- no guarantees that we'll manage to produce
something collaborative
What about a non-normative link from the spec to a place on the wiki
where we can collect security considerations for it, and update those
in real-time as discussions such as the phishing one progress.
___
specs mailing list
specs@openid.net
http:/
On the contrary, PKI is the basis of the security infrastructure that so far
has provided the greatest defense against Internet crime - SSL.
Judged by any rational set of standards SSL has been the most successful
security protocol of all time. The costs of the PKI infrastructure are
negligible
I'd have to agree. I realize I am guilty for the start of this thread
announcing the new spec draft, though am hoping we can move this discussion to
[EMAIL PROTECTED] if that works for people.
--David
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ga
This is getting a little insane - many of us are subscribed to the four
lists that this thread has been posted to.
One person has suggested that we actually consolidate the separate lists
given the overlap in membership and topics (at least the openid lists). The
other option is to be more discip
Client certificates could easily be used to extend openID, and since (last
time I checked) the authentication process was entirely up to the IdP, a
client certificate based IdP should be open to be created.
Most CAs have created a problem because they only allow a user to use their
certs (mostly
On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> On 1/22/07, Josh Hoyt <[EMAIL PROTECTED]> wrote:
> > On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> > > > On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> > > > > OK, the idea is pretty simple. Rather like the "OpenID Authentication
> > >
Hallam-Baker, Phillip
> > > If you change the browser you might as well really
> > > change the browser and use a strong authentication
> > > mechanism based on PKI
Ben Laurie
> > I'm sure you meant to say "based on asymmetric
> > cryptography".
Hallam-Baker, Phillip
> No, any time you have
On 21-Jan-07, at 4:48 PM, James McGovern wrote:
> Several questions after reading the 2.0 spec - draft 11.
>
> 1. The definition of realm if I am reading it correctly could be
> problematic
> in large enterprises. For example, if one were using a web access
> management
> product, they would
On 1/22/07, Josh Hoyt <[EMAIL PROTECTED]> wrote:
> On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> > > On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> > > > OK, the idea is pretty simple. Rather like the "OpenID Authentication
> > > > Security Profiles" you have a profile where the RP state
On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> > On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> > > OK, the idea is pretty simple. Rather like the "OpenID Authentication
> > > Security Profiles" you have a profile where the RP states what kind of
> > > End User/OP authentication is accept
On 1/22/07, Hallam-Baker, Phillip <[EMAIL PROTECTED]> wrote:
>
> > From: Ben Laurie [mailto:[EMAIL PROTECTED]
>
> > > The only way that I can see that you are going to
> > circumvent an attempt using existing browser capabilities is
> > to introduce a malicious login page is through use of some
> >
On 1/22/07, Josh Hoyt <[EMAIL PROTECTED]> wrote:
> Ben,
>
> On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> > OK, the idea is pretty simple. Rather like the "OpenID Authentication
> > Security Profiles" you have a profile where the RP states what kind of
> > End User/OP authentication is accept
Ben,
On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> OK, the idea is pretty simple. Rather like the "OpenID Authentication
> Security Profiles" you have a profile where the RP states what kind of
> End User/OP authentication is acceptable to it. Sites with low/zero
> value attached to the logi
> From: Ben Laurie [mailto:[EMAIL PROTECTED]
> > The only way that I can see that you are going to
> circumvent an attempt using existing browser capabilities is
> to introduce a malicious login page is through use of some
> form of shared secret such as a picture of a cuddly animal
> chosen
Last week I sent a note to the list inquiring whether anyone on this list
wanted to participate in our industry vertical standards body in hopes of
ratifying OpenID as an endorsed horizontal specification. In terms of
preparation, it would be greatly appreciated if Dick Hardt, Johannes Ernst and
On 1/22/07, Stephane Bortzmeyer <[EMAIL PROTECTED]> wrote:
> On Mon, Jan 22, 2007 at 03:36:44PM +,
> Ben Laurie <[EMAIL PROTECTED]> wrote
> a message of 28 lines which said:
>
> > > The only way that I can see that you are going to circumvent an
> > > attempt using existing browser capabiliti
On Mon, Jan 22, 2007 at 03:36:44PM +,
Ben Laurie <[EMAIL PROTECTED]> wrote
a message of 28 lines which said:
> > The only way that I can see that you are going to circumvent an
> > attempt using existing browser capabilities is to introduce a
> > malicious login page is through use of some
On 1/22/07, Hallam-Baker, Phillip <[EMAIL PROTECTED]> wrote:
>
> > [mailto:[EMAIL PROTECTED] On Behalf Of Ben Laurie
>
> > More importantly, I think I have a solution that will make
> > both of us happy, but I now have to go and ride my motorbike
> > fast, so I'll detail it later.
>
> Now there is
> [mailto:[EMAIL PROTECTED] On Behalf Of Ben Laurie
> More importantly, I think I have a solution that will make
> both of us happy, but I now have to go and ride my motorbike
> fast, so I'll detail it later.
Now there is an exit line to tempt the Gods.
The only way that I can see that you
On 1/21/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> On 1/19/07, Dick Hardt <[EMAIL PROTECTED]> wrote:
> >
> > On 19-Jan-07, at 6:19 AM, Ben Laurie wrote:
> >
> > >
> > > Still totally unhappy about the phishing issues, which I blogged
> > > about here:
> > >
> > > http://www.links.org/?p=187
> >
>