Is the final domain of the IP (what would an "OP" be?) something that is exposed by your libraries? I ask because it's quite possible that a user has a delegate set up at their address to point to an IP that I've whitelisted, but that can't be determined until some redirections were followed.
On 2/20/07, Josh Hoyt <[EMAIL PROTECTED]> wrote:
> On 2/20/07, Phil Kulak <[EMAIL PROTECTED]> wrote:
> > Whitelisting would be an option, but I'm not sure I like it. The most
> > secure identity provider can be the one hosted on your own box, so it
> > seems a little odd that those are the ones I wouldn't allow. Do you
> > mean that I could set up some kind of click-through and have it show
> > up only if the user's IP is not on the whitelist? That could be an
> > option.
>
> I was suggesting that you whitelist OpenID providers, and show the
> click-through if the user has an OP that is not on the whitelist,
> since you don't know anything about that provider.
>
> It won't be very common that an OP can be hosted on a person's own
> computer, since an OP needs to be reachable by the relying party (for
> association or check_authentication) and most people's computers are
> behind a firewall or at least don't have static IPs.
>
> Josh

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
