when I use OpenID on a wireless network in a coffee shop, it's fairly easy for an attacker to interfere with my connection to an HTTP OP,
I'm not too worried about that, I can always just spit out an error message instead of redirecting users.
but it's much harder for that attacker to interfere with the backend communication between the RP and the server that hosts my URI
This is the area where I'm trying to move past "reasonable security" to "maximum security" :)
All the security in the world on an OP doesn't do any good at all if the attacker can get DNS to say "Oh, that URI is actually over here; and the page has new delegation headers, by the way."
(To clarify, I'm fine with URIs that have SSL delegating to OPs that also have SSL, since SSL-all-the-way wouldn't be vulnerable to the same attack here - it's when users insist on an unprotected URI that I'd want to insist upon warning them rather than blithely accepting *and validating* their illusions of security. This does disturb me, though, because of how it generally restricts URIs to personal domains and dedicated IDPs that can afford SSL for pages - I went to a Geocities homepage and went to https, no response.)
-Shade

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
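
An RP-side version of the check this message argues for, as an added example that is not part of the original post: it reads the delegation headers from a fetched identifier page and returns "warn" unless every hop is HTTPS. The function names, the `example` hosts and the `fetched_urls` input are assumptions; the `rel` values are the standard OpenID 1.x and 2.0 HTML discovery names.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# rel values that carry delegation in OpenID 1.x and 2.0 HTML discovery
DELEGATION_RELS = {"openid.server", "openid.delegate",
                   "openid2.provider", "openid2.local_id"}
ENDPOINT_RELS = ("openid.server", "openid2.provider")

class DelegationLinks(HTMLParser):
    """Collect <link rel="openid..." href="..."> delegation headers."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        href = a.get("href")
        # rel may hold several space-separated tokens
        for rel in (a.get("rel") or "").lower().split():
            if rel in DELEGATION_RELS and href:
                self.links[rel] = href

def is_https(url):
    return urlsplit(url).scheme.lower() == "https"

def assess_chain(fetched_urls, html):
    """fetched_urls: every URL fetched while resolving the identifier,
    redirects included (hypothetical input from the RP's HTTP client).
    Returns (verdict, delegation_links, reasons)."""
    parser = DelegationLinks()
    parser.feed(html)
    # Any plaintext hop lets a DNS or network attacker swap the headers.
    reasons = [f"identifier fetched without TLS: {u}"
               for u in fetched_urls if not is_https(u)]
    reasons += [f"{rel} is not https: {href}"
                for rel, href in sorted(parser.links.items())
                if rel in ENDPOINT_RELS and not is_https(href)]
    return ("warn" if reasons else "ok"), parser.links, reasons

# Constructed sample page: identifier delegating to an HTTPS OP.
SAMPLE_PAGE = """<html><head>
<link rel="openid.server" href="https://op.example/server">
<link rel="openid.delegate" href="https://op.example/user/shade">
</head><body>home</body></html>"""

if __name__ == "__main__":
    for chain in (["http://user.example/"], ["https://user.example/"]):
        print(chain, assess_chain(chain, SAMPLE_PAGE)[::2])
```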
