This discussion also assumes that it is not possible to serve signed
discovery documents.

If OpenID decides to support the new discovery mechanisms proposed by
the XRI TC, the path to obtaining a discovery document is irrelevant,

I hadn't been aware it was in the spec (or libraries) yet.

what is relevant is the RP security posture. RPs could:

1. Only accept delegation and signin through secured discovery (which
here means that the recovered discovery documents are signed with
authoritative keys).
2. Accept both types of delegation, but assign to different URLs
different security profiles (depending on how the authentication takes
place) and prevent security level downgrades.

I've thought about giving accounts a user-configurable option for "don't use non-SSL auth for me". An alternative is withholding information from non-SSL authenticated logins, but that isn't much of an alternative because I also want to conceal from attackers exactly what files are on a user's ACL.

SSL infrastructure.  The security is probably also better, because
AFAIK web server defacements are more frequent events than private key
compromises.

So very true! More common than DNS hacks, even :)

-Shade
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
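The RP security postures sketched in the quoted message (accept only signed discovery, or accept both but assign each identifier a security level and refuse downgrades) together with the per-account "don't use non-SSL auth for me" option can be expressed as a small policy check. The following is an added example, not code from the thread or from any OpenID library; the level names, the `classify` rule, the account store and the `decide` API are all assumptions made for illustration.

```python
"""Added example: an RP-side policy that assigns a security level to the way an
OpenID assertion was obtained and refuses per-identifier downgrades.
Level names, the account store and the decision API are illustrative assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Optional


class AuthLevel(IntEnum):
    # Ordered: a higher value means stronger assurance about which OP is authoritative.
    PLAIN_HTTP = 1        # discovery document fetched over unauthenticated HTTP
    SSL = 2               # discovery document fetched over SSL from the identifier's host
    SIGNED_DISCOVERY = 3  # discovery document signed with an authoritative key


def classify(discovery_url: str, signature_verified: bool) -> AuthLevel:
    """Map how discovery was performed onto a level (assumed rule, not from any spec)."""
    if signature_verified:
        return AuthLevel.SIGNED_DISCOVERY
    if discovery_url.lower().startswith("https://"):
        return AuthLevel.SSL
    return AuthLevel.PLAIN_HTTP


@dataclass
class Account:
    identifier: str
    require_ssl: bool = False                 # the user-configurable "no non-SSL auth" option
    highest_seen: Optional[AuthLevel] = None  # strongest level this identifier ever used here


@dataclass
class RpPolicy:
    # accept_unsigned=False is the thread's option 1 (signed discovery only);
    # accept_unsigned=True is option 2 (accept both, but never downgrade).
    accept_unsigned: bool = True
    accounts: Dict[str, Account] = field(default_factory=dict)

    def decide(self, identifier: str, level: AuthLevel) -> bool:
        """Return True if a login for `identifier` at `level` may proceed.

        On success the identifier's recorded level ratchets upward; a later
        attempt at a lower level is a downgrade and is refused.
        """
        acct = self.accounts.setdefault(identifier, Account(identifier))
        if not self.accept_unsigned and level < AuthLevel.SIGNED_DISCOVERY:
            return False
        if acct.require_ssl and level < AuthLevel.SSL:
            return False
        if acct.highest_seen is not None and level < acct.highest_seen:
            return False  # downgrade attempt: previously authenticated more strongly
        acct.highest_seen = level if acct.highest_seen is None else max(acct.highest_seen, level)
        return True


if __name__ == "__main__":
    # Constructed sample run: identifier URLs are made up for this example.
    policy = RpPolicy()
    ident = "http://alice.example/"
    print(policy.decide(ident, classify("https://alice.example/", False)))   # SSL accepted
    print(policy.decide(ident, classify("http://alice.example/", False)))    # downgrade refused
```

The ratchet only moves on a successful login, so one accidental plain-HTTP attempt never lowers the bar; a user who wants the stricter behaviour from the first login sets `require_ssl` instead of relying on history.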