[Server-devel] OpenID - status?

Martin Langhoff martin.langhoff at gmail.com
Tue Jul 10 07:04:49 EDT 2007


On 7/10/07, Ben Laurie <benl at google.com> wrote:
> The blind trust in the relying party is more of a concern to me:
> http://www.links.org/?p=187.

Good point -- that's even easier than hacking the DNS. A bit of a
spoof IDP site and done. And those "shared secrets" between the IDP
and the user can be proxied through to the user as the IDP cannot know
that the user is legitimate. All I've seen so far are phrases and
images -- both look pretty, and useless.

So we have

 - Blind trust in the relying party
 - DNS weaknesses -- fixed by the PKI in HTTPS -- will the laptops
shipped to a school have loaded the school server's PKs? Or trust a
big OLPC-signing-cert-in-the-sky?
 - A comment in your blog mentions MITM attacks against
Diffie-Helmann. I'm not versed enough in the matter to judge the
actual risk here. Google led me to
http://www.itillious.com/insight/articles/maninmiddle.html

cheers,


martin


More information about the Server-devel mailing list