[Server-devel] OpenID - status?

Ben Laurie benl at google.com
Tue Jul 10 07:17:49 EDT 2007


On 7/10/07, Martin Langhoff <martin.langhoff at gmail.com> wrote:
> On 7/10/07, Ben Laurie <benl at google.com> wrote:
> > The blind trust in the relying party is more of a concern to me:
> > http://www.links.org/?p=187.
>
> Good point -- that's even easier than hacking the DNS. A bit of a
> spoof IDP site and done. And those "shared secrets" between the IDP
> and the user can be proxied through to the user as the IDP cannot know
> that the user is legitimate. All I've seen so far are phrases and
> images -- both look pretty, and useless.
>
> So we have
>
>  - Blind trust in the relying party
>  - DNS weaknesses -- fixed by the PKI in HTTPS -- will the laptops
> shipped to a school have loaded the school server's PKs? Or trust a
> big OLPC-signing-cert-in-the-sky?
>  - A comment in your blog mentions MITM attacks against
> Diffie-Helmann. I'm not versed enough in the matter to judge the
> actual risk here. Google led me to
> http://www.itillious.com/insight/articles/maninmiddle.html

So, D-H is trivially MitMable. AFAIK, all known defences are patented, sadly.

>
> cheers,
>
>
> martin
>


More information about the Server-devel mailing list