[Server-devel] OpenID - status?

Ivan Krstić ivan at laptop.org
Tue Jul 10 10:32:46 EDT 2007

On Jul 10, 2007, at 9:37 AM, C. Scott Ananian wrote:
> As I understand the BitFrost specification, OpenID is only used to
> extend the local authentication mechanisms (XO-to-school server) to
> the outside world (Google backups, etc).
> The actual authentication of XOs and users is done by us outside
> OpenID.  So the DNS weakness and MiM attacks are only valid outside
> our scope.

That's correct. OpenID, in a vacuum, is a fine mechanism. It's the
way people are doing authentication to their OpenID IDPs on the wider
Internet that's problematic and dangerous; we can generally avoid the
issues entirely by authenticating transparently to the school server
in the background.

Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | http://radian.org

