[Server-devel] OpenID - status?
ivan at laptop.org
Tue Jul 10 10:32:46 EDT 2007
On Jul 10, 2007, at 9:37 AM, C. Scott Ananian wrote:
> As I understand the BitFrost specification, OpenID is only used to
> extend the local authentication mechanisms (XO-to-school server) to
> the outside world (Google backups, etc).
> The actual authentication of XOs and users is done by us outside
> OpenID. So the DNS weakness and MiM attacks are only valid outside
> our scope.
That's correct. OpenID, in a vacuum, is a fine mechanism. It's the
way people are doing authentication to their OpenID IDPs on the wider
Internet that's problematic and dangerous; we can generally avoid the
issues entirely by authenticating transparently to the school server
in the background.
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | http://radian.org