The MITM attack vector resolution is out of scope of OpenID
Authentication as it is a ceremony between the user and the IdP. The
user and IdP need to know they are talking directly to each other.
-- Dick
On 18-Oct-06, at 1:07 PM, Scott Kveton wrote:
It is vulnerable to a man in the middle attack - the RP, instead of
redirecting to the IdP redirects to itself or some other site in
cahoots, then proxies the conversation between the user and the IdP
thereby compromising the users (global) credentials as they pass
through.
Right, we've known about this for quite some time unfortunately
there hasn't
be a particularly easy solution to it and I classify this as one of
those
"The Internet Sucks" problems. I'm not saying we shouldn't/
couldn't do
anything about it I just think the right solution that mixes
ease-of-implementation and user need hasn't been found yet.
There really needs to be user-agent support to avoid that - either
something CardSpace like, or browser plugin that only ever presents a
pre-authenticated user.
I think we're headed in this direction. However, we have to crawl
before we
can walk. At least solving a big chunk of the use cases, getting some
momentum behind the platform and solving a specific problem for users
*today* is better than trying to build the perfect tool. We can
talk and
talk on these lists but we really don't know how users are going to
use this
stuff (or abuse it for that matter) until its out there and working
in the
wild.
I can't emphasize more the fact that with every passing day that we
don't
have OpenID v2.0 out the door, we're losing momentum from fixing
specific
user problems that are solved in the existing specification.
- Scott
_______________________________________________
general mailing list
[EMAIL PROTECTED]
http://openid.net/mailman/listinfo/general
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
