Compare message passing diagrams and you'll realize it's just a
semantic difference.
I've been rethinking this, yes. Users still don't have a presence in
the chain; this is just cutting out middlemen. Tossing in more
middlemen to make up for leaving out an endpoint is a decent stop-gap
measure, but doesn't substitute in the long run (and for solid
mechanisms).
It's nice "when people follow the rules": grand, but useless to
protect against malicious OPs.
Are you describing a security vulnerability? What rules must be
violated for malicious OPs to cause damage?
They pretend to be the user: only the SSL endpoint (at your OP) needs
to be cached, so it can suddenly switch to giving out a *new* profile
URL, one which *does* point back at the OP, and masquerade as you.
(RPs should be paying attention to the HTTP data, as well, if there
is any; not using it for authentication, sure, but if they look and
it doesn't report the same OP anymore, maybe the user has changed
their mind for some reason?)
Yes, and it damn well should. Self-signed certificates provide no
form of authentication, just encryption. OpenID doesn't need the
encryption, it needs the authentication.
Encryption is handled in-band by OAuth; got that. It's the mandatory
"identifiers over SSL", combined with browsers that warn users "don't
do this", that I'm commenting on here. It's not a stop sign, just a
warning, though - if we make it mandatory *in the spec* for users to
receive those warnings, we have to be careful that we're not relying
on being able to convince users to *ignore* those warnings (almost
certainly a bad idea, since anything we can try that *works* would
then be used by a less benevolent crowd).
But until we have some other form of authn PKI to bootstrap from,
you will eat X509 certs with a verifiable chain of authority to a
known trust root and you will like it. Just like the rest of us.
I removed all my nssckbi.dll modules from all my Portable Firefox
instances over a month ago; Web of Trust helps too, as does checking
a site's cert through multiple Tor exit nodes located around the
world (MitM *that*), and none of this is even *new*:
https://blog.torproject.org/blog/life-without-ca
What's *old* is checking the certs (and their chains, to the "trusted
roots", *manually*) . . . I used to be *so* inefficient when it came
to this ;D
-Shade
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
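Two of the checks argued over above, as an added example that is not code from the thread, the OpenID spec or any listed project: an RP re-running discovery on the claimed identifier and refusing an assertion whose op_endpoint no longer matches what discovery returns (the "does it still report the same OP?" check, which OpenID 2.0 lists under verifying discovered information), and comparing one host's certificate fingerprint as seen from several vantage points to flag the path that sees a different certificate (the "check it through multiple exit nodes" idea). The hostnames, page contents, assertion fields and the byte strings standing in for DER certificates are all constructed for this example; there is no network access. One caveat worth keeping in mind: re-discovery only helps when the page at the claimed identifier is not itself served by the OP being distrusted, which is exactly the "users have no presence in the chain" point made earlier.

```python
"""Added example: RP-side re-discovery check and multi-vantage-point
certificate fingerprint comparison, on constructed data only."""
import hashlib
from collections import Counter
from html.parser import HTMLParser


class _LinkDiscovery(HTMLParser):
    """Collects the first openid2.provider / openid2.local_id <link> tags."""

    def __init__(self):
        super().__init__()
        self.provider = None
        self.local_id = None

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()  # rel may carry several tokens
        if "openid2.provider" in rels and self.provider is None:
            self.provider = a.get("href")
        if "openid2.local_id" in rels and self.local_id is None:
            self.local_id = a.get("href")


def discover(html):
    """HTML-based discovery: return (op_endpoint, local_id); None if absent."""
    p = _LinkDiscovery()
    p.feed(html)
    return p.provider, p.local_id


# Constructed profile page keyed by claimed identifier; stands in for an
# HTTPS fetch of the user's identifier URL.
PAGES = {
    "https://alice.example/": (
        '<html><head>'
        '<link rel="openid2.provider" href="https://op-a.example/endpoint">'
        '</head></html>'
    ),
}


def fetch(url):
    return PAGES[url]


def verify_assertion(assertion, fetch_page):
    """Re-discover the claimed identifier and compare it with the assertion.

    Signature checking (association or check_authentication) is assumed to
    happen elsewhere; this only answers "does discovery still name the OP
    that is asserting?"  Returns (ok, reason).
    """
    claimed = assertion["openid.claimed_id"]
    provider, local_id = discover(fetch_page(claimed))
    if provider is None:
        return False, "no openid2.provider link on %s" % claimed
    if provider != assertion["openid.op_endpoint"]:
        return False, "discovered OP %s != asserted OP %s" % (
            provider, assertion["openid.op_endpoint"])
    expected_identity = local_id or claimed
    if expected_identity != assertion["openid.identity"]:
        return False, "identity %s != expected %s" % (
            assertion["openid.identity"], expected_identity)
    return True, "ok"


# Constructed positive-response fields (abridged; a real one also carries
# openid.sig, openid.signed, nonce, and so on).
GOOD_ASSERTION = {
    "openid.claimed_id": "https://alice.example/",
    "openid.identity": "https://alice.example/",
    "openid.op_endpoint": "https://op-a.example/endpoint",
}
# Same claimed_id, "asserted" by an OP that discovery does not name.
SPOOFED_ASSERTION = {**GOOD_ASSERTION,
                     "openid.op_endpoint": "https://op-evil.example/endpoint"}


def cert_fingerprint(der):
    """SHA-256 over the DER-encoded certificate, the usual pin format."""
    return hashlib.sha256(der).hexdigest()


def vantage_point_consensus(observations):
    """observations: {vantage_point_name: der_bytes} for one host:port.

    Returns (majority_fingerprint, [outlier vantage points]).  One
    disagreeing path suggests localized interception (or a CDN handing out
    different certs); agreement everywhere is not proof of authenticity,
    only evidence that no single path was treated differently.
    """
    fps = {name: cert_fingerprint(der) for name, der in observations.items()}
    majority, _ = Counter(fps.values()).most_common(1)[0]
    outliers = sorted(name for name, fp in fps.items() if fp != majority)
    return majority, outliers


# Constructed stand-ins for DER bytes as seen from several exit nodes.
OBSERVATIONS = {
    "exit-us": b"cert-for-op-a.example-serial-0001",
    "exit-jp": b"cert-for-op-a.example-serial-0001",
    "exit-br": b"cert-for-op-a.example-serial-0001",
    "exit-de": b"cert-for-op-a.example-serial-9999",  # only this path differs
}

if __name__ == "__main__":
    print(verify_assertion(GOOD_ASSERTION, fetch))
    print(verify_assertion(SPOOFED_ASSERTION, fetch))
    print(vantage_point_consensus(OBSERVATIONS))
```

Run as a script it prints an accepted assertion, the rejected one with the reason naming both OPs, and the exit node whose observed certificate disagrees with the rest. Replace `fetch` with a real HTTPS fetch (with chain validation enabled) and `OBSERVATIONS` with the DER bytes returned by `ssl.SSLSocket.getpeercert(binary_form=True)` over each path to use it for real.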