On 8 Jun 2010, at 21:45, SitG Admin wrote: > Just passing through, between one relay and another: > >> Thought experiment: Would you be satisfied if xauth were baked into >> Chromium (hosted at <http://www.chromium.org>www.chromium.org)? If so, >> would it be sufficient to CNAME <http://xauth.org>xauth.org to >> <http://www.chromium.org>www.chromium.org and serve up JS from there, signed >> with the Chromium.org private key? > > Assume that ALL requests are protected with SSL, so that the contents of > communications cannot be spied upon. An eavesdropper can STILL figure out > when a user is logging in with OpenID (and, with attention to timing, WHICH > sites they are logged in to!) by looking for requests to the IP address of > the central server.
The interesting thing is that with http://esw.w3.org/Foaf+ssl there are only three machines needed, and this could be reduced to 2 (see the diagram on the wiki) 1. The machine hosting the client 2. The service one is logging into 3. The personal profile hosting service At the limit one could place 1 and 3 on the same machine (your cell phone could host your profile) meaning that foaf+ssl need rely on no more machines than the client and the server. Ie: two parties want to talk: only two need to know about it. > > What do we expect them to do in defense of this attack, route all their > communications through random public proxies? Even though foaf+ssl won't solve the most paranoid problems (out of the box) does this help? Henry > -Shade_______________________________________________ > specs mailing list > [email protected] > http://lists.openid.net/mailman/listinfo/openid-specs _______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
