Hi,

> > - when things are moving off-topic, please change the subject
>
> I was not talking about single sign-on, [...]

But not about the original topic either - how hair-splitting.

> Read http://en.wikipedia.org/wiki/OpenID#Security_and_phishing . Please read
> references too. You ask for information, so read and understand all of them.
>
> That is because a private and encrypted communication channel (VPN) is the
> best to avoid these issues.
>
> With the VPN you avoid man-in-the-middle attacks. There are a lot of attack
> paths, the basic one being based on the DNS service weakness. I hope I do not
> have to explain all the security knowledge involved because it is a lot to
> write.

The Wikipedia page mentions _phishing_ "man-in-the-middle" as an issue but says
nothing about traditional/network man-in-the-middle attacks. I don't think a VPN
helps in this case?

> Do you know any bank which offers OpenID as authentication mechanism? Realize
> a good analysis please.

BNP Paribas considers birth date as confidential information for their
"3D secure" system - they are not the best examples.
http://www.ecommerce404.fr/2008/09/3d-secure-et-les-differentes-banques/

They are, too, vulnerable to phishing - but who isn't?

--
Sylvain
