Who said anything about setting up a fake OP? I'm talking about putting a 
proxy in front of either the RP or the OP (exactly the situation that applies 
when modifying the direct verification).
 
 The proxy has to work only slightly harder, by modifying "associate" 
request/responses (directly between RP and OP) and assertions delivered from 
the OP to the RP by way of the browser.
 
 Please read the security section of the spec again. The protocol relies on DNS 
and the security of the transport. That's it. That's what makes it easy to 
deploy.
 
 Terry
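RP-side verification of a signed assertion with the association's mac_key, added here as an illustration and not code from either poster; the mac_key, assertion values and association handle are constructed placeholders, and the token format follows the OpenID 1.1 key-value form. It shows what an association buys the RP, a local check that rejects an assertion altered on its way through the browser, and what it does not: the check is only as trustworthy as the exchange that produced the mac_key.

```python
import base64
import hashlib
import hmac

# Constructed placeholder for the mac_key the RP received from the OP in
# an "associate" exchange; not a real key.
MAC_KEY = b"constructed-association-secret-for-demo"


def signed_token(fields: dict, signed: list) -> bytes:
    # Key-value form: one "key:value\n" line per signed field, in the
    # order given by openid.signed, keys without the "openid." prefix.
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()


def sign_assertion(fields: dict, mac_key: bytes = MAC_KEY) -> str:
    signed = fields["openid.signed"].split(",")
    mac = hmac.new(mac_key, signed_token(fields, signed), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def verify_assertion(fields: dict, mac_key: bytes = MAC_KEY) -> bool:
    # The RP recomputes the HMAC with its copy of the association key and
    # compares in constant time; no round trip to the OP is needed.
    expected = sign_assertion(fields, mac_key)
    return hmac.compare_digest(expected, fields.get("openid.sig", ""))


# Constructed sample assertion as the OP would deliver it via the browser.
ASSERTION = {
    "openid.mode": "id_res",
    "openid.identity": "http://alice.example.org/",
    "openid.return_to": "https://rp.example.net/finish",
    "openid.assoc_handle": "constructed-handle",
    "openid.signed": "mode,identity,return_to",
}
ASSERTION["openid.sig"] = sign_assertion(ASSERTION)


def tampered_assertion() -> dict:
    # Same message with the identity changed in transit; the signature no
    # longer matches the signed fields, so the RP rejects it.
    changed = dict(ASSERTION)
    changed["openid.identity"] = "http://mallory.example.org/"
    return changed
```

A key the RP obtained over an unprotected channel gives the same code path but no assurance, which is the point both posters are arguing over.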
    
 -----Original Message-----
 From: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Cc: [email protected]
 Sent: Wed, 14 Feb 2007 9:54 AM
 Subject: Re: [security] MITM attacks on OpenID direct verification and association
 
  [EMAIL PROTECTED] wrote:
> In short, associations are useful for reducing the cost of verifying 
> assertions by allowing the verification to be performed by the RP.  
> However they do not add to the resistance to MITM attacks.

So you found it as easy to set up a fake OP as it is to proxy-change
a DV 'no' to 'yes' down-stream?

I bet you didn't. And that complexity difference is the added
resistance.

-Hans
_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
   