Likewise, the protocol can be defined as weak where someone may
apply additive security on top of it. Kinda like doing SMTP over TLS
and/or S/MIME.
Is that what Ben Laurie meant in the footnote?
http://openid.net/pipermail/security/2008-August/000404.html
A given implementation of OpenID *might* contain DNS-level security,
MultiAuth, good CRLs, etcetera; but because the spec doesn't
*demand* it, obviously it's the *OpenID* protocol that is weak.
Obviously. It's no one's fault that *DNS* isn't secure; it's only the
fault of anyone that tries to *use* DNS for any secure purposes.
</sarcasm>
-Shade