Comments on: An insecurity in OpenID, not many dead http://www.lightbluetouchpaper.org/2008/08/09/an-insecurity-in-openid-not-many-dead/ Security Research, Computer Laboratory, University of Cambridge Fri, 10 Feb 2012 17:31:40 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Robin Wilton http://www.lightbluetouchpaper.org/2008/08/09/an-insecurity-in-openid-not-many-dead/comment-page-1/#comment-30015 Robin Wilton Thu, 30 Oct 2008 19:02:09 +0000 http://www.lightbluetouchpaper.org/?p=352#comment-30015 @Tim - I'm sure he has... if only I were as funny ;^) @Richard - it's a bit harsh to suggest that people "shouldn't trust Sun"; don't you mean that they shouldn't trust authentication assertions from Sun's OpenID Provider? (And if the latter.... does that actually change the OpenID trust model...?) @Tim – I’m sure he has… if only I were as funny ;^)

@Richard – it’s a bit harsh to suggest that people “shouldn’t trust Sun”; don’t you mean that they shouldn’t trust authentication assertions from Sun’s OpenID Provider? (And if the latter…. does that actually change the OpenID trust model…?)

]]> By: Tim http://www.lightbluetouchpaper.org/2008/08/09/an-insecurity-in-openid-not-many-dead/comment-page-1/#comment-29726 Tim Thu, 14 Aug 2008 15:35:54 +0000 http://www.lightbluetouchpaper.org/?p=352#comment-29726 I giggled at the penultimate paragraph. I thought Robin Williams had something funny to say about certificates. I giggled at the penultimate paragraph. I thought Robin Williams had something funny to say about certificates.

]]> By: Eduardo Diaz http://www.lightbluetouchpaper.org/2008/08/09/an-insecurity-in-openid-not-many-dead/comment-page-1/#comment-29724 Eduardo Diaz Wed, 13 Aug 2008 22:18:42 +0000 http://www.lightbluetouchpaper.org/?p=352#comment-29724 not very funny, because that small earthquake in Chile caused 30.000 death, Chillán, january 24, 1939... not very funny, because that small earthquake in Chile caused 30.000 death, Chillán, january 24, 1939…

]]> By: oregonnerd http://www.lightbluetouchpaper.org/2008/08/09/an-insecurity-in-openid-not-many-dead/comment-page-1/#comment-29721 oregonnerd Wed, 13 Aug 2008 06:50:47 +0000 http://www.lightbluetouchpaper.org/?p=352#comment-29721 Yeah. I was skeptical to start. I'm either intrinsically paranoid, I assume that planning will always work as poorly as possible (a linear model in a curvilinear environment has interesting implications, and I don't believe in bivalue logic), or I think most people are stupid. Then again, I used a three-value statement behind a two-value intro. --Glenn --Blog is on WordPress which appears to be down. I hope I didn't get spoofed somehow. Yeah. I was skeptical to start. I’m either intrinsically paranoid, I assume that planning will always work as poorly as possible (a linear model in a curvilinear environment has interesting implications, and I don’t believe in bivalue logic), or I think most people are stupid. Then again, I used a three-value statement behind a two-value intro.
–Glenn
–Blog is on WordPress which appears to be down. I hope I didn’t get spoofed somehow.

]]> By: Richard Clayton http://www.lightbluetouchpaper.org/2008/08/09/an-insecurity-in-openid-not-many-dead/comment-page-1/#comment-29712 Richard Clayton Sat, 09 Aug 2008 15:32:43 +0000 http://www.lightbluetouchpaper.org/?p=352#comment-29712 @Paul You're right that the attack wasn't preventable: OpenID relies on certificate integrity and this failed. However, without universal use of CRLs you can't stop people continuing to rely on the certs until they expire -- and CRLs are not widely enough used. @Bernard Credentica does have a blacklisting scheme that doesn't depend on CRLs. But I would not have characterised this as the main justification for (or feature of) the technology! @Paul You’re right that the attack wasn’t preventable: OpenID relies on certificate integrity and this failed. However, without universal use of CRLs you can’t stop people continuing to rely on the certs until they expire — and CRLs are not widely enough used.

@Bernard Credentica does have a blacklisting scheme that doesn’t depend on CRLs. But I would not have characterised this as the main justification for (or feature of) the technology!

]]> By: bernard lunn http://www.lightbluetouchpaper.org/2008/08/09/an-insecurity-in-openid-not-many-dead/comment-page-1/#comment-29711 bernard lunn Sat, 09 Aug 2008 12:09:15 +0000 http://www.lightbluetouchpaper.org/?p=352#comment-29711 is this the problem that Credentica aims to solve? is this the problem that Credentica aims to solve?

]]> By: Paul Crowley http://www.lightbluetouchpaper.org/2008/08/09/an-insecurity-in-openid-not-many-dead/comment-page-1/#comment-29710 Paul Crowley Sat, 09 Aug 2008 11:11:14 +0000 http://www.lightbluetouchpaper.org/?p=352#comment-29710 I'm not sure there's anything we could or should have done in OpenID that would have prevented such an attack. The two mechanisms that OpenID uses to verify the identity of a provider (connecting to it in the first place and, optionally, SSL) have been defeated in two separate attacks; what else could we have stood on? I’m not sure there’s anything we could or should have done in OpenID that would have prevented such an attack. The two mechanisms that OpenID uses to verify the identity of a provider (connecting to it in the first place and, optionally, SSL) have been defeated in two separate attacks; what else could we have stood on?

]]>