incubator-heraldry-dev mailing list archives

From "Ben Laurie" <b...@google.com>
Subject Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
Date Mon, 22 Jan 2007 15:36:44 GMT
On 1/22/07, Hallam-Baker, Phillip <pbaker@verisign.com> wrote:
>
> > [mailto:specs-bounces@openid.net] On Behalf Of Ben Laurie
>
> > More importantly, I think I have a solution that will make
> > both of us happy, but I now have to go and ride my motorbike
> > fast, so I'll detail it later.
>
> Now there is an exit line to tempt the Gods.
>
>
> The only way that I can see that you are going to circumvent an attempt using existing
> browser capabilities is to introduce a malicious login page is through use of some form of
> shared secret such as a picture of a cuddly animal chosen by the user or Secure Letterhead.

How is this kind of shared secret a defence against a MitM?

> Letterhead requires a browser upgrade so it breaks the 'existing capabilities' constraint.
>
> If you change the browser you might as well really change the browser and use a strong
> authentication mechanism based on PKI

I'm sure you meant to say "based on asymmetric cryptography".

> I think we need to take another look at the 'change the browser' case and make sure that
> we can take full advantage if the browser is changed.

Damn straight.
