A few thoughts
mart at degeneration.co.uk
Thu Jun 2 03:07:23 PDT 2005
Benjamin Yu wrote:
> 3. Is openid's answer to dns poisoning dns sec?
> One issue right now is that dns sec is, currently, not
> widely deployed. OpenId makes a great assumption with the
> domain names, and it could have wide implications for
> logging into systems that have financial data on the line.
In order to perform a DNS poisoning attack, the attacker would need to
misdirect both the user-agent and the consumer, since both need to fetch
items from the same identity server for the transaction to succeed.
While misdirecting a user-agent wouldn't be too hard, it's less likely
that a consumer could be fooled, and even less likely that both parties
could be simultaneously fooled.
Having said all that, I don't think anyone really considers OpenID
suitable for applications like logging in to your bank. That's the kind
of problem that full PKI will hopefully solve one day, while OpenID has
a much more modest set of target problems.
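A toy model of the argument above, added here and not part of the original thread: each party resolves the identity server through its own DNS view, the consumer associates with the server it reaches (an OpenID 1.x style shared MAC key) and then verifies the signed assertion the user-agent brings back. The hostname, the single-key association and the omission of the identity-page fetch are simplifying assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_HOST = "id.example"   # constructed hostname of the identity server


def sign(key, identity, assoc_handle):
    # HMAC-SHA1 over the fields the consumer will check (simplified message format).
    msg = f"{identity}|{assoc_handle}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()


class IdentityServer:
    """Simplified model of an OpenID 1.x identity server (assumption: associations only)."""

    def __init__(self, name):
        self.name = name
        self.mac_keys = {}   # assoc_handle -> shared MAC key

    def associate(self):
        # The consumer establishes an association: a handle plus a shared secret.
        handle = f"{self.name}-{secrets.token_hex(4)}"
        self.mac_keys[handle] = secrets.token_bytes(20)
        return handle, self.mac_keys[handle]

    def checkid(self, identity, assoc_handle):
        # The user-agent is redirected here and the server signs the assertion.
        # A server that never issued this handle (an impostor reached through a
        # poisoned lookup) holds no shared key, so it can only sign with a key
        # the consumer does not have.
        key = self.mac_keys.get(assoc_handle) or secrets.token_bytes(20)
        return {"identity": identity, "assoc_handle": assoc_handle,
                "sig": sign(key, identity, assoc_handle)}


def login(consumer_dns, user_agent_dns, identity="http://alice.example/"):
    """One login attempt; each party resolves SERVER_HOST through its own DNS view."""
    handle, key = consumer_dns[SERVER_HOST].associate()                # consumer's view
    assertion = user_agent_dns[SERVER_HOST].checkid(identity, handle)  # user-agent's view
    expected = sign(key, assertion["identity"], assertion["assoc_handle"])
    return hmac.compare_digest(expected, assertion["sig"])


def scenarios():
    genuine, impostor = IdentityServer("genuine"), IdentityServer("impostor")
    honest = {SERVER_HOST: genuine}      # correct DNS answer
    poisoned = {SERVER_HOST: impostor}   # poisoned DNS answer
    return {"nobody misdirected": login(honest, honest),
            "user-agent only": login(honest, poisoned),
            "consumer only": login(poisoned, honest),
            "both misdirected": login(poisoned, poisoned)}
```

Only the case where both views are poisoned is accepted; a mismatch between the server the consumer associated with and the server the user-agent was sent to leaves the signature unverifiable.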