DNS spoofing and poisoning..
mark at nullcraft.org
Sat May 21 14:40:47 PDT 2005
Brad Fitzpatrick wrote:
>The point of OpenID is to be dead simple, short-comings and all, so it's
>actually adopted. Things like comment-signing, priviledge passing, etc.,
>can all be added on later atop the authentication phase, decided between
>parties that support it, later formalized as some sort of defacto
>extension. (to this defacto "spec") For instance, we'll probably ask
>sites like Flickr that post to LJ by taking LJ user's passwords to give us
>their RSA public key in the auth request, and ask for "atom-post"
>privileges, and we'll encrypt and send back a priviledge token then can
>use for one time or some short period of time to only post to LJ. And
>that's all not part of OpenID... but something we'll layer on later, and
>make available to anybody who wants to use it.
To this point, once the basic OpenId spec is solidified, the doors do
open up quite a bit for adding extentions. I've pondered many of them
already. I suppose it would only complicate matters to be considering
them at this point, though. It would be nice to address the needs of
facilitating such privilege/service exchanges. I am happy, however,
that you're already thinking about "atom-post" privileges and public key
More information about the yadis