Fwd: Why URL?

Adam Langley alangley at gmail.com
Fri Aug 19 02:21:44 PDT 2005

On 8/19/05, Alexey Khmara <wolf_stranger at mail.ru> wrote:
> So, conclusion - if you want to be safe with OpenID - use your own
> domain as your identity. You may use your own or a third-party identity
> server, and it's safe. Please correct me if it's wrong.

It's wrong. Take openid.imperialviolet.org. People trust that server
when they put a link to it in the <head> of their page. Once they have
done that the person who controls that server (who happens to be me*)
can impersonate them.

Of course they can change their page to another identity server
(revoke the trust) but while you are using an identity server you are
trusting it not to be bad.

(* don't worry peeps - you are all far too boring to be worth my time
to do anything like that ;)


Adam Langley                                      agl at imperialviolet.org
http://www.imperialviolet.org                       (+44) (0)7906 332512
PGP: 9113   256A   CC0F   71A6   4C84   5087   CDA5   52DF   2CB6   3D60
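
The trust relationship described in this message can be audited from the identity page itself. The following is an added example, not part of the original message: it parses a page's <head> for OpenID 1.x `openid.server` links and reports which identity servers the page trusts and whether each is on a different host than the identity URL. The URLs, the sample page and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class HeadLinkParser(HTMLParser):
    """Collect (rel, href) pairs from <link> elements inside <head> only."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            # rel may hold several space-separated tokens
            for rel in (a.get("rel") or "").lower().split():
                if a.get("href"):
                    self.links.append((rel, a["href"]))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def trusted_identity_servers(identity_url, html):
    """Return [(server_url, is_third_party)] for each openid.server link.

    Every server listed can assert this identity to a consumer, so each
    entry is a party the page owner is trusting not to impersonate them.
    """
    parser = HeadLinkParser()
    parser.feed(html)
    own_host = (urlsplit(identity_url).hostname or "").lower()
    found = []
    for rel, href in parser.links:
        if rel == "openid.server":
            host = (urlsplit(href).hostname or "").lower()
            found.append((href, host != own_host))
    return found


# Constructed sample: an identity page on one host trusting a server on another.
SAMPLE_PAGE = """<html><head><title>Home page</title>
<link rel="openid.server" href="https://idp.example.net/server">
</head><body>
<link rel="openid.server" href="https://ignored.example.org/">
</body></html>"""
```

A result with `is_third_party` set to true means the identity is only as safe as that server's operator; removing or changing the link is what revokes the trust.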
