Fwd: Why URL?
alangley at gmail.com
Fri Aug 19 02:21:44 PDT 2005
On 8/19/05, Alexey Khmara <wolf_stranger at mail.ru> wrote:
> So, conclusion - if you want to be safe with OpenID - use your own
> domain as your identity. You may use own or third-party identity server,
> and it's safe. Please, correct me, if it's wrong.
It's wrong. Take openid.imperialviolet.org. People trust that server
when they put a link to it in the <head> of their page. Once they have
done that the person who controls that server (who happens to be me*)
can impersonate them.
Of course they can change their page to another identity server
(revoke the trust) but while you are using an identity server you are
trusting it not to be bad.
(* don't worry peeps - you are all far too boring to be worth my time
to do anything like that ;)
Adam Langley agl at imperialviolet.org
http://www.imperialviolet.org (+44) (0)7906 332512
PGP: 9113 256A CC0F 71A6 4C84 5087 CDA5 52DF 2CB6 3D60
More information about the yadis