Fwd: Why URL?
wolf_stranger at mail.ru
Fri Aug 19 09:15:03 PDT 2005
Adam Langley wrote:
> On 8/19/05, Alexey Khmara <wolf_stranger at mail.ru> wrote:
>>So, conclusion - if you want to be safe with OpenID - use your own
>>domain as your identity. You may use own or third-party identity server,
>>and it's safe. Please, correct me, if it's wrong.
> It's wrong. Take openid.imperialviolet.org. People trust that server
> when they put a link to it in the <head> of their page. Once they have
> done that the person who controls that server (who happens to be me*)
> can impersonate them.
Yes, I understand this. But with PGP people also must trust the identity
server. But if server is bad, user cannot revoke his key. With OpenID
user can just change one line - and bad server cannot harm anymore.
More information about the yadis