A few thoughts

Martin Atkins mart at degeneration.co.uk
Thu Jun 2 03:07:23 PDT 2005

Benjamin Yu wrote:
> 3. Is openid's answer to dns poisoning dns sec? 
> One issue right now is that dns sec is, currently, not
> widely deployed. OpenId makes great assumption with the
> domain names, and it could have wide implications for
> logging into systems that have financial data on the line.

In order to perform a DNS poisoning attack, the attacker would need to 
misdirect both the user-agent and the consumer, since both need to fetch 
items from the same identity server for the transaction to succeed. 
While misdirecting a user-agent wouldn't be too hard, it's less likely 
that a consumer could be fooled, and even less likely that both parties 
could be simultaneously fooled.

Having said all that, I don't think anyone really considers OpenID 
suitable for applications like logging in to your bank. That's the kind 
of problem that full PKI will hopefully solve one day, while OpenID has 
a much more modest set of target problems.

