RPs are required to make outgoing HTTP connections, and should use a 'paranoid http library' to mitigate the issue you speak of.
On Wed, Jul 23, 2008 at 10:33 AM, Egon Kocjan <
egon@...> wrote:
Hello,
I am new to openid, so forgive me if this will sound obvious. Let's say
I have a web site and I want to support openid, so users of my site will
be able login using their openid url. The trouble I see here is that my
web server will have to connect to random IPs on the internet as a part
of authentication process*, am I right? Is there an authentication mode,
where client's browser does all the outgoing communication?
* why this is a problem:
- I don't want my web server to be used in ddos attacks
- companies that are serious about security usually deny unrestricted
outgoing connections from servers, so it's also a deployment issue
Thanks,
Egon
_______________________________________________
general mailing list
general@...
http://openid.net/mailman/listinfo/general
_______________________________________________
general mailing list
general@...
http://openid.net/mailman/listinfo/general
