On Fri, Aug 8, 2008 at 12:44 PM, Eddy Nigg (StartCom Ltd.) <eddy_nigg@xxxxxxxxxxxx> wrote: > This affects any web site and service provider of various natures. It's not > exclusive for OpenID nor for any other protocol / standard / service! It may > affect an OpenID provider if it uses a compromised key in combination with > unpatched DNS servers. I don't understand why OpenID is singled out, since > it can potentially affect any web site including Google's various services > (if Google would have used Debian systems to create their private keys). OpenID is "singled out" because I am not talking about a potential problem but an actual problem. We have spotted other actual problems in other services. Details will be forthcoming at appropriate times.
