Re[2]: [dix] Re: Gathering requirements for in-browser OpenID support
Chris Drake <christopher@pobox.com> Thu, 19 October 2006 16:35 UTC
Date: Fri, 20 Oct 2006 02:35:24 +1000
From: Chris Drake <christopher@pobox.com>
Message-ID: <1441909800.20061020023524@pobox.com>
To: Dick Hardt <dick@sxip.com>
Subject: Re[2]: [dix] Re: Gathering requirements for in-browser OpenID support
In-Reply-To: <494BE94B-A5B6-4336-8205-2C5BF6D568C8@sxip.com>
References: <C15BD77C.B18A%scott@janrain.com> <494BE94B-A5B6-4336-8205-2C5BF6D568C8@sxip.com>
Cc: Scott Kveton <scott@janrain.com>, Digital Identity Exchange <dix@ietf.org>, general@openid.net
Hi Dick,

I disagree - the RP is *responsible* for directing the user to the IdP; this is the highest risk point of MITM attack. OpenID MUST include something to "enable" a "safe redirect" or browser-chrome activation or what have you. Granted - chrome etc. shouldn't be in the spec, but *enabling* it for the future MUST.

Kind Regards,
Chris Drake

Thursday, October 19, 2006, 1:56:05 PM, you wrote:

DH> The MITM attack vector resolution is out of scope of OpenID
DH> Authentication as it is a ceremony between the user and the IdP. The
DH> user and IdP need to know they are talking directly to each other.

DH> -- Dick

DH> On 18-Oct-06, at 1:07 PM, Scott Kveton wrote:

>>> It is vulnerable to a man in the middle attack - the RP, instead of
>>> redirecting to the IdP, redirects to itself or some other site in
>>> cahoots, then proxies the conversation between the user and the IdP,
>>> thereby compromising the users' (global) credentials as they pass
>>> through.
>>
>> Right, we've known about this for quite some time; unfortunately there
>> hasn't been a particularly easy solution to it, and I classify this as
>> one of those "The Internet Sucks" problems. I'm not saying we
>> shouldn't/couldn't do anything about it; I just think the right
>> solution that mixes ease-of-implementation and user need hasn't been
>> found yet.
>>
>>> There really needs to be user-agent support to avoid that - either
>>> something CardSpace like, or a browser plugin that only ever presents a
>>> pre-authenticated user.
>>
>> I think we're headed in this direction. However, we have to crawl
>> before we can walk. At least solving a big chunk of the use cases,
>> getting some momentum behind the platform and solving a specific
>> problem for users *today* is better than trying to build the perfect
>> tool. We can talk and talk on these lists, but we really don't know how
>> users are going to use this stuff (or abuse it for that matter) until
>> it's out there and working in the wild.
>>
>> I can't emphasize more the fact that with every passing day that we
>> don't have OpenID v2.0 out the door, we're losing momentum from fixing
>> specific user problems that are solved in the existing specification.
>>
>> - Scott
>>
>> _______________________________________________
>> general mailing list
>> general@openid.net
>> http://openid.net/mailman/listinfo/general

_______________________________________________
dix mailing list
dix@ietf.org
https://www1.ietf.org/mailman/listinfo/dix
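The thread's point is that the RP chooses where the browser goes, so the only party that can tell a genuine IdP redirect from a proxying or look-alike one is the user agent, using knowledge it got from the user rather than from the RP. The following is an added example, not code from any of the posters or from the OpenID specification, of the "safe redirect" check a browser-side component could apply before following an RP-issued OpenID authentication request. The names (`TRUSTED_IDP_ORIGINS`, `classify_redirect`, `audit`), the sample URLs and the example.net/example.com hosts are constructed for illustration; the trust store is assumed to be filled by the user enrolling with an IdP in the browser, never from anything the RP sends.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical per-user trust store kept by the user agent: origins of the
# identity providers the user has enrolled with through a browser-side setup
# step.  It must never be populated from an RP-supplied URL, because the RP
# is exactly the party this check does not trust.  Constructed sample data.
TRUSTED_IDP_ORIGINS = {"https://idp.example.net"}

# The two OpenID request modes that lead to a credential prompt at the IdP.
OPENID_AUTH_MODES = ("checkid_setup", "checkid_immediate")


def origin_of(url):
    """Return scheme://host[:port] for an absolute http(s) URL, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    host = parts.hostname.lower()
    default = 443 if parts.scheme == "https" else 80
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def classify_redirect(redirect_url, trusted=TRUSTED_IDP_ORIGINS):
    """Decide whether to follow a redirect the RP handed to the browser.

    Returns (verdict, reason) where verdict is one of:
      "pass"  - not an OpenID authentication request; no credential prompt expected
      "allow" - an authentication request going directly to an enrolled IdP over https
      "block" - an authentication request aimed anywhere else (proxying RP,
                look-alike host, plaintext), i.e. the MITM shape the thread describes
    """
    parts = urlsplit(redirect_url)
    mode = parse_qs(parts.query).get("openid.mode", [None])[0]
    if mode not in OPENID_AUTH_MODES:
        return ("pass", "not an OpenID authentication request")
    origin = origin_of(redirect_url)
    if origin is None:
        return ("block", "unparseable or non-http(s) target")
    if parts.scheme != "https":
        return ("block", f"authentication request to {origin} is not over https")
    if origin not in trusted:
        return ("block", f"{origin} is not an identity provider the user enrolled with")
    return ("allow", f"authentication request goes directly to enrolled IdP {origin}")


# Constructed sample redirects an RP might issue.  Only the first has the
# legitimate shape; the others stand in for an RP proxying the IdP itself,
# a look-alike host in cahoots with it, and a downgrade to plaintext.
SAMPLE_REDIRECTS = [
    "https://idp.example.net/server?openid.mode=checkid_setup"
    "&openid.identity=https://alice.example.org/"
    "&openid.return_to=https://rp.example.com/finish",
    "https://rp.example.com/idp-proxy?openid.mode=checkid_setup"
    "&openid.identity=https://alice.example.org/",
    "https://idp.example.net.login-help.example/server?openid.mode=checkid_setup",
    "http://idp.example.net/server?openid.mode=checkid_immediate",
    "https://rp.example.com/about",
]


def audit(redirects=SAMPLE_REDIRECTS, trusted=TRUSTED_IDP_ORIGINS):
    """Return the verdict for each redirect, in order."""
    return [classify_redirect(url, trusted)[0] for url in redirects]


if __name__ == "__main__":
    for url in SAMPLE_REDIRECTS:
        verdict, reason = classify_redirect(url)
        print(f"{verdict:5}  {url}\n       {reason}")
```

The decisive design choice is where the comparison value comes from: a user agent that derived the "expected" IdP from the RP's own redirect would have nothing independent to compare against, which is why the posters place the fix in the user agent (plugin or chrome) rather than in the RP-to-IdP redirect the spec defines. The check also does not inspect `openid.return_to`; that value is the RP's concern on the way back, not the user's on the way out.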