Re[2]: [dix] Re: Gathering requirements for in-browser OpenID support

Chris Drake <christopher@pobox.com> Thu, 19 October 2006 16:35 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gaarg-0004M0-MW; Thu, 19 Oct 2006 12:35:28 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gaarf-0004Do-AK for dix@ietf.org; Thu, 19 Oct 2006 12:35:27 -0400
Received: from copa.geek.net.au ([203.217.18.13] helo=srve.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GaarZ-0004CR-Je for dix@ietf.org; Thu, 19 Oct 2006 12:35:27 -0400
Received: from BLANK (203-217-18-9.perm.iinet.net.au [203.217.18.9]) by srve.com (8.13.6/8.12.11) with ESMTP id k9JGZFuX005164 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Thu, 19 Oct 2006 16:35:15 GMT
Date: Fri, 20 Oct 2006 02:35:24 +1000
From: Chris Drake <christopher@pobox.com>
X-Priority: 3 (Normal)
Message-ID: <1441909800.20061020023524@pobox.com>
To: Dick Hardt <dick@sxip.com>
Subject: Re[2]: [dix] Re: Gathering requirements for in-browser OpenID support
In-Reply-To: <494BE94B-A5B6-4336-8205-2C5BF6D568C8@sxip.com>
References: <C15BD77C.B18A%scott@janrain.com> <494BE94B-A5B6-4336-8205-2C5BF6D568C8@sxip.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 1.2 (+)
X-Scan-Signature: d8ae4fd88fcaf47c1a71c804d04f413d
Cc: Scott Kveton <scott@janrain.com>, Digital Identity Exchange <dix@ietf.org>, general@openid.net
X-BeenThere: dix@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Digital Identity Exchange <dix@ietf.org>
List-Id: Digital Identity Exchange <dix.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/dix>
List-Post: <mailto:dix@ietf.org>
List-Help: <mailto:dix-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=subscribe>
Errors-To: dix-bounces@ietf.org

Hi Dick,

I disagree - the RP is *responsible* for directing the user to the
IdP;  This is the highest risk point of MITM attack.  OpenID MUST
include something to "enable" a "safe redirect" or browser-chrome
activation or whathaveyou.  Granted - chrome etc shouldn't be in the
spec, but *enabling* it for the future MUST.

Kind Regards,
Chris Drake


Thursday, October 19, 2006, 1:56:05 PM, you wrote:

DH> The MITM attack vector resolution is out of scope of OpenID  
DH> Authentication as it is a ceremony between the user and the IdP. The
DH> user and IdP need to know they are talking directly to each other.

DH> -- Dick

DH> On 18-Oct-06, at 1:07 PM, Scott Kveton wrote:

>>> It is vulnerable to a man in the middle attack - the RP, instead of
>>> redirecting to the IdP redirects to itself or some other site in
>>> cahoots, then proxies the conversation between the user and the IdP
>>> thereby compromising the users (global) credentials as they pass  
>>> through.
>>
>> Right, we've known about this for quite some time unfortunately  
>> there hasn't
>> be a particularly easy solution to it and I classify this as one of
>> those
>> "The Internet Sucks" problems.  I'm not saying we shouldn't/ 
>> couldn't do
>> anything about it I just think the right solution that mixes
>> ease-of-implementation and user need hasn't been found yet.
>>
>>> There really needs to be user-agent support to avoid that - either
>>> something CardSpace like, or browser plugin that only ever presents a
>>> pre-authenticated user.
>>
>> I think we're headed in this direction.  However, we have to crawl
>> before we
>> can walk.  At least solving a big chunk of the use cases, getting some
>> momentum behind the platform and solving a specific problem for users
>> *today* is better than trying to build the perfect tool.  We can  
>> talk and
>> talk on these lists but we really don't know how users are going to
>> use this
>> stuff (or abuse it for that matter) until its out there and working
>> in the
>> wild.
>>
>> I can't emphasize more the fact that with every passing day that we
>> don't
>> have OpenID v2.0 out the door, we're losing momentum from fixing  
>> specific
>> user problems that are solved in the existing specification.
>>
>> - Scott
>>
>> _______________________________________________
>> general mailing list
>> general@openid.net
>> http://openid.net/mailman/listinfo/general
>>
>>

DH> _______________________________________________
DH> general mailing list
DH> general@openid.net
DH> http://openid.net/mailman/listinfo/general




_______________________________________________
dix mailing list
dix@ietf.org
https://www1.ietf.org/mailman/listinfo/dix