IETF Logo Mail Archive

Re: Re[2]: [dix] Re: Gathering requirements for in-browser OpenID support

Dick Hardt <dick@sxip.com> Thu, 19 October 2006 16:54 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GabAP-000829-8y; Thu, 19 Oct 2006 12:54:49 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gab7p-0001sI-AB for dix@ietf.org; Thu, 19 Oct 2006 12:52:09 -0400
Received: from marlin.sxip.com ([199.60.48.20] helo=mail1.sxip.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Gaazj-0006Om-Tr for dix@ietf.org; Thu, 19 Oct 2006 12:43:50 -0400
Received: from [192.168.1.105] (d207-6-234-158.bchsia.telus.net [207.6.234.158]) (authenticated bits=0) by mail1.sxip.com (8.13.5/8.13.5) with ESMTP id k9JGhbh7097272 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 19 Oct 2006 09:43:37 -0700 (PDT) (envelope-from dick@sxip.com)
In-Reply-To: <1441909800.20061020023524@pobox.com>
References: <C15BD77C.B18A%scott@janrain.com> <494BE94B-A5B6-4336-8205-2C5BF6D568C8@sxip.com> <1441909800.20061020023524@pobox.com>
Mime-Version: 1.0 (Apple Message framework v752.3)
X-Priority: 3 (Normal)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <DBA24B83-A952-41AC-AA95-AC6B62D596F7@sxip.com>
Content-Transfer-Encoding: 7bit
From: Dick Hardt <dick@sxip.com>
Subject: Re: Re[2]: [dix] Re: Gathering requirements for in-browser OpenID support
Date: Thu, 19 Oct 2006 09:43:31 -0700
To: Chris Drake <christopher@pobox.com>
X-Mailer: Apple Mail (2.752.3)
X-Spam-Status: No, score=0.6 required=5.0 tests=AWL,BAYES_00, RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL autolearn=no version=3.1.3
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on marlin.sxip.com
X-Scanned-By: MIMEDefang 2.54 on 199.60.48.141
X-Spam-Score: 0.0 (/)
X-Scan-Signature: cf3becbbd6d1a45acbe2ffd4ab88bdc2
Cc: Scott Kveton <scott@janrain.com>, Digital Identity Exchange <dix@ietf.org>, general@openid.net
X-BeenThere: dix@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Digital Identity Exchange <dix@ietf.org>
List-Id: Digital Identity Exchange <dix.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/dix>
List-Post: <mailto:dix@ietf.org>
List-Help: <mailto:dix-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=subscribe>
Errors-To: dix-bounces@ietf.org

Hi Chris

I agree this is a risk point, but that it belongs in the security  
considerations that the IdP must ensure it is talking directly to the  
user. There is no reason why there needs to be a standard way of  
solving this though. One IdP may do it one way, another a different  
way. It could also be solved by the browser. It is out of scope of  
the specification ust like how the user authenticates to the IdP is  
out of scope.

If you have an idea on something that the RP would do, I'd love to  
hear it, and then it would be in scope.

-- Dick

On 19-Oct-06, at 9:35 AM, Chris Drake wrote:

> Hi Dick,
>
> I disagree - the RP is *responsible* for directing the user to the
> IdP;  This is the highest risk point of MITM attack.  OpenID MUST
> include something to "enable" a "safe redirect" or browser-chrome
> activation or whathaveyou.  Granted - chrome etc shouldn't be in the
> spec, but *enabling* it for the future MUST.
>
> Kind Regards,
> Chris Drake
>
>
> Thursday, October 19, 2006, 1:56:05 PM, you wrote:
>
> DH> The MITM attack vector resolution is out of scope of OpenID
> DH> Authentication as it is a ceremony between the user and the  
> IdP. The
> DH> user and IdP need to know they are talking directly to each other.
>
> DH> -- Dick
>
> DH> On 18-Oct-06, at 1:07 PM, Scott Kveton wrote:
>
>>>> It is vulnerable to a man in the middle attack - the RP, instead of
>>>> redirecting to the IdP redirects to itself or some other site in
>>>> cahoots, then proxies the conversation between the user and the IdP
>>>> thereby compromising the users (global) credentials as they pass
>>>> through.
>>>
>>> Right, we've known about this for quite some time unfortunately
>>> there hasn't
>>> be a particularly easy solution to it and I classify this as one of
>>> those
>>> "The Internet Sucks" problems.  I'm not saying we shouldn't/
>>> couldn't do
>>> anything about it I just think the right solution that mixes
>>> ease-of-implementation and user need hasn't been found yet.
>>>
>>>> There really needs to be user-agent support to avoid that - either
>>>> something CardSpace like, or browser plugin that only ever  
>>>> presents a
>>>> pre-authenticated user.
>>>
>>> I think we're headed in this direction.  However, we have to crawl
>>> before we
>>> can walk.  At least solving a big chunk of the use cases, getting  
>>> some
>>> momentum behind the platform and solving a specific problem for  
>>> users
>>> *today* is better than trying to build the perfect tool.  We can
>>> talk and
>>> talk on these lists but we really don't know how users are going to
>>> use this
>>> stuff (or abuse it for that matter) until its out there and working
>>> in the
>>> wild.
>>>
>>> I can't emphasize more the fact that with every passing day that we
>>> don't
>>> have OpenID v2.0 out the door, we're losing momentum from fixing
>>> specific
>>> user problems that are solved in the existing specification.
>>>
>>> - Scott
>>>
>>> _______________________________________________
>>> general mailing list
>>> general@openid.net
>>> http://openid.net/mailman/listinfo/general
>>>
>>>
>
> DH> _______________________________________________
> DH> general mailing list
> DH> general@openid.net
> DH> http://openid.net/mailman/listinfo/general
>
>
>
>


_______________________________________________
dix mailing list
dix@ietf.org
https://www1.ietf.org/mailman/listinfo/dix

v2.23.0 | Report a Bug | By Email