Re: Re[2]: [dix] Re: Gathering requirements for in-browser OpenID support
Dick Hardt <dick@sxip.com> Thu, 19 October 2006 16:54 UTC
In-Reply-To: <1441909800.20061020023524@pobox.com>
References: <C15BD77C.B18A%scott@janrain.com> <494BE94B-A5B6-4336-8205-2C5BF6D568C8@sxip.com> <1441909800.20061020023524@pobox.com>
From: Dick Hardt <dick@sxip.com>
Subject: Re: Re[2]: [dix] Re: Gathering requirements for in-browser OpenID support
Date: Thu, 19 Oct 2006 09:43:31 -0700
To: Chris Drake <christopher@pobox.com>
Cc: Scott Kveton <scott@janrain.com>, Digital Identity Exchange <dix@ietf.org>, general@openid.net
Hi Chris

I agree this is a risk point, but that it belongs in the security
considerations that the IdP must ensure it is talking directly to the
user. There is no reason why there needs to be a standard way of solving
this though. One IdP may do it one way, another a different way. It could
also be solved by the browser. It is out of scope of the specification,
just like how the user authenticates to the IdP is out of scope.

If you have an idea on something that the RP would do, I'd love to hear
it, and then it would be in scope.

-- Dick

On 19-Oct-06, at 9:35 AM, Chris Drake wrote:

> Hi Dick,
>
> I disagree - the RP is *responsible* for directing the user to the
> IdP; this is the highest risk point of MITM attack. OpenID MUST
> include something to "enable" a "safe redirect" or browser-chrome
> activation or what have you. Granted - chrome etc. shouldn't be in the
> spec, but *enabling* it for the future MUST.
>
> Kind Regards,
> Chris Drake
>
>
> Thursday, October 19, 2006, 1:56:05 PM, you wrote:
>
> DH> The MITM attack vector resolution is out of scope of OpenID
> DH> Authentication as it is a ceremony between the user and the IdP. The
> DH> user and IdP need to know they are talking directly to each other.
>
> DH> -- Dick
>
> DH> On 18-Oct-06, at 1:07 PM, Scott Kveton wrote:
>
>>>> It is vulnerable to a man in the middle attack - the RP, instead of
>>>> redirecting to the IdP redirects to itself or some other site in
>>>> cahoots, then proxies the conversation between the user and the IdP
>>>> thereby compromising the user's (global) credentials as they pass
>>>> through.
>>>
>>> Right, we've known about this for quite some time; unfortunately
>>> there hasn't been a particularly easy solution to it and I classify
>>> this as one of those "The Internet Sucks" problems. I'm not saying we
>>> shouldn't/couldn't do anything about it, I just think the right
>>> solution that mixes ease-of-implementation and user need hasn't been
>>> found yet.
>>>
>>>> There really needs to be user-agent support to avoid that - either
>>>> something CardSpace like, or browser plugin that only ever
>>>> presents a pre-authenticated user.
>>>
>>> I think we're headed in this direction. However, we have to crawl
>>> before we can walk. At least solving a big chunk of the use cases,
>>> getting some momentum behind the platform and solving a specific
>>> problem for users *today* is better than trying to build the perfect
>>> tool. We can talk and talk on these lists but we really don't know
>>> how users are going to use this stuff (or abuse it for that matter)
>>> until it's out there and working in the wild.
>>>
>>> I can't emphasize more the fact that with every passing day that we
>>> don't have OpenID v2.0 out the door, we're losing momentum from
>>> fixing specific user problems that are solved in the existing
>>> specification.
>>>
>>> - Scott
>>>
>>> _______________________________________________
>>> general mailing list
>>> general@openid.net
>>> http://openid.net/mailman/listinfo/general

_______________________________________________
dix mailing list
dix@ietf.org
https://www1.ietf.org/mailman/listinfo/dix
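The attack Scott describes and the "safe redirect" Chris asks for can be made concrete. The following is an added example written for this archive page; it is not code from the dix thread, from the OpenID specification, or from any IdP or browser plugin the participants mention. It sketches a user-agent-side check of the kind that would "enable" a safe redirect: the user agent knows the user's own identity URL, performs OpenID 1.1 HTML discovery on it itself, and refuses an RP-issued checkid redirect whose target origin is not the endpoint that identity page declares. The identity page, the honest redirect, and the proxy and downgrade variants are all constructed for the example; the host names are assumptions.

```python
"""Added example (editor's illustration, not code from the dix thread or the
OpenID spec): a user-agent-side "safe redirect" check against an RP that
redirects the user to itself or to a site in cahoots, which then proxies the
login to the real IdP.

Assumed model: OpenID 1.1 HTML discovery via <link rel="openid.server"> on
the user's identity page, fetched by the user agent itself over HTTPS. All
URLs and the identity page below are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed: the page a user agent would fetch from the claimed identifier.
IDENTITY_URL = "https://alice.example.net/"
IDENTITY_PAGE = """<html><head><title>Alice</title>
<link rel="openid.server" href="https://idp.example.org/openid/server">
<link rel="openid.delegate" href="https://idp.example.org/id/alice">
</head><body>Alice's home page</body></html>"""

# Constructed: an honest RP's redirect, then the identical request re-pointed
# at a look-alike host (the proxying MITM) and at a plaintext downgrade.
COMMON = ("openid.mode=checkid_setup"
          "&openid.identity=https%3A%2F%2Fidp.example.org%2Fid%2Falice"
          "&openid.return_to=https%3A%2F%2Frp.example.com%2Ffinish"
          "&openid.trust_root=https%3A%2F%2Frp.example.com%2F")
HONEST_REDIRECT = "https://idp.example.org/openid/server?" + COMMON
PROXY_REDIRECT = "https://idp-example.org/openid/server?" + COMMON
DOWNGRADE_REDIRECT = "http://idp.example.org/openid/server?" + COMMON


class _LinkRelParser(HTMLParser):
    """Collect the first href for each <link rel="..."> in an HTML page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = dict(attrs)
        if a.get("rel") and a.get("href"):
            self.links.setdefault(a["rel"].lower(), a["href"])


def discover_openid_server(identity_html):
    """OpenID 1.1 HTML discovery: the declared openid.server endpoint, or None."""
    p = _LinkRelParser()
    p.feed(identity_html)
    return p.links.get("openid.server")


def origin(url):
    """(scheme, host, port) of a URL, with default ports filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port or {"https": 443, "http": 80}.get(scheme)
    return (scheme, (u.hostname or "").lower(), port)


def parse_checkid_redirect(url):
    """Return the openid.* query parameters of an RP redirect as a flat dict."""
    q = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in q.items() if k.startswith("openid.")}


def safe_redirect_check(redirect_url, identity_html):
    """Decide whether the user agent should follow an RP-issued OpenID redirect.

    Returns (ok, reason). The redirect's origin is compared with the endpoint
    the user's *own* identity page declares, so the RP cannot substitute a
    proxy host while keeping every openid.* parameter identical.
    """
    params = parse_checkid_redirect(redirect_url)
    if params.get("openid.mode") not in ("checkid_setup", "checkid_immediate"):
        return False, "not an OpenID checkid request"
    endpoint = discover_openid_server(identity_html)
    if endpoint is None:
        return False, "identity page declares no openid.server"
    if origin(endpoint)[0] != "https":
        return False, "declared endpoint is not https"
    if origin(redirect_url) != origin(endpoint):
        return False, "redirect target %s is not the declared endpoint %s" % (
            redirect_url.split("?")[0], endpoint)
    return True, "redirect goes to the user's declared IdP"


if __name__ == "__main__":
    for name, url in (("honest", HONEST_REDIRECT), ("proxy", PROXY_REDIRECT),
                      ("downgrade", DOWNGRADE_REDIRECT)):
        ok, why = safe_redirect_check(url, IDENTITY_PAGE)
        print("%-9s %s: %s" % (name, "follow" if ok else "BLOCK", why))
```

The check only moves the trust question into the user agent: it is sound only if the agent's own discovery fetch is over HTTPS and the identity page itself is not under the attacker's control, and it does nothing for users without such an agent. That is the gap Dick's reply points at; whether the IdP can tell on its own that it is talking directly to the user is a separate question this check does not answer.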