IETF Logo Mail Archive

Re[2]: [dix] Re: Gathering requirements for in-browser OpenID support

Chris Drake <christopher@pobox.com> Thu, 19 October 2006 02:21 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GaNXF-0001Tn-Kx; Wed, 18 Oct 2006 22:21:29 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GaNXD-0001Tc-QR for dix@ietf.org; Wed, 18 Oct 2006 22:21:27 -0400
Received: from copa.geek.net.au ([203.217.18.13] helo=srve.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GaNWK-0000ub-Vo for dix@ietf.org; Wed, 18 Oct 2006 22:20:39 -0400
Received: from BLANK (203-217-18-9.perm.iinet.net.au [203.217.18.9]) by srve.com (8.13.6/8.12.11) with ESMTP id k9J2KKac012710 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Thu, 19 Oct 2006 02:20:21 GMT
Date: Thu, 19 Oct 2006 12:20:27 +1000
From: Chris Drake <christopher@pobox.com>
X-Priority: 3 (Normal)
Message-ID: <1911839956.20061019122027@pobox.com>
To: Scott Kveton <scott@janrain.com>
Subject: Re[2]: [dix] Re: Gathering requirements for in-browser OpenID support
In-Reply-To: <C15BD77C.B18A%scott@janrain.com>
References: <4536771C.1000505@redhat.com> <C15BD77C.B18A%scott@janrain.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 1.2 (+)
X-Scan-Signature: 1a1bf7677bfe77d8af1ebe0e91045c5b
Cc: specs@openid.net, general@openid.net, Mike Glover <mpg4@janrain.com>, Digital Identity Exchange <dix@ietf.org>
X-BeenThere: dix@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Digital Identity Exchange <dix@ietf.org>
List-Id: Digital Identity Exchange <dix.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/dix>
List-Post: <mailto:dix@ietf.org>
List-Help: <mailto:dix-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=subscribe>
Errors-To: dix-bounces@ietf.org

Hi Scott,

All solutions for client-based MITM and phishing prevention can easily
be built on top of OpenID 2.0 if we adopt the OpenIDHTTPAuth proposal.

We can then leave these people to build their tools and protection
howsoever they like, safe in the knowledge that when it's *done*,
there will be a range of new plugins that will immediately work with
all OpenID 2.0 enabled sites - and best of all - it does not have to
hold up the OpenID 2.0 development in the meantime.

The only thing we need to give to these tools is a way to get the
login process started - that is - OpenIDHTTPAuth: the downloaded
plugin needs to be able to get an entry point for the OpenID CGI code
on the web site.

-----------

Here is a copy of my vote to include the above proposal, which
contains more info abut it too:


Hi,

Why's this proposal "depreciated" ?
( http://www.lifewiki.net/openid/OpenIDProposals )

I'm casting my vote here:

+1 to [PROPOSAL] bare response / bare request

Besides the listed uses, it also allows IdPs to layer privacy and
delegation easily on top of OpenID, as well as permitting cool future
features (like letting a user change something at their IdP, and have
that change be "pushed out" to all relevant RPs).

This is a small and simple to implement "hook" which I believe will be
the dominating bit of OpenID protocol use in future.

Alternatively - if we can standardize a way for the OpenIDHTTPAuth
proposed extension to discover the RP's OpenID "entry point" [so as to
reliably eliminate the "optional" first step proposed here
http://www.lifewiki.net/openid/OpenIDHTTPAuth ] - this is a good
working alterative way to accommodate the "bare response" part that we
need.

So...

+1 to OpenIDHTTPAuth - on the proviso RP's publish an endpoint URL
                       that's somehow available to scripts, plugins,
                       software agents that encounter OpenID login
                       pages.

                       Suggestion: (for OpenID-enabled login pages):-

  <link rel="openid.httpauth" href="http://my.rp.com/openid/blah.cgi">

-----------


Kind Regards,
Chris Drake


Thursday, October 19, 2006, 6:07:08 AM:

>> It is vulnerable to a man in the middle attack - the RP, instead of
>> redirecting to the IdP redirects to itself or some other site in
>> cahoots, then proxies the conversation between the user and the IdP
>> thereby compromising the users (global) credentials as they pass through.

SK> Right, we've known about this for quite some time unfortunately there hasn't
SK> be a particularly easy solution to it and I classify this as one of those
SK> "The Internet Sucks" problems.  I'm not saying we shouldn't/couldn't do
SK> anything about it I just think the right solution that mixes
SK> ease-of-implementation and user need hasn't been found yet.
 
>> There really needs to be user-agent support to avoid that - either
>> something CardSpace like, or browser plugin that only ever presents a
>> pre-authenticated user.

SK> I think we're headed in this direction.  However, we have to crawl before we
SK> can walk.  At least solving a big chunk of the use cases, getting some
SK> momentum behind the platform and solving a specific problem for users
SK> *today* is better than trying to build the perfect tool.  We can talk and
SK> talk on these lists but we really don't know how users are going to use this
SK> stuff (or abuse it for that matter) until its out there and working in the
SK> wild.

SK> I can't emphasize more the fact that with every passing day that we don't
SK> have OpenID v2.0 out the door, we're losing momentum from fixing specific
SK> user problems that are solved in the existing specification.

SK> - Scott

SK> _______________________________________________
SK> general mailing list
SK> general@openid.net
SK> http://openid.net/mailman/listinfo/general




_______________________________________________
dix mailing list
dix@ietf.org
https://www1.ietf.org/mailman/listinfo/dix

v2.23.0 | Report a Bug | By Email