Re[2]: [dix] Re: Gathering requirements for in-browser OpenID support
Chris Drake <christopher@pobox.com> Thu, 19 October 2006 02:21 UTC
Date: Thu, 19 Oct 2006 12:20:27 +1000
From: Chris Drake <christopher@pobox.com>
Message-ID: <1911839956.20061019122027@pobox.com>
To: Scott Kveton <scott@janrain.com>
Subject: Re[2]: [dix] Re: Gathering requirements for in-browser OpenID support
In-Reply-To: <C15BD77C.B18A%scott@janrain.com>
References: <4536771C.1000505@redhat.com> <C15BD77C.B18A%scott@janrain.com>
Cc: specs@openid.net, general@openid.net, Mike Glover <mpg4@janrain.com>, Digital Identity Exchange <dix@ietf.org>
Hi Scott,

All solutions for client-based MITM and phishing prevention can easily be built on top of OpenID 2.0 if we adopt the OpenIDHTTPAuth proposal. We can then leave these people to build their tools and protection howsoever they like, safe in the knowledge that when it's *done*, there will be a range of new plugins that will immediately work with all OpenID 2.0 enabled sites - and best of all - it does not have to hold up the OpenID 2.0 development in the meantime.

The only thing we need to give to these tools is a way to get the login process started - that is - OpenIDHTTPAuth: the downloaded plugin needs to be able to get an entry point for the OpenID CGI code on the web site.

-----------

Here is a copy of my vote to include the above proposal, which contains more info about it too:

Hi,

Why's this proposal "depreciated" ? ( http://www.lifewiki.net/openid/OpenIDProposals )

I'm casting my vote here:

+1 to [PROPOSAL] bare response / bare request

Besides the listed uses, it also allows IdPs to layer privacy and delegation easily on top of OpenID, as well as permitting cool future features (like letting a user change something at their IdP, and have that change be "pushed out" to all relevant RPs). This is a small and simple to implement "hook" which I believe will be the dominating bit of OpenID protocol use in future.

Alternatively - if we can standardize a way for the OpenIDHTTPAuth proposed extension to discover the RP's OpenID "entry point" [so as to reliably eliminate the "optional" first step proposed here http://www.lifewiki.net/openid/OpenIDHTTPAuth ] - this is a good working alternative way to accommodate the "bare response" part that we need.

So... +1 to OpenIDHTTPAuth - on the proviso RPs publish an endpoint URL that's somehow available to scripts, plugins, software agents that encounter OpenID login pages.

Suggestion: (for OpenID-enabled login pages):-

  <link rel="openid.httpauth" href="http://my.rp.com/openid/blah.cgi">

-----------

Kind Regards,
Chris Drake

Thursday, October 19, 2006, 6:07:08 AM:

>> It is vulnerable to a man in the middle attack - the RP, instead of
>> redirecting to the IdP redirects to itself or some other site in
>> cahoots, then proxies the conversation between the user and the IdP
>> thereby compromising the user's (global) credentials as they pass through.

SK> Right, we've known about this for quite some time unfortunately there hasn't
SK> been a particularly easy solution to it and I classify this as one of those
SK> "The Internet Sucks" problems. I'm not saying we shouldn't/couldn't do
SK> anything about it I just think the right solution that mixes
SK> ease-of-implementation and user need hasn't been found yet.

>> There really needs to be user-agent support to avoid that - either
>> something CardSpace like, or browser plugin that only ever presents a
>> pre-authenticated user.

SK> I think we're headed in this direction. However, we have to crawl before we
SK> can walk. At least solving a big chunk of the use cases, getting some
SK> momentum behind the platform and solving a specific problem for users
SK> *today* is better than trying to build the perfect tool. We can talk and
SK> talk on these lists but we really don't know how users are going to use this
SK> stuff (or abuse it for that matter) until it's out there and working in the
SK> wild.

SK> I can't emphasize more the fact that with every passing day that we don't
SK> have OpenID v2.0 out the door, we're losing momentum from fixing specific
SK> user problems that are solved in the existing specification.

SK> - Scott
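The two mechanics the message above turns on, as an added example that is not code from this thread or from any OpenID project: a login-helper plugin discovering the RP's entry point from the proposed `<link rel="openid.httpauth">` element, and one illustrative way such a plugin can refuse the attack the quoted `>>` text describes (an RP redirecting to itself or a site in cahoots and proxying the IdP conversation), namely by only ever authenticating to the IdP origin it was configured with. The sample login page and the my.rp.com / idp.example URLs are constructed for the demo, and the origin-pinning rule is an assumption for illustration, not part of any OpenID specification.

```python
"""Added example, not code from the thread or from any OpenID implementation.

Two things a login-helper plugin of the kind discussed above would need:

1. discover the RP's OpenID entry point from the login page, using the
   <link rel="openid.httpauth"> element Chris Drake suggests; and
2. refuse to present the user's IdP credentials anywhere except the IdP the
   plugin was configured with, so an RP that redirects to itself or to a
   proxy in cahoots and relays the IdP conversation gets nothing.

The sample page and the my.rp.com / idp.example URLs are constructed; the
origin-pinning rule is an illustrative defence (an assumption), not part of
any OpenID specification.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample RP login page carrying the proposed <link> element
# alongside an unrelated stylesheet link.
SAMPLE_LOGIN_PAGE = """<html><head>
<title>Log in</title>
<link rel="stylesheet" href="/style.css">
<link rel="openid.httpauth" href="/openid/blah.cgi">
</head><body><form action="/login"></form></body></html>"""


class _LinkCollector(HTMLParser):
    """Collect (rel tokens, href) for every <link> element on the page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        href = a.get("href")
        if href:
            # rel is a space-separated token list; compare case-insensitively.
            self.links.append(((a.get("rel") or "").lower().split(), href))


def discover_httpauth_endpoint(page_html, page_url):
    """Return the absolute OpenID HTTP-auth entry point the RP advertises via
    <link rel="openid.httpauth">, or None if the page publishes none.
    Relative hrefs are resolved against the login page URL, as a browser would."""
    collector = _LinkCollector()
    collector.feed(page_html)
    collector.close()
    for rel_tokens, href in collector.links:
        if "openid.httpauth" in rel_tokens:
            return urljoin(page_url, href)
    return None


def origin(url):
    """(scheme, host, port) with default ports filled in, so that
    https://idp.example/ and https://idp.example:443/x share an origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"https": 443, "http": 80}.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def safe_to_present_credentials(redirect_target, trusted_idp_url):
    """The plugin only ever authenticates to the IdP it was configured with.
    Anything else, including the RP itself or a look-alike proxy, is refused,
    as is any non-https target even when the host matches."""
    if urlsplit(redirect_target).scheme.lower() != "https":
        return False
    return origin(redirect_target) == origin(trusted_idp_url)


if __name__ == "__main__":
    endpoint = discover_httpauth_endpoint(SAMPLE_LOGIN_PAGE, "http://my.rp.com/login")
    print("RP entry point:", endpoint)
    trusted_idp = "https://idp.example/"  # constructed: the user's own IdP
    for target in ("https://idp.example/auth?rp=my.rp.com",
                   "https://my.rp.com/openid/idp-proxy",
                   "http://idp.example/auth"):
        verdict = "OK" if safe_to_present_credentials(target, trusted_idp) else "REFUSE"
        print(target, "->", verdict)
```

The discovery half is what OpenIDHTTPAuth would gain from RPs publishing the entry point in the page; the second half is the "only ever presents a pre-authenticated user" idea reduced to a single rule: credentials go to one pinned IdP origin, so a redirect back to the RP or to a proxy host fails the comparison without any trust in what the page looks like.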
- [dix] Re: Gathering requirements for in-browser O… Troy Benjegerdes
- Re: [dix] Re: Gathering requirements for in-brows… Pete Rowley
- Re: [dix] Re: Gathering requirements for in-brows… Pete Rowley
- Re[2]: [dix] Re: Gathering requirements for in-br… Chris Drake
- Re: [dix] Re: Gathering requirements for in-brows… Dick Hardt
- [dix] Re: Gathering requirements for in-browser O… Dick Hardt
- Re[2]: [dix] Re: Gathering requirements for in-br… Chris Drake
- Re: Re[2]: [dix] Re: Gathering requirements for i… Dick Hardt
- Re: Re[2]: [dix] Re: Gathering requirements for i… Dick Hardt
- Re[4]: [dix] Re: Gathering requirements for in-br… Chris Drake
- Re: Re[4]: [dix] Re: Gathering requirements for i… Dick Hardt