RE: Re[2]: [dix] Re: Gathering requirements for in-browser OpenIDsupport
"Recordon, David" <drecordon@verisign.com> Thu, 19 October 2006 18:31 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GacgO-0001Jy-8A; Thu, 19 Oct 2006 14:31:56 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GacgN-0001Jt-25 for dix@ietf.org; Thu, 19 Oct 2006 14:31:55 -0400
Received: from colibri.verisign.com ([65.205.251.74]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GacgK-000415-3a for dix@ietf.org; Thu, 19 Oct 2006 14:31:55 -0400
Received: from mou1wnexcn01.vcorp.ad.vrsn.com (mailer1.verisign.com [65.205.251.34]) by colibri.verisign.com (8.13.6/8.13.4) with ESMTP id k9JIVp4l011078; Thu, 19 Oct 2006 11:31:51 -0700
Received: from MOU1WNEXMB14.vcorp.ad.vrsn.com ([10.25.13.245]) by mou1wnexcn01.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 19 Oct 2006 11:30:13 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Subject: RE: Re[2]: [dix] Re: Gathering requirements for in-browser OpenIDsupport
Date: Thu, 19 Oct 2006 11:30:13 -0700
Message-ID: <7E7CA24460925C44AEB4F202BA7E45F302B51D@MOU1WNEXMB14.vcorp.ad.vrsn.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Re[2]: [dix] Re: Gathering requirements for in-browser OpenIDsupport
Thread-Index: Acbzq7a5AYmgiabOTkOTVyMDkTvF/gAAMnzA
From: "Recordon, David" <drecordon@verisign.com>
To: andy.dale@ootao.com
X-OriginalArrivalTime: 19 Oct 2006 18:30:13.0524 (UTC) FILETIME=[9DDF9D40:01C6F3AC]
X-Spam-Score: 0.3 (/)
X-Scan-Signature: ea36de7a5e28e9b4461c8d685f4e97f1
Cc: Digital Identity Exchange <dix@ietf.org>, specs@openid.net, general@openid.net
X-BeenThere: dix@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Digital Identity Exchange <dix@ietf.org>
List-Id: Digital Identity Exchange <dix.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/dix>
List-Post: <mailto:dix@ietf.org>
List-Help: <mailto:dix-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============2141606242=="
Errors-To: dix-bounces@ietf.org
Andy, I think it is incredibly useful in showing the technology needed to help protect users with systems like this. I'd love to see it as part of the Heraldry project, you are already a committer, assuming you'd be willing to contribute it. --David ________________________________ From: specs-bounces@openid.net [mailto:specs-bounces@openid.net] On Behalf Of andy.dale@ootao.com Sent: Wednesday, October 18, 2006 11:44 PM To: Digital Identity Exchange Cc: Digital Identity Exchange; specs@openid.net; general@openid.net Subject: Re: Re[2]: [dix] Re: Gathering requirements for in-browser OpenIDsupport I'd be interested to hear if people think the ph-off plugin is useful or not.... If not why not? If people think it's useful then I will happily extend it and make it more usable and I will put it into whatever open source project would like to house it. I built it as a proof of concept that it _could_ be done... Now the question of _should_ it be done :-) http://chile.ootao.com/phoff/ Andy Dale ooTao, Inc. Phone: 877-213-7935 Fax: 877-213-7935 i-name: =Andy.Dale http://xri.net/=andy.dale ************************************************************************ *** If you don't have an i-name yet use this link to visit one of our partners and buy one: http://www.ezibroker.net/partners.html ************************************************************************ *** Chris Drake <christopher@pobox.com> 10/18/2006 07:20 PM Please respond to Digital Identity Exchange <dix@ietf.org> To Scott Kveton <scott@janrain.com> cc specs@openid.net, general@openid.net, Mike Glover <mpg4@janrain.com>, Digital Identity Exchange <dix@ietf.org> Subject Re[2]: [dix] Re: Gathering requirements for in-browser OpenID support Hi Scott, All solutions for client-based MITM and phishing prevention can easily be built on top of OpenID 2.0 if we adopt the OpenIDHTTPAuth proposal. We can then leave these people to build their tools and protection howsoever they like, safe in the knowledge that when it's *done*, there will be a range of new plugins that will immediately work with all OpenID 2.0 enabled sites - and best of all - it does not have to hold up the OpenID 2.0 development in the meantime. The only thing we need to give to these tools is a way to get the login process started - that is - OpenIDHTTPAuth: the downloaded plugin needs to be able to get an entry point for the OpenID CGI code on the web site. ----------- Here is a copy of my vote to include the above proposal, which contains more info abut it too: Hi, Why's this proposal "depreciated" ? ( http://www.lifewiki.net/openid/OpenIDProposals ) I'm casting my vote here: +1 to [PROPOSAL] bare response / bare request Besides the listed uses, it also allows IdPs to layer privacy and delegation easily on top of OpenID, as well as permitting cool future features (like letting a user change something at their IdP, and have that change be "pushed out" to all relevant RPs). This is a small and simple to implement "hook" which I believe will be the dominating bit of OpenID protocol use in future. Alternatively - if we can standardize a way for the OpenIDHTTPAuth proposed extension to discover the RP's OpenID "entry point" [so as to reliably eliminate the "optional" first step proposed here http://www.lifewiki.net/openid/OpenIDHTTPAuth ] - this is a good working alterative way to accommodate the "bare response" part that we need. So... +1 to OpenIDHTTPAuth - on the proviso RP's publish an endpoint URL that's somehow available to scripts, plugins, software agents that encounter OpenID login pages. Suggestion: (for OpenID-enabled login pages):- <link rel="openid.httpauth" href="http://my.rp.com/openid/blah.cgi"> ----------- Kind Regards, Chris Drake Thursday, October 19, 2006, 6:07:08 AM: >> It is vulnerable to a man in the middle attack - the RP, instead of >> redirecting to the IdP redirects to itself or some other site in >> cahoots, then proxies the conversation between the user and the IdP >> thereby compromising the users (global) credentials as they pass through. SK> Right, we've known about this for quite some time unfortunately there hasn't SK> be a particularly easy solution to it and I classify this as one of those SK> "The Internet Sucks" problems. I'm not saying we shouldn't/couldn't do SK> anything about it I just think the right solution that mixes SK> ease-of-implementation and user need hasn't been found yet. >> There really needs to be user-agent support to avoid that - either >> something CardSpace like, or browser plugin that only ever presents a >> pre-authenticated user. SK> I think we're headed in this direction. However, we have to crawl before we SK> can walk. At least solving a big chunk of the use cases, getting some SK> momentum behind the platform and solving a specific problem for users SK> *today* is better than trying to build the perfect tool. We can talk and SK> talk on these lists but we really don't know how users are going to use this SK> stuff (or abuse it for that matter) until its out there and working in the SK> wild. SK> I can't emphasize more the fact that with every passing day that we don't SK> have OpenID v2.0 out the door, we're losing momentum from fixing specific SK> user problems that are solved in the existing specification. SK> - Scott SK> _______________________________________________ SK> general mailing list SK> general@openid.net SK> http://openid.net/mailman/listinfo/general _______________________________________________ dix mailing list dix@ietf.org https://www1.ietf.org/mailman/listinfo/dix
_______________________________________________ dix mailing list dix@ietf.org https://www1.ietf.org/mailman/listinfo/dix
- RE: Re[2]: [dix] Re: Gathering requirements for i… Recordon, David