Re: Re[2]: [dix] Re: Gathering requirements for in-browser OpenID support
Dick Hardt <dick@sxip.com> Thu, 19 October 2006 16:53 UTC
From: Dick Hardt <dick@sxip.com>
Subject: Re: Re[2]: [dix] Re: Gathering requirements for in-browser OpenID support
Date: Thu, 19 Oct 2006 09:45:23 -0700
To: Gabe Wachob <gabe.wachob@amsoft.net>
Cc: general@openid.net, 'Digital Identity Exchange' <dix@ietf.org>
Just to keep beating that dead horse some more, this demonstrates why *how* to solve the issue is out of scope, but that there is an issue MUST be in the spec. :-)

btw: that is a cool extension, but wait until you see ours! ;-)

-- Dick

On 19-Oct-06, at 9:40 AM, Gabe Wachob wrote:

> And not to beat a dead horse to a pulp, but the Ph-Off Firefox extension from OOTao provides exactly this sort of trustable (based on SSL certs) visual indicator that you are actually talking to your real OpenID IDP. It's obviously an early iteration, but it *is* there and performs the function adequately.
>
> http://chile.ootao.com/phoff/
>
> -Gabe
>
>> -----Original Message-----
>> From: general-bounces@openid.net [mailto:general-bounces@openid.net] On Behalf Of Chris Drake
>> Sent: Thursday, October 19, 2006 9:35 AM
>> To: Dick Hardt
>> Cc: Digital Identity Exchange; general@openid.net
>> Subject: Re[2]: [dix] Re: Gathering requirements for in-browser OpenID support
>>
>> Hi Dick,
>>
>> I disagree - the RP is *responsible* for directing the user to the IdP; this is the highest risk point of MITM attack. OpenID MUST include something to "enable" a "safe redirect" or browser-chrome activation or whathaveyou. Granted - chrome etc. shouldn't be in the spec, but *enabling* it for the future MUST.
>>
>> Kind Regards,
>> Chris Drake
>>
>> Thursday, October 19, 2006, 1:56:05 PM, you wrote:
>>
>> DH> The MITM attack vector resolution is out of scope of OpenID Authentication as it is a ceremony between the user and the IdP. The user and IdP need to know they are talking directly to each other.
>>
>> DH> -- Dick
>>
>> DH> On 18-Oct-06, at 1:07 PM, Scott Kveton wrote:
>>
>>>>> It is vulnerable to a man in the middle attack - the RP, instead of redirecting to the IdP, redirects to itself or some other site in cahoots, then proxies the conversation between the user and the IdP, thereby compromising the user's (global) credentials as they pass through.
>>>>
>>>> Right, we've known about this for quite some time; unfortunately there hasn't been a particularly easy solution to it and I classify this as one of those "The Internet Sucks" problems. I'm not saying we shouldn't/couldn't do anything about it, I just think the right solution that mixes ease-of-implementation and user need hasn't been found yet.
>>>>
>>>>> There really needs to be user-agent support to avoid that - either something CardSpace like, or a browser plugin that only ever presents a pre-authenticated user.
>>>>
>>>> I think we're headed in this direction. However, we have to crawl before we can walk. At least solving a big chunk of the use cases, getting some momentum behind the platform and solving a specific problem for users *today* is better than trying to build the perfect tool. We can talk and talk on these lists but we really don't know how users are going to use this stuff (or abuse it for that matter) until it's out there and working in the wild.
>>>>
>>>> I can't emphasize more the fact that with every passing day that we don't have OpenID v2.0 out the door, we're losing momentum from fixing specific user problems that are solved in the existing specification.
>>>>
>>>> - Scott
>>>>
>>>> _______________________________________________
>>>> general mailing list
>>>> general@openid.net
>>>> http://openid.net/mailman/listinfo/general
>
> _______________________________________________
> dix mailing list
> dix@ietf.org
> https://www1.ietf.org/mailman/listinfo/dix
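As an added illustration of the user-agent-side check the thread is arguing about (this is not code from the thread, from OpenID, or from the Ph-Off extension): before a browser helper lights its "you are really at your IdP" indicator, it compares the origin the RP just redirected to against an origin the user pinned for their IdP earlier, accepting only an exact HTTPS origin match. The pinned-origin set and the IdP hostname are constructed sample values.

```javascript
// Added example: user-agent-side "am I really talking to my IdP?" check.
// Not code from the thread or from the Ph-Off extension. The pinned origin
// set is a constructed stand-in for whatever a browser extension would
// persist after the user first enrolls with their IdP.

const PINNED_IDP_ORIGINS = new Set([
  "https://idp.example.net", // constructed sample IdP origin
]);

// Decide whether the trust indicator may be shown for a redirect target.
// Returns { ok, reason } rather than a bare boolean so the reason can be
// surfaced to the user (or logged) when the indicator stays off.
function checkIdpRedirect(redirectTarget, pinned = PINNED_IDP_ORIGINS) {
  let url;
  try {
    url = new URL(redirectTarget);
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }
  // An RP that proxies the login page over plain HTTP fails here even if
  // the hostname reads correctly; the SSL cert is what makes it trustable.
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }
  // Credentials in the authority ("https://idp.example.net@evil.test/")
  // make the address bar look like the real IdP while the host is not.
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo in authority" };
  }
  // url.origin lowercases the host and folds in any non-default port, so
  // "idp.example.net.evil.test" and ":8443" variants do not match either.
  if (!pinned.has(url.origin)) {
    return { ok: false, reason: `origin ${url.origin} is not a pinned IdP` };
  }
  return { ok: true, reason: "origin matches pinned IdP" };
}
```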