Re: [dix] Re: Gathering requirements for in-browser OpenID support
Dick Hardt <dick@sxip.com> Thu, 19 October 2006 03:56 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GaP13-0002hI-Ao; Wed, 18 Oct 2006 23:56:21 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GaP12-0002hC-PK for dix@ietf.org; Wed, 18 Oct 2006 23:56:20 -0400
Received: from marlin.sxip.com ([199.60.48.20] helo=mail1.sxip.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GaP10-0003h6-Cb for dix@ietf.org; Wed, 18 Oct 2006 23:56:20 -0400
Received: from [192.168.1.106] (d207-6-234-158.bchsia.telus.net [207.6.234.158]) (authenticated bits=0) by mail1.sxip.com (8.13.5/8.13.5) with ESMTP id k9J3uA3W073865 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Wed, 18 Oct 2006 20:56:10 -0700 (PDT) (envelope-from dick@sxip.com)
In-Reply-To: <C15BD77C.B18A%scott@janrain.com>
References: <C15BD77C.B18A%scott@janrain.com>
Mime-Version: 1.0 (Apple Message framework v752.3)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <494BE94B-A5B6-4336-8205-2C5BF6D568C8@sxip.com>
Content-Transfer-Encoding: 7bit
From: Dick Hardt <dick@sxip.com>
Subject: Re: [dix] Re: Gathering requirements for in-browser OpenID support
Date: Wed, 18 Oct 2006 20:56:05 -0700
To: Scott Kveton <scott@janrain.com>
X-Mailer: Apple Mail (2.752.3)
X-Spam-Status: No, score=0.6 required=5.0 tests=AWL,BAYES_00, RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL autolearn=no version=3.1.3
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on marlin.sxip.com
X-Scanned-By: MIMEDefang 2.54 on 199.60.48.141
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7aafa0432175920a4b3e118e16c5cb64
Cc: general@openid.net, Mike Glover <mpg4@janrain.com>, Digital Identity Exchange <dix@ietf.org>
X-BeenThere: dix@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Digital Identity Exchange <dix@ietf.org>
List-Id: Digital Identity Exchange <dix.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/dix>
List-Post: <mailto:dix@ietf.org>
List-Help: <mailto:dix-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/dix>, <mailto:dix-request@ietf.org?subject=subscribe>
Errors-To: dix-bounces@ietf.org
The MITM attack vector resolution is out of scope of OpenID Authentication
as it is a ceremony between the user and the IdP. The user and IdP need to
know they are talking directly to each other.

-- Dick

On 18-Oct-06, at 1:07 PM, Scott Kveton wrote:

>> It is vulnerable to a man in the middle attack - the RP, instead of
>> redirecting to the IdP, redirects to itself or some other site in
>> cahoots, then proxies the conversation between the user and the IdP,
>> thereby compromising the users' (global) credentials as they pass
>> through.
>
> Right, we've known about this for quite some time; unfortunately there
> hasn't been a particularly easy solution to it and I classify this as one
> of those "The Internet Sucks" problems. I'm not saying we shouldn't/
> couldn't do anything about it, I just think the right solution that mixes
> ease-of-implementation and user need hasn't been found yet.
>
>> There really needs to be user-agent support to avoid that - either
>> something CardSpace like, or a browser plugin that only ever presents a
>> pre-authenticated user.
>
> I think we're headed in this direction. However, we have to crawl before
> we can walk. At least solving a big chunk of the use cases, getting some
> momentum behind the platform and solving a specific problem for users
> *today* is better than trying to build the perfect tool. We can talk and
> talk on these lists but we really don't know how users are going to use
> this stuff (or abuse it for that matter) until it's out there and working
> in the wild.
>
> I can't emphasize more the fact that with every passing day that we don't
> have OpenID v2.0 out the door, we're losing momentum from fixing specific
> user problems that are solved in the existing specification.
>
> - Scott
>
> _______________________________________________
> general mailing list
> general@openid.net
> http://openid.net/mailman/listinfo/general

_______________________________________________
dix mailing list
dix@ietf.org
https://www1.ietf.org/mailman/listinfo/dix
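The attack quoted above, and the user-agent check Dick's reply implies, as an added simulation that is not part of the thread or of any OpenID implementation. All hosts, paths and the password are constructed; the "pinned" user agent stands in for the browser-side support the thread discusses, where credentials are only ever released to a pre-registered IdP origin rather than to whatever URL the relying party redirects to.

```python
"""Simulation of the redirect-based MITM against a password-at-the-IdP flow.

Constructed example: every origin, path and credential below is made up.
"""
from urllib.parse import urlsplit, urlencode, parse_qs

IDP_ORIGIN = "https://idp.example"        # the user's real IdP (assumed)
RP_ORIGIN = "https://rp.example"          # an honest relying party (assumed)
EVIL_ORIGIN = "https://rp-evil.example"   # site "in cahoots" with a bad RP (assumed)
PASSWORD = "correct horse battery staple"  # constructed credential


def origin_of(url):
    """Scheme and host of a URL; the only part a user agent should trust."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


class IdP:
    """The real identity provider: checks the password, returns an assertion URL."""

    def __init__(self):
        self.logins = []

    def login_url(self, return_to):
        return f"{IDP_ORIGIN}/login?{urlencode({'return_to': return_to})}"

    def login(self, password, return_to):
        self.logins.append(return_to)
        if password != PASSWORD:
            return None
        return f"{return_to}?{urlencode({'openid.assertion': 'ok'})}"


class HonestRP:
    """Redirects the user to the real IdP, as the protocol intends."""

    def __init__(self, idp):
        self.idp = idp

    def checkid_redirect(self):
        return self.idp.login_url(f"{RP_ORIGIN}/return")


class MitmRP:
    """RP that redirects to a look-alike login page on EVIL_ORIGIN, which
    records the password and then relays it to the real IdP so the flow
    still completes and the user notices nothing."""

    def __init__(self, idp):
        self.idp = idp
        self.captured = []

    def checkid_redirect(self):
        return_to = f"{RP_ORIGIN}/return"
        return f"{EVIL_ORIGIN}/login?{urlencode({'return_to': return_to})}"

    def proxy_login(self, password, return_to):
        self.captured.append(password)              # credential stolen here
        return self.idp.login(password, return_to)  # then relayed to the IdP


def naive_user_agent(rp, login_handlers):
    """Types the password into whichever login page the RP redirected to."""
    url = rp.checkid_redirect()
    query = parse_qs(urlsplit(url).query)
    handler = login_handlers[origin_of(url)]
    return handler(PASSWORD, query["return_to"][0])


def pinned_user_agent(rp, login_handlers):
    """In-browser support: releases the credential only to the pinned IdP origin,
    so an RP cannot steer the user to a proxy. Returns None when it refuses."""
    url = rp.checkid_redirect()
    if origin_of(url) != IDP_ORIGIN:
        return None  # not talking directly to our IdP: refuse to authenticate
    query = parse_qs(urlsplit(url).query)
    return login_handlers[IDP_ORIGIN](PASSWORD, query["return_to"][0])


def run(agent):
    """Run one user agent against an honest RP and the MITM RP; report outcomes."""
    idp = IdP()
    evil = MitmRP(idp)
    handlers = {IDP_ORIGIN: idp.login, EVIL_ORIGIN: evil.proxy_login}
    honest_result = agent(HonestRP(idp), handlers)
    mitm_result = agent(evil, handlers)
    return {
        "honest_login_ok": honest_result is not None,
        "mitm_login_ok": mitm_result is not None,
        "password_captured": PASSWORD in evil.captured,
    }


if __name__ == "__main__":
    print("naive :", run(naive_user_agent))
    print("pinned:", run(pinned_user_agent))
```

With the naive agent the MITM login succeeds and the attacker holds the password; with the pinned agent the honest RP still works while the proxied redirect is refused outright. Note what the pinned check does not address: a malicious RP still learns the assertion it receives, and the check only helps once the user agent has some out-of-band knowledge of which origin is the real IdP, which is exactly the piece the thread says is missing from the protocol.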