Re: [dix] Re: Gathering requirements for in-browser OpenID support

Pete Rowley <prowley@redhat.com> Wed, 18 October 2006 18:49 UTC

Message-ID: <4536771C.1000505@redhat.com>
Date: Wed, 18 Oct 2006 11:49:00 -0700
From: Pete Rowley <prowley@redhat.com>
User-Agent: Thunderbird 1.5.0.7 (X11/20060911)
MIME-Version: 1.0
To: Mike Glover <mpg4@janrain.com>
Subject: Re: [dix] Re: Gathering requirements for in-browser OpenID support
References: <4533DD00.6060501@mozilla.com> <C1592C34.AC79%scott@janrain.com> <20061018171523.GD25194@narn.hozed.org> <45366942.50307@redhat.com> <20061018110159.453e322b@rabbit.janrain.com>
In-Reply-To: <20061018110159.453e322b@rabbit.janrain.com>
Cc: Digital Identity Exchange <dix@ietf.org>, general@openid.net
Reply-To: Digital Identity Exchange <dix@ietf.org>

Mike Glover wrote:
> Pete-
>
>   Why do you have to trust the RP at all?  All the RP ever sees is an assertion that you control the identity URL that you provided.
That is what the RP sees if they play along with the scheme.
>  Do you see a vulnerability that I'm missing?
>
It is vulnerable to a man-in-the-middle attack - the RP, instead of 
redirecting to the IdP, redirects to itself or some other site in 
cahoots, then proxies the conversation between the user and the IdP, 
thereby compromising the user's (global) credentials as they pass through.

There really needs to be user-agent support to avoid that - either 
something CardSpace-like, or a browser plugin that only ever presents a 
pre-authenticated user.

> -mike
>
> On Wed, 18 Oct 2006 10:49:54 -0700
> Pete Rowley <prowley@redhat.com> wrote:
>> I also think it _is_ a requirement that the 
>> browser vendors support this - right now you have to trust that the RP 
>> is a white hat.


-- 
Pete
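
A sketch of the user-agent-side check Pete is asking for, added here as an illustration; it is not code from Pete, JanRain or anyone on the list. It assumes OpenID 1.x link-rel discovery (the user's identity page carries a <link rel="openid.server"> tag) and that the user agent fetches that page itself rather than taking the RP's word for where the IdP lives. The hostnames, the identity page and both sample redirects are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class _LinkFinder(HTMLParser):
    """Collect <link rel="..." href="..."> tags from an identity page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        attr = dict(attrs)
        rel, href = attr.get("rel"), attr.get("href")
        if rel and href:
            for r in rel.split():
                self.links[r.lower()] = href


def discover_server(identity_html):
    """Return the openid.server URL named by the identity page, or None.

    This is the OpenID 1.x link-rel discovery step. Doing it in the user
    agent matters because the result then does not come from the RP."""
    finder = _LinkFinder()
    finder.feed(identity_html)
    return finder.links.get("openid.server")


def verify_redirect(identity_url, identity_html, redirect_url):
    """Decide whether an RP-issued checkid_setup redirect really points at
    the IdP the user's own identity page names. Returns (ok, reason)."""
    server = discover_server(identity_html)
    if server is None:
        return False, "identity page names no openid.server"
    want, got = urlparse(server), urlparse(redirect_url)
    # The RP controls redirect_url; the one thing the user agent can check
    # it against independently is the origin it discovered itself.
    if (want.scheme, want.netloc) != (got.scheme, got.netloc):
        return False, "redirect goes to %s but identity page names %s" % (
            got.netloc, want.netloc)
    params = parse_qs(got.query)
    if params.get("openid.mode", [None])[0] != "checkid_setup":
        return False, "not a checkid_setup request"
    if params.get("openid.identity", [None])[0] != identity_url:
        return False, "openid.identity differs from the identity the user entered"
    return True, "redirect target matches the IdP discovered from the identity URL"


# Constructed sample data (hostnames invented for this example).
IDENTITY_URL = "https://alice.example/"
IDENTITY_HTML = (
    '<html><head><title>alice</title>'
    '<link rel="openid.server" href="https://idp.example/openid">'
    '</head><body>alice</body></html>'
)
HONEST_REDIRECT = (
    "https://idp.example/openid?openid.mode=checkid_setup"
    "&openid.identity=https%3A%2F%2Falice.example%2F"
    "&openid.return_to=https%3A%2F%2Frp.example%2Fdone"
)
# What an RP that sends the user back to itself (or a site in cahoots)
# in order to proxy the IdP conversation looks like to the user agent.
PROXYING_REDIRECT = (
    "https://rp.example/idp-lookalike?openid.mode=checkid_setup"
    "&openid.identity=https%3A%2F%2Falice.example%2F"
    "&openid.return_to=https%3A%2F%2Frp.example%2Fdone"
)

if __name__ == "__main__":
    for name, url in (("honest", HONEST_REDIRECT), ("proxying", PROXYING_REDIRECT)):
        ok, reason = verify_redirect(IDENTITY_URL, IDENTITY_HTML, url)
        print(name, "OK" if ok else "BLOCK", "-", reason)
```

The check only catches an RP steering the user somewhere other than the IdP the identity page names; it does nothing if the identity page itself was served by the attacker, and it can only be made at all by something running in the browser, which is the point of the thread.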

_______________________________________________
dix mailing list
dix@ietf.org
https://www1.ietf.org/mailman/listinfo/dix