[OpenID] OpenID support on Firefox 3

Peter Williams pwilliams at rapattoni.com
Tue Jul 17 11:38:23 UTC 2007


Now what a useful post. 
 
 
 
There was actually information in there that sort of defined design requirements for 

		1. anti-phishing properties of a sp-initiated webSSO protocol
		 
		2. certified browsers - what a certified browser component must do

I heard some implied statements (that may be incorrect; I'm fishing a little)

		3. only certified browser components can accomplish these goals (E.g. a web proxy cannot; an IDP-initiated flow cannot)
		 
		4. SOAP flows are not addressed by certified browser anti-phishing components
		 
		5. Ajax flows in JavaScript are not addressed by certified browser anti-phishing components

 
I heard the following technical statements:-
 

		A) 'password-manager' + 'form complete' in Firefox product gives anti-phishing countermeasures to (advanced-grade) human users - but the web protocol flow must be designed to support those tools. 
		 
		B) OpenID is a web flow, and must adopt some design rules.
		 
		C) anti-phishing requires a trusted browser component, that can detect phishing. It will apply various stateful flow monitors to an instance of a web flow
		 
		D) The trusted browser's web flow monitor shall at least detect for the property of "protocol flow continuity."
		 
		E) "protocol flow continuity" provides for the "confidence" element of an anti-phishing strategy
		 
		F) certified Browsers require that the OP provider - in OpenID's sp-initiated webSSO flow  - behave a certain way - to allow phishing signature detection by the protocol flow inspection logic (E.g. detect lack of "protocol flow continuity")
		 
		G) the most critical flow behavior in OpenID concerns the phase of IDP discovery
		 
		H) VeriSign Seatbelt has some valuable proprietary IP in the area of IDP discovery as it relates to anti-phishing protocol design; it is not open/community-owned property. The techniques are not published; though appear to be positively NDA-reviewed.

 
 Peter.
 
 
________________________________

From: general-bounces at openid.net on behalf of Boris Erdmann
Sent: Tue 7/17/2007 12:49 AM
To: John
Cc: general at openid.net
Subject: Re: [OpenID] OpenID support on Firefox 3



John,

the current official state of OpenID support for firefox is this:
http://wiki.mozilla.org/Firefox3/Product_Requirements_Document#P3_7

To my knowledge there are no real ideas of what it should look like either.

In my mind there are two goals that native support should achieve:

* build confidence
* support usability

technically speaking this would mean for example

* provide countermeasures for spoofing, phishing
* support for multiple identities, providers and roaming

Technically speaking, one could say that firefox already does a lot of
these things: By using password manager you have an instant indication
if you are being phished, and form completion provides some sort of
drop down identity selector. But these definitively fail the goals,
they are not for the average user (and cannot be used roamingly)

Unfortunately there is a problem: When it comes to phishing, OpenID is
underspecified with respect to the protocol flow. Thus, implementing
"confidence" is not trivial. One example:

OpenID makes no assumption on protocol flow continuity. So if you
visit an RP and enter your OpenID, it is perfectly valid if RP does
not redirect you to your provider. RP can choose to do so at a later
point in time. It is even perfectly valid that RP redirects you
somewhere completely else. One could argue if that is good behavior or
not. But how would a trusted browser component know, if that is
phishing or not?

As far as I can see, solid phish detection is not possible as of now.
Not without specifying some unspoken assumptions. Try implementing
one. It will break jyte for example: Sign up with jyte, and you will
be directed to botbouncer.com

Thus, OpenID needs a complementing specification or rule set for OPs,
so that browsers can get grip of the protocol flow.

The most advanced step into the direction of OP discovery or an OP
interface signature (can someone please come up with a better term for
this?!) to me seems the VeriSign SeatBelt "opconfig" specification.
Though by far not perfect this is what we are about to have for some
time. On the other hand it is neither open nor released, currently. So
this is nothing for mozilla to implement...

Boris


On 7/16/07, John <john at proionta.gr> wrote:
> What does the built-in OpenID functionality of Firefox 3 look like?
>
> I would expect a red button that allows you to log on to any site with a
> single click (which would turn green then), together with a drop-down
> button (similar to that on the Back and Next buttons) that would allow
> me to log on to the site I'm looking at with a different OpenID account
> than my default account or the account I used previously to log on to
> that site.
>
> Is the functionality anything like what I describe above? Is it better?
> Worse?
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
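
The "protocol flow continuity" check discussed in this thread, sketched as an added example (it is not part of the original messages and is not Firefox or SeatBelt code). The hostnames, the function names and the rule itself (the first navigation off the RP must be an authentication request to the discovered OP endpoint) are assumptions made for illustration; OP discovery is taken as already done.

```javascript
// Added illustration; hostnames are constructed and the policy is an assumption,
// not something the OpenID specification requires.

// Classify what a browser sees after an OpenID identifier is submitted at an RP.
//   rpOrigin    - origin of the page where the identifier was entered
//   opEndpoint  - OP endpoint the monitor discovered for that identifier
//   navigations - top-level URLs loaded afterwards, in order
function checkFlowContinuity({ rpOrigin, opEndpoint, navigations }) {
  const op = new URL(opEndpoint);
  for (const raw of navigations) {
    const url = new URL(raw);
    // Staying on the RP proves nothing yet: the RP may redirect later.
    if (url.origin === rpOrigin) continue;
    // The first hop off the RP decides the verdict. Compare whole origins,
    // so a host that merely starts with the OP's name does not match.
    const mode = url.searchParams.get("openid.mode");
    const isAuthRequest = mode === "checkid_setup" || mode === "checkid_immediate";
    const ok = url.origin === op.origin && url.pathname === op.pathname && isAuthRequest;
    return { verdict: ok ? "continuous" : "broken", at: url.origin };
  }
  return { verdict: "deferred", at: rpOrigin };
}

// Constructed flows for one RP and one discovered OP endpoint.
const BASE = { rpOrigin: "https://rp.example", opEndpoint: "https://op.example/auth" };
const SAMPLE_FLOWS = {
  direct: ["https://rp.example/login/start",
           "https://op.example/auth?openid.mode=checkid_setup"],
  deferred: ["https://rp.example/welcome", "https://rp.example/profile"],
  // Allowed by the protocol (an RP sending the user to a third party first),
  // yet indistinguishable from phishing under this rule.
  thirdPartyDetour: ["https://captcha.example/challenge"],
  lookalikeHost: ["https://op.example.login-check.example/auth?openid.mode=checkid_setup"],
};

function classifySamples() {
  const out = {};
  for (const [name, navigations] of Object.entries(SAMPLE_FLOWS)) {
    out[name] = checkFlowContinuity({ ...BASE, navigations }).verdict;
  }
  return out;
}

console.log(classifySamples());
```

The `thirdPartyDetour` flow gets the same "broken" verdict as `lookalikeHost`, which is the false positive the thread describes: without an agreed rule set for how RPs and OPs behave, the monitor cannot separate the two.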




