[OpenID] 2-Headed OpenID Auth for Increased Security?

Paul Madsen paulmadsen at rogers.com
Mon Dec 1 14:20:22 UTC 2008


We toyed with this idea in Liberty for SAML but never did anything with 
it - partly because it would already work out of the box with SSO 
protocols as they are if the RP coordinates the multiple authentications.

We did think of optimizations whereby you could eliminate some redirects 
by having (in OpenID terminology) the first RP indicate to the first 
OP the second OP in the openid.return_to -  I'm not sure this would be 
legal in OpenID?

A bit weird, as from the second OP's PoV, it would be getting an 
unsolicited response from the first OP and would have to interpret it as 
an implicit request for authentication ....

Alternatively, the RP could indicate to the first OP that it wanted to 
chain requests to the second OP.

Neither model would seem to mitigate the 'bad OP' risk.

The other issue is how to describe such distributed authn in PAPE or 
equivalent.

paul

David Fuelling wrote:
> Hey List,
>
> I've been thinking about the security of OpenID lately, dreaming about 
> the day when I'll be able to use OpenID at my bank's website.  One 
> issue that I keep coming back to is that my OP (or a rogue employee at 
> my OP) could masquerade as me at OpenID-enabled RP's across the web 
> since the OP is a single authentication point in the OpenID ecosystem.
>
> To mitigate this problem, one idea I have would be to utilize a 
> 2-headed OpenID auth scheme, whereby a "higher security" RP (like my 
> bank) would require OpenID authentication assertions from two separate 
> OP's.  This would preclude somebody at OP #1 from masquerading as me, 
> since any RP would require a second auth from a different OP, outside 
> the control of the first OP.
>
> On the face of it all, this approach would seem to require two 
> different OpenIDs (one for each OP).  However, using Yadis/XRDS, one 
> could specify a primary and secondary OP for a particular OpenID.  
> Assuming that the user is logged-in to both OP's, this dual-auth may 
> even go un-noticed by the user.  Of course, an RP could also just 
> allow the user to select two different OP's to use for auth assertions 
> at login time. 
>
> I suppose there are several ways to make this happen, but I'd 
> appreciate any feedback on this idea...
>
> Thanks!
>
> David

-- 
ConnectID <http://feeds.feedburner.com/%7Er/blogspot/gMwy/%7E6/1>
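
The RP-coordinated variant discussed in this thread, sketched as an added example (not code from the thread or from any OpenID library): the RP accepts a login only when two positive assertions for the same claimed identifier arrive from two different OP endpoints that were discovered for that identifier. The function names, the 5-minute freshness window, and the use of distinct hostnames as a proxy for "separate OPs" are assumptions; signature verification of each assertion is assumed to have been done already by the RP's OpenID library.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

MAX_AGE = timedelta(minutes=5)  # assumed freshness window for response nonces

def nonce_time(nonce):
    # An OpenID 2.0 response_nonce begins with a UTC timestamp, e.g. 2008-12-01T14:20:22Z
    ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc)

def dual_op_login(assertions, declared_ops, seen_nonces, now):
    """Return the claimed_id if two independent OPs vouch for it, else None.

    assertions   -- dicts of openid.* response fields; signature verification
                    by the RP's OpenID library is assumed to have passed.
    declared_ops -- OP endpoints discovered for the identifier (e.g. via XRDS).
    seen_nonces  -- set of (endpoint, nonce) pairs already consumed.
    """
    if len(assertions) != 2:
        return None
    hosts, claimed = set(), set()
    for a in assertions:
        ep = a.get("openid.op_endpoint", "")
        nonce = a.get("openid.response_nonce", "")
        if a.get("openid.mode") != "id_res" or ep not in declared_ops:
            return None
        try:
            stale = abs(now - nonce_time(nonce)) > MAX_AGE
        except ValueError:
            return None
        if stale or (ep, nonce) in seen_nonces:
            return None
        seen_nonces.add((ep, nonce))  # consume the nonce even if login later fails
        hosts.add(urlsplit(ep).hostname)
        claimed.add(a.get("openid.claimed_id"))
    # Two different OP hosts must assert the same identifier.
    if len(hosts) != 2 or len(claimed) != 1 or None in claimed:
        return None
    return claimed.pop()

# Constructed sample data (not from the thread).
OPS = {"https://op1.example/server", "https://op2.example/server"}
NOW = datetime(2008, 12, 1, 14, 21, 0, tzinfo=timezone.utc)

def sample(ep, tag, claimed="https://user.example/"):
    return {"openid.mode": "id_res", "openid.op_endpoint": ep,
            "openid.claimed_id": claimed,
            "openid.response_nonce": "2008-12-01T14:20:22Z" + tag}
```
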