[OpenID] 2-Headed OpenID Auth for Increased Security?
Paul Madsen
paulmadsen at rogers.com
Wed Dec 3 11:34:08 UTC 2008
SitG Admin wrote:
>> We toyed with this idea in Liberty for SAML but never did anything
>> with it - partly because it would already work out of the box with
>> SSO protocols as they are if the RP coordinates the multiple
>> authentications.
>
> Exactly - the exciting answers here will not be "HOW can we do it?"
> but "WHY should we do it?".
>
>> We did think of optimizations whereby you could eliminate some
>> redirects by having (in OpendID terminology) the first RP indicate
>> to the first OP the second OP in the openid.return_to - I'm not sure
>> this would be legal in OpenID?
>
> What do you mean by the first RP?
Yes, 'first' is redundant; there is only the one.
>
> My understanding of the process here (my own poor statements
> notwithstanding) is that the user would have multiple *URI's*, each
> with their own OP, and use all of these with a single (suspicious) RP.
Yes, and by default the sequence would be
RP-OP1-RP-OP2-RP
A permutation would have the first OP, after authenticating the user,
redirect the browser to the second OP rather than back to the RP. Only
after authenticating would the browser be sent to the RP:
RP-OP1-OP2-RP
But this muddies up the request/response model and creates privacy
implications.
If it's the RP doing the coordinating, it's not clear to me what the
relevance of XRDS is to enable or optimize this. If an RP cares enough to
require 2 authns, it will likely have its own idea as to what OPs are
appropriate, notwithstanding any 'primary' or 'secondary' designations.
>
> -Shade
>
>
--
ConnectID <http://feeds.feedburner.com/%7Er/blogspot/gMwy/%7E6/1>
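The two sequences Paul sketches, modelled as an added example (this is not code from the thread or from any OpenID library, and the OP endpoints, the `rp_nonce` return_to parameter and the assertion dictionary shape are constructed for illustration; a real OpenID 2.0 positive assertion is signed and must be verified with the OP). The RP-coordinated flow RP-OP1-RP-OP2-RP works with the protocol as it is because the RP issues both requests and can match each response to one of them; in the chained RP-OP1-OP2-RP variant the RP never sent a request to OP2, so OP2's response has nothing to match against, which is the request/response muddiness the message points at.

```python
"""Toy relying party that requires assertions from two distinct OPs.

Added example, not from the original thread. OP endpoints, the rp_nonce
parameter and the assertion dict are constructed stand-ins for OpenID
messages; no real signature verification is performed here.
"""
import secrets
from dataclasses import dataclass, field

OP1 = "https://op1.example"  # constructed
OP2 = "https://op2.example"  # constructed


@dataclass
class Session:
    pending: dict = field(default_factory=dict)   # op_endpoint -> nonce the RP is waiting on
    verified: list = field(default_factory=list)  # OPs whose assertion the RP accepted


class TwoStepRP:
    """The RP does the coordinating: one request, one response, per OP."""

    def __init__(self, required_ops):
        self.required_ops = list(required_ops)

    def start_auth(self, session, op):
        """Record an outstanding request to `op` and build its return_to."""
        nonce = secrets.token_urlsafe(16)
        session.pending[op] = nonce
        return f"https://rp.example/return?op={op}&rp_nonce={nonce}"

    def handle_return(self, session, assertion):
        """Accept a positive assertion only if it answers a request this RP made."""
        op = assertion["op_endpoint"]
        expected = session.pending.get(op)
        if expected is None:
            return False  # RP never asked this OP: cannot be a response to anything
        if assertion["rp_nonce"] != expected or assertion["mode"] != "id_res":
            return False
        del session.pending[op]  # consume the nonce so the assertion cannot be replayed
        session.verified.append(op)
        return True

    def fully_authenticated(self, session):
        return all(op in session.verified for op in self.required_ops)


def fake_op_assertion(op, return_to):
    """Constructed stand-in for an OP's positive assertion sent to return_to."""
    params = dict(p.split("=", 1) for p in return_to.split("?", 1)[1].split("&"))
    return {"op_endpoint": op, "mode": "id_res", "rp_nonce": params["rp_nonce"]}


def rp_coordinated_flow():
    """RP-OP1-RP-OP2-RP: browser returns to the RP between the two OPs."""
    rp, s = TwoStepRP([OP1, OP2]), Session()
    for op in rp.required_ops:
        if not rp.handle_return(s, fake_op_assertion(op, rp.start_auth(s, op))):
            return False
    return rp.fully_authenticated(s)


def chained_flow():
    """RP-OP1-OP2-RP: OP1 forwards the browser to OP2, which returns to the RP.

    The RP only issued a request to OP1, so OP2's assertion (even carrying the
    return_to it inherited from OP1) matches no outstanding request.
    """
    rp, s = TwoStepRP([OP1, OP2]), Session()
    return_to = rp.start_auth(s, OP1)
    from_op2 = fake_op_assertion(OP2, return_to)
    accepted = rp.handle_return(s, from_op2)
    return accepted or rp.fully_authenticated(s)


def replay_is_rejected():
    """A second presentation of an already-consumed assertion must fail."""
    rp, s = TwoStepRP([OP1]), Session()
    a = fake_op_assertion(OP1, rp.start_auth(s, OP1))
    first, second = rp.handle_return(s, a), rp.handle_return(s, a)
    return first and not second


if __name__ == "__main__":
    print("RP-coordinated:", rp_coordinated_flow())  # True
    print("chained:", chained_flow())                 # False
    print("replay rejected:", replay_is_rejected())   # True
```

Nothing in the model needs XRDS or a primary/secondary designation: the RP picks the two OPs it requires and tracks them in its own session state, which is the point about the RP having "its own idea as to what OPs are appropriate".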