[OpenID] checking of openid provider web sites

Steven Livingstone-Perez weblivz at hotmail.com
Tue Dec 16 10:12:07 UTC 2008


Hi Peter - yes, it's pretty simple. It compares the domain that has asked
the user to enter details to a static domain part on the server.

 

So for myopenid.com I assume all domains are in the format
http://username.myopenid.com (or http://myopenid.com/username).

 

On the server I store the parts of the domain that must be identified to
make this a valid domain. So I store ".myopenid.com" - the domain authority
for all requests must end with this part to make it a valid domain. So
"http://weblivz.myopenid.com.cn" would fail and so on.

 

Right now it's really not intended to be anything other than a discussion -
I am adding sites through the week. No external management is needed - I may
confirm the possible formats of OpenID requests at an OP though.

 

There is no real trust - all of these things could be added but it's not a
simple thing to say you "trust" someone and not someone else, so I simply
wanted to provide a way of saying that this is not the domain you expect it
to be.

 

I put it together in a few hours so I could use it myself and figured some
others may find it useful. Things could be added of course if it proves
useful.

 

Is there anything out there that does this already - additionally, are there
sites that do work in verifying OPs?

 

If some "central" authority could provide a "register your OP" function and
allowed services such as this WebCheck service to download this signed Xml
document to allow anyone to check details then that could be useful too.

 

steven

http://livz.org

 

From: Peter Williams [mailto:pwilliams at rapattoni.com] 
Sent: 16 December 2008 02:31
To: Steven Livingstone-Perez; general at openid.net
Subject: RE: [OpenID] checking of openid provider web sites

 

Is there a description of the method it uses to determine correctness of the
OP?

 

Is it intended to be foolproof, advisory, or a hint?  

 

Is its accuracy a function of any user management activities, per OP?

 

Are there any trust assumptions?

 

From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Steven Livingstone-Perez
Sent: Monday, December 15, 2008 4:21 PM
To: general at openid.net
Subject: [OpenID] checking of openid provider web sites

 

Based on some of the rather more detailed solutions I've read about today, I
have hacked a rather simple idea for something I thought may be useful.

 

It is basically a plug-in to the browsers (Bookmarklet just now for all and
a toolbar for FF and IE in the works) and it allows you to check whether the
OpenID provider you have been asked to enter your details into is indeed the
correct provider. It tells you if there is an issue with the provider.

 

Currently I have added a check for OpenID.org, myOpenID.com and claimID.com
(for no reason other than it's getting late here). So just add the
bookmarklet (toolbars are in the works) and when you are asked to log into
one of these sites click the "WebCheck" button to perform a quick check.

 

Details at:

http://www.openid.org/apps/webcheck/default.aspx

 

I have no idea whether this will be useful or a ton of issues will spring to
mind but figured if I throw it out I'll soon find out (and save energy if of
no use!).

 

steven

http://livz.org
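
The suffix check described in the first message above, sketched as an added example (not the WebCheck code, and not part of the thread): it compares the parsed host, rather than the raw URL string, against the stored ".myopenid.com" part. The function and table names are hypothetical and the sample URLs are constructed.

```javascript
"use strict";

// Hypothetical table: the domain part stored on the server for each provider.
// ".myopenid.com" is the value given in the message; the key name is made up.
const REGISTERED_SUFFIXES = { myopenid: ".myopenid.com" };

// Returns { ok, host, reason } for the page the user has been asked to log into.
function checkProviderHost(pageUrl, suffix) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch (e) {
    return { ok: false, host: null, reason: "unparseable URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, host: null, reason: "not an http(s) page" };
  }
  // Compare the parsed hostname only, so userinfo, port, path and query
  // cannot satisfy the check. The URL parser lower-cases the host; strip one
  // trailing root dot so "host.myopenid.com." is treated like the plain form.
  const host = url.hostname.replace(/\.$/, "");
  // The stored suffix starts with ".", so a match always falls on a label
  // boundary. The bare domain (http://myopenid.com/username) is allowed too.
  const bare = suffix.slice(1);
  if (host === bare || host.endsWith(suffix)) {
    return { ok: true, host, reason: "host matches " + suffix };
  }
  return { ok: false, host, reason: "host does not end with " + suffix };
}

// Constructed sample URLs covering both accepted formats and near misses.
const SAMPLES = [
  "http://weblivz.myopenid.com/",
  "http://myopenid.com/weblivz",
  "http://weblivz.myopenid.com.cn/",
  "http://myopenid.com@login.example/",
  "http://notmyopenid.com/",
  "http://login.example/?next=.myopenid.com",
  "HTTPS://WEBLIVZ.MyOpenID.com./server",
];

function runSamples() {
  return SAMPLES.map((u) => checkProviderHost(u, REGISTERED_SUFFIXES.myopenid).ok);
}

const results = runSamples();
console.log(SAMPLES.map((u, i) => (results[i] ? "ok   " : "FAIL ") + u).join("\n"));
```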
