[OpenID] checking of openid provider web sites

Peter Williams pwilliams at rapattoni.com
Tue Dec 16 13:24:43 UTC 2008


Its concept is evidently not a discovery-security countermeasure (addressing threats of spoofing). It's a useful syntax checker in concept, for the form of the URL used at a particular OP. It's evidently security-related, but not evidently security-critical in nature, as argued below.

http-class openIDs are HTTP URLs, and thus have hierarchical form and semantics. These are defined by the original URI/URL standard to exploit the per-URI protocol namespace delegation model, founded on domain-name registration(s) in the case of HTTP/HTTPS URLs. Those domain names are assumed to be resolved through either global OR local bind resolvers, allowing for the autonomous systems management culture that characterizes the survivability properties of internet-class networks. Your tool checks that the form of the URI that comes after the domain name (defined as local, in the standard) can be standardized by OP, and your tool can confirm each OP's form is consistently used with respect to the OP's schema (by user configuration of the syntax rules).

Am I close?

> -----Original Message-----
> From: Steven Livingstone-Perez [mailto:weblivz at hotmail.com]
> Sent: Tuesday, December 16, 2008 5:02 AM
> To: chris.messina at gmail.com
> Cc: Peter Williams; general at openid.net
> Subject: RE: [OpenID] checking of openid provider web sites
>
> At the moment, yes it would (unless the delegated domains were added).
> Wonder what % use these as opposed to going via the main OPs.
>
> -----Original Message-----
> From: chris.messina at gmail.com [mailto:chris.messina at gmail.com]
> Sent: 16 December 2008 12:32
> To: Steven Livingstone-Perez
> Cc: Peter Williams; general at openid.net
> Subject: Re: [OpenID] checking of openid provider web sites
>
> Wouldn't this imply that self-hosted or delegated OpenIDs (say,
> Factoryjoe.com) would also fail?
>
> On 12/16/08, Steven Livingstone-Perez <weblivz at hotmail.com> wrote:
> > Hi Peter - yes, it's pretty simple. It compares the domain that has asked
> > the user to enter details to a static domain part on the server.
> >
> > So for myopenid.com I assume all domains are in the format
> > http://username.myopenid.com (or http://myopenid.com/username).
> >
> > On the server I store the parts of the domain that must be identified to
> > make this a valid domain. So I store ".myopenid.com" - the domain authority
> > for all requests must end with this part to make it a valid domain. So
> > "http://weblivz.myopenid.com.cn" would fail and so on.
> >
> > Right now it's really not intended to be anything other than a discussion -
> > I am adding sites through the week. No external management is needed - I may
> > confirm the possible formats of OpenID requests at an OP though.
> >
> > There is no real trust - all of these things could be added but it's not a
> > simple thing to say you "trust" someone and not someone else, so I simply
> > wanted to provide a way of saying that this is not the domain you expect it
> > to be.
> >
> > I put it together in a few hours so I could use it myself and figured some
> > others may find it useful. Things could be added of course if it proves
> > useful.
> >
> > Is there anything out there that does this already - additionally, are there
> > sites that do work in verifying OPs?
> >
> > If some "central" authority could provide a "register your OP" function and
> > allowed services such as this WebCheck service to download this signed Xml
> > document to allow anyone to check details then that could be useful too.
> >
> > steven
> >
> > http://livz.org
> >
> > From: Peter Williams [mailto:pwilliams at rapattoni.com]
> > Sent: 16 December 2008 02:31
> > To: Steven Livingstone-Perez; general at openid.net
> > Subject: RE: [OpenID] checking of openid provider web sites
> >
> > Is there a description of the method it uses to determine correctness of the
> > OP?
> >
> > Is it intended to be foolproof, advisory, or a hint?
> >
> > Is its accuracy a function of any user management activities, per OP?
> >
> > Are there any trust assumptions?
> >
> > From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> > Behalf Of Steven Livingstone-Perez
> > Sent: Monday, December 15, 2008 4:21 PM
> > To: general at openid.net
> > Subject: [OpenID] checking of openid provider web sites
> >
> > Based on some of the rather more detailed solutions I've read about today, I
> > have hacked a rather simple idea for something I thought may be useful.
> >
> > It is basically a plug-in to the browsers (Bookmarklet just now for all and
> > a toolbar for FF and IE in the works) and it allows you to check whether the
> > OpenID provider you have been asked to enter your details into is indeed the
> > correct provider. It tells you if there is an issue with the provider.
> >
> > Currently I have added a check for OpenID.org, myOpenID.com and claimID.com
> > (for no reason other than it's getting late here). So just add the
> > bookmarklet (toolbars are in the works) and when you are asked to log into
> > one of these sites click the "WebCheck" button to perform a quick check.
> >
> > Details at:
> >
> > http://www.openid.org/apps/webcheck/default.aspx
> >
> > I have no idea whether this will be useful or a ton of issues will spring to
> > mind but figured if I throw it out I'll soon find out (and save energy if of
> > no use!).
> >
> > steven
> >
> > http://livz.org
> >
>
>
> --
> Chris Messina
> Citizen-Participant &
>   Open Technology Advocate-at-Large
> factoryjoe.com # diso-project.org
> citizenagency.com # vidoop.com
> This email is:   [ ] bloggable    [X] ask first   [ ] private
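The host-suffix rule Steven describes in the quoted thread (store ".myopenid.com" and require the host of the page asking for credentials to end with it, so that weblivz.myopenid.com.cn is rejected) can be written out as follows. This is an added example, not the WebCheck service's own code: the OP table, the function names and the sample URLs are constructed for illustration. It also accepts the bare apex form http://myopenid.com/username mentioned in the thread, compares the parsed hostname rather than the raw URL string so that case, port and path cannot affect the result, and shows Chris's point that a delegated or self-hosted identifier such as factoryjoe.com matches no configured OP.

```python
"""Host-suffix check for an OpenID provider login page, modelled on the
WebCheck rule described in the thread. Example code: the names, the OP
table and the sample URLs are constructed for illustration."""
from urllib.parse import urlsplit

# Constructed allowlist: each OP maps to the host suffixes its login
# pages may use. The leading dot matters: "notmyopenid.com" must not
# match ".myopenid.com".
OP_HOST_SUFFIXES = {
    "myopenid.com": (".myopenid.com",),
    "claimid.com": (".claimid.com",),
    "openid.org": (".openid.org",),
}


def host_of(url):
    """Return the lowercased hostname of an http(s) URL, or None.

    Only the parsed hostname is compared, so scheme, port, case and path
    have no influence on the suffix match."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname


def host_matches_suffix(host, suffix):
    """True if host is the apex (suffix without its dot) or a subdomain of it."""
    apex = suffix.lstrip(".")
    return host == apex or host.endswith(suffix)


def identify_op(url):
    """Return the configured OP whose suffix rule the URL's host satisfies,
    or None when no configured OP matches. Delegated and self-hosted
    identifiers, which the thread notes are not covered, also yield None."""
    host = host_of(url)
    if not host:
        return None
    for op_name, suffixes in OP_HOST_SUFFIXES.items():
        if any(host_matches_suffix(host, s) for s in suffixes):
            return op_name
    return None


def check_op_url(url, expected_op):
    """Check that the page asking for credentials belongs to expected_op.

    Returns (ok, message); the message is what a WebCheck-style tool
    could show to the user."""
    host = host_of(url)
    if host is None:
        return False, "not an http(s) URL"
    if identify_op(url) == expected_op:
        return True, f"{host} is a {expected_op} login host"
    return False, f"{host} is not the domain you expect for {expected_op}"


if __name__ == "__main__":
    # Constructed sample URLs, including the lookalike from the thread
    for sample in (
        "http://weblivz.myopenid.com/",
        "http://myopenid.com/weblivz",
        "http://weblivz.myopenid.com.cn/",
        "http://notmyopenid.com/",
        "http://factoryjoe.com/",
    ):
        print(sample, check_op_url(sample, "myopenid.com"))
```

The suffix table plays the role of the static domain part stored on the server; the match is deliberately limited to the host, since the path after the host is local to each OP and is what Peter's reply describes as a per-OP syntax question rather than a spoofing check.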



