[OpenID] About Facebook, MySpace and OpenID
John Bradley
john.bradley at wingaa.com
Fri Apr 3 18:12:33 UTC 2009
Believe me, almost nothing is stranger than me defending MySpace.
However, I think they have done a reasonable job with their OP.
They are compliant with OpenID 2.0; true, some older RP libs may have
a problem if they are not compliant.
If an OpenID 2.0 RP can't do an authentication at the MySpace OP it is
broken!
The exception to that would be MS HealthVault or other sites that by
policy don't allow non-SSL connections or require PAPE multi-factor
etc. Those are policy decisions by the RP, and are not the OP's
responsibility.
OpenID 2.0 authentications can be performed without associations.
Associations are a performance optimization, not a security feature.
If I were MySpace I would have made an SSL OP URI available rather than
the http one.
That would have broken a larger but different set of RPs that don't
support SSL.
The choice from an OP point of view is: use SSL and exclude all non-SSL
RPs, or have a non-SSL URI and prevent RPs that don't support DH
from associating, but they can still authenticate in dumb/stateless
mode.
You can have two endpoints and the RP gets to select the SSL version
if it supports SSL.
That seems like a good idea, but the RPs that have a discovery lib
that can recognize URI priority in the XRDS and fail over properly are
not the ones who have the problem. This is the technically correct
solution but probably breaks more RPs than it helps.
To have SSL be useful it needs to protect the meta-data discovery
step. If I can replace your XRDS or HTML tags at the RP, I own you!
Securing the rest of the transaction with SSL is as useful as locking
your windows and leaving the front door open.
So if I am MySpace or any other large provider, the cost of making all
of my user profile pages SSL could run into the millions of dollars.
I would probably think twice about it myself if I were them.
The choice MySpace made is reasonable.
No, this is not hopeless. The XRI-TC, which now includes representation
from Google, Yahoo and others, is working on a trust model for signing
XRD/S documents. This will be part of the upcoming XRD 1.0 spec and
may find its way into an OpenID >= 2.1 near you at some point in the
future.
Yes, MySpace could include SReg or, better yet, AX. Given that to my
knowledge we have one OP that hands out a validated email address in
AX (that is still beta, and bends the AX spec), I wouldn't say
MySpace is holding things up.
We have a way to ask for an email address as an optional claim in AX;
an RP needs a whitelist of OPs it trusts to have verified it, or round-
trip the email if the OP is not on the validated e-mail whitelist,
and they care.
What OPs need to do:
Vidoop: Nothing works now.
MyOpenID: Get with the program and support the standard claim URI,
otherwise it would work now.
Google: Stop ignoring AX requests that are not marked required. The
world doesn't revolve around you.
MySpace: Support AX, please.
AOL: Support OpenID 2.0 + AX.
Yahoo: Support AX.
OPs have had the specs and tools to do this for a long time now. It
is not like we need to invent something new.
Let's get what we have working well, please.
Regards
John Bradley
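Added example (not code from the post or from any OP/RP library) illustrating two points made above: XRDS priority-based endpoint selection with failover, and the association/stateless choice an RP faces when the OP exposes an http endpoint. The XRDS document is constructed for the example and the host op.example.invalid is a placeholder; the RP capability flags (supports_ssl, supports_dh) are assumptions standing in for what a real RP library would know about itself.

```python
"""Added example: XRDS endpoint selection and association-mode choice
for an OpenID 2.0 RP. Not part of the original mailing-list post."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample XRDS (not a real provider's document): an OP that publishes
# both an https and an http endpoint, giving the https one the better (lower)
# priority value, plus an OpenID 1.1 service that a 2.0 RP should ignore.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://op.example.invalid/openid</URI>
    </Service>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>http://op.example.invalid/openid</URI>
    </Service>
    <Service>
      <Type>http://openid.net/signon/1.1</Type>
      <URI>http://op.example.invalid/openid1</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""

XRD_NS = "xri://$xrd*($v*2.0)"
OPENID2_SERVER = "http://specs.openid.net/auth/2.0/server"


def op_endpoints(xrds_text, service_type=OPENID2_SERVER):
    """Return endpoint URIs of the given service type, best priority first.

    XRI Resolution 2.0 semantics: a lower numeric priority is preferred and
    a missing priority attribute counts as the lowest preference (infinity).
    """
    root = ET.fromstring(xrds_text)
    found = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = [t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text]
        if service_type not in types:
            continue
        prio_attr = svc.get("priority")
        prio = float(prio_attr) if prio_attr is not None else float("inf")
        for uri in svc.findall(f"{{{XRD_NS}}}URI"):
            if uri.text:
                found.append((prio, uri.text.strip()))
    found.sort(key=lambda pair: pair[0])
    return [uri for _, uri in found]


def choose_endpoint_and_mode(endpoints, supports_ssl, supports_dh):
    """Pick the first usable endpoint in priority order and decide how the RP
    will verify assertions from it, following the trade-off in the post:

      https endpoint      -> associate; the MAC key may be sent in the clear
                             because TLS protects it ("no-encryption" session)
      http + DH supported -> associate with a DH-SHA256 session
      http, no DH         -> no association: stateless ("dumb") mode, each
                             assertion verified via mode=check_authentication

    Returns (endpoint, session_type or None, "associated" | "stateless").
    """
    for ep in endpoints:
        scheme = urlparse(ep).scheme
        if scheme == "https":
            if not supports_ssl:
                continue  # this RP can't talk TLS: fail over to the next URI
            return ep, "no-encryption", "associated"
        if scheme == "http":
            if supports_dh:
                return ep, "DH-SHA256", "associated"
            return ep, None, "stateless"
    raise ValueError("no usable OpenID 2.0 endpoint in XRDS")


if __name__ == "__main__":
    eps = op_endpoints(SAMPLE_XRDS)
    for ssl, dh in ((True, True), (False, True), (False, False)):
        print(ssl, dh, choose_endpoint_and_mode(eps, ssl, dh))
```

Note that this only covers endpoint and mode selection; a real RP still has to verify the signature (or the check_authentication reply), the return_to URL and the nonce, and, as the post stresses, none of it helps if the discovery document itself was served to the RP over an unprotected channel and replaced.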