Yet Another Delegation Thread

Boris Erdmann boris.erdmann at googlemail.com
Wed Oct 25 18:27:26 UTC 2006


On 10/25/06, Dick Hardt <dick at sxip.com> wrote:
> On 25-Oct-06, at 8:57 AM, Drummond Reed wrote:
>
> > 2) Since the RP has to do discovery on the Claimed Identifier
> > anyway, if it
> > discovers a mapping between the Claimed Identifier and an IdP-Specific
> > Identifier, the RP can send the IdP-Specific Identifier to the IdP
> > and save
> > the IdP from having to repeat discovery.
>
> unfortunately that disco information could be modified in route, so
> the IdP can't trust it

Right: IdP will never be able to trust it, since the claimed ID could
be faked to a URL, which provides valid "looking" discovery.

But IdP is free to implement some "heuristics" to verify
validity, e.g. users could be presented a dialog like:

======================================
"RP X" asks for checking against
"yourclaimedID" which they think is associated with
"yourIDwithus" with us, "wonderIdP" that is.

Is the provided information correct?

[  ] register the triple (RP X, yourclaimedID, yourIDwithus)
     for automatic verifying in the future

[  ] register the tuple (yourclaimedID, yourIDwithus)
     for automatic verifying in the future (don't bother me mode)

[  ] don't collect this kind of data, I hate that.
     Trust any RP -- I know it's less secure, but I know what I do.

[ yes, go ahead ]  [ no, cancel ]
======================================

This way IdP can check back with the user and
learn to trust certain RPs.


I don't know if this kind of data collection is desirable, though.
But it could possibly help detect malicious RPs.


> > 3) Allowing the user to control Claimed
> > Identifier-to-IdP-Specific-Identifier mapping gives the user the
> > ability to
> > establish any number of OpenID "synonyms" that do not require any
> > involvement on the part of the IdP.

The DP (discovery provider -- no good term, I know)
could even offer a service like

RP 1     \                                            /  IdP1

RP n ------      claimedID URL   ---   IdP n

AnyOne  /                                           \ block discovery


In words: DP could "redirect" to IdP depending on who is requesting
discovery.

> I read this a couple times and don't understand what is different
> between it and (1) above ...
>
>> Hope this helps,
>
> It does, but also confirms my thinking that one identifier works fine.

At least, saving the claimedID with the discovery XRDS or HTML doesn't
yield any relevant extra information or security. But it could hint at
some misconfiguration of your vhost (or something) if discovery at
claimedID resolves to "claimedIdAttribute: otherID".

-- Boris
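The IdP-side "heuristics" sketched in the dialog above, as an added example that is not part of this thread or of any OpenID implementation. It models the three checkboxes as trust modes, keeps the confirmed (RP, claimedID, IdP-specific ID) triples and (claimedID, IdP-specific ID) tuples, and, because the RP's copy of the discovery data could be modified in route, lets the IdP repeat discovery itself through a callback before falling back to the user. All class and function names, the `discover` callback, and the identifier values are assumptions constructed for the example; the discovery table is an offline stand-in for a real fetch.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    """Which of the dialog's checkboxes the user ticked (names assumed)."""
    PER_RP = "triple"        # remember (RP, claimed_id, idp_specific_id)
    PER_ID = "tuple"         # remember (claimed_id, idp_specific_id) for any RP
    TRUST_ANY = "trust_any"  # "don't collect this kind of data": trust every RP


class Decision(Enum):
    AUTO_ACCEPT = "auto_accept"  # already confirmed, or verified by IdP's own discovery
    ASK_USER = "ask_user"        # unknown mapping: show the dialog
    SUSPICIOUS = "suspicious"    # contradicts a confirmed or discovered mapping


@dataclass
class MappingTrustStore:
    triples: set = field(default_factory=set)
    tuples: set = field(default_factory=set)
    trust_any_users: set = field(default_factory=set)
    # claimed_id -> idp_specific_id the user confirmed as its owner
    claimed_owner: dict = field(default_factory=dict)
    # (rp, claimed_id, idp_specific_id) assertions that contradicted a known mapping
    suspicious_log: list = field(default_factory=list)

    def check(self, rp, claimed_id, idp_specific_id, discover=None):
        """Decide what to do with an RP-supplied Claimed-ID -> IdP-specific-ID mapping.

        `discover` (assumed interface) performs the IdP's *own* discovery on
        claimed_id and returns the IdP-specific identifier it finds, or None.
        Only discovery the IdP does itself is trustworthy; the RP's copy of
        the discovery data may have been altered in transit.
        """
        if discover is not None:
            found = discover(claimed_id)
            if found == idp_specific_id:
                return Decision.AUTO_ACCEPT
            if found is not None:
                self.suspicious_log.append((rp, claimed_id, idp_specific_id))
                return Decision.SUSPICIOUS
        if idp_specific_id in self.trust_any_users:
            return Decision.AUTO_ACCEPT
        if ((rp, claimed_id, idp_specific_id) in self.triples
                or (claimed_id, idp_specific_id) in self.tuples):
            return Decision.AUTO_ACCEPT
        owner = self.claimed_owner.get(claimed_id)
        if owner is not None and owner != idp_specific_id:
            # The user already confirmed this claimed_id belongs to a different
            # local account; an RP asserting otherwise is worth logging.
            self.suspicious_log.append((rp, claimed_id, idp_specific_id))
            return Decision.SUSPICIOUS
        return Decision.ASK_USER

    def record_answer(self, rp, claimed_id, idp_specific_id, mode):
        """Persist a 'yes, go ahead' answer according to the box the user ticked."""
        self.claimed_owner[claimed_id] = idp_specific_id
        if mode is Mode.PER_RP:
            self.triples.add((rp, claimed_id, idp_specific_id))
        elif mode is Mode.PER_ID:
            self.tuples.add((claimed_id, idp_specific_id))
        else:
            self.trust_any_users.add(idp_specific_id)

    def rps_with_conflicts(self):
        """Count contradicting assertions per RP: the raw material for spotting misbehaving RPs."""
        counts = {}
        for rp, _, _ in self.suspicious_log:
            counts[rp] = counts.get(rp, 0) + 1
        return counts


# Constructed stand-in for the IdP's own discovery step (no network access).
CONSTRUCTED_DISCOVERY = {"http://alice.example/": "alice@wonderidp.example"}


def constructed_discover(claimed_id):
    return CONSTRUCTED_DISCOVERY.get(claimed_id)


def demo():
    """Walk through the dialog flow with constructed identifiers."""
    store = MappingTrustStore()
    alice, alice_idp = "http://alice.example/", "alice@wonderidp.example"
    first = store.check("rp-x", alice, alice_idp)                     # unknown: ask
    store.record_answer("rp-x", alice, alice_idp, Mode.PER_RP)        # user ticked box 1
    same_rp = store.check("rp-x", alice, alice_idp)                   # triple known: accept
    other_rp = store.check("rp-y", alice, alice_idp)                  # triple is per-RP: ask again
    conflict = store.check("rp-z", alice, "other@wonderidp.example")  # contradicts confirmed owner
    verified = store.check("rp-y", alice, alice_idp, discover=constructed_discover)
    return {"first": first, "same_rp": same_rp, "other_rp": other_rp,
            "conflict": conflict, "verified": verified,
            "conflicts": store.rps_with_conflicts()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The `SUSPICIOUS` outcome is deliberately separate from `ASK_USER`: an RP that keeps asserting mappings the user or the IdP's own discovery has already contradicted is exactly the signal the thread hopes this data could surface, so it is logged per RP rather than silently re-prompting.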


