Identity Manager (was: Proposition: possible anti-phishing solution)

Boris Erdmann boris.erdmann at googlemail.com
Sun May 13 20:17:41 UTC 2007


Dmitry,

I looked at the Identity Manager proposal. In fact it was the starting
point for my efforts :-)
Another inspiration was the Appalachian approach
http://simile.mit.edu/wiki/Appalachian.


A)
The main problem with tracking the OpenID protocol from the consumer site
on is that it has complexities that (I'm very confident) will make such an
implementation easy to break.

Your proposal deliberately skips two of 3 cases, of which one is a perfectly
valid response in the protocol flow (read my browser considerations on the
sec list):

a) It seems perfectly valid for a consumer to request a user's OpenID and
only after days and revisiting the site several times redirect them to an OP.

b) An html page (HTTP 200 OK) that produces a POST to the OP seems to be
valid in case of OpenID 2.0.

In order to track the protocol at the consumer we would need stricter
constraints on the flow. I don't know if that is desirable.


B) As I started to think about phishing in general and what would be needed
to prevent it, I found that OpenID is not part of the problem but part of
the solution:
You can't fake an OP, if there was an identity system for OPs. But OpenID
already delivers exactly that. OpenID discovery delivers the list of OPs
authorized for a certain OpenID identifier.

A browser can easily prevent sending credentials to a server that isn't
authorized for an OpenID.

So phishers would be forced to fake identities. But more on that, if we get back
to my original thread.

All we need to do is make OPs claim that they are an OP (which is
technically easy, and would be accepted soon for competitive reasons).


C) I don't like the idea of tying phishing protection to something like an
Identity Manager too much. One of the things that I find most fascinating
about OpenID is the fact that I don't need my browser with me to make it
work all over the planet.

If we tie the security of OpenID to the convenience of a manager and thus to
my home machine or my notebook or even a certain user profile on a specific
machine it would lose a lot compared to e.g. CardSpace. (IMO)

-- Boris
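
The check described in point B, as an added example that is not part of the original message: a client reads the OP endpoints from HTML-based discovery on the identifier page and refuses to submit credentials to any other origin. It assumes HTML discovery only (no Yadis/XRDS), same-origin matching, and constructed sample data; the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# rel values used by HTML-based discovery in OpenID 1.1 and 2.0
OP_RELS = {"openid.server", "openid2.provider"}

# Constructed sample: the page the client itself fetched from the identifier URL.
SAMPLE_IDENTITY_PAGE = """<html><head>
<link rel="openid.server" href="https://op.example.org/auth">
<link rel="openid2.provider" href="https://op.example.org/auth">
</head><body>
<link rel="openid.server" href="https://phish.example.net/auth">
</body></html>"""

class _LinkCollector(HTMLParser):
    """Collect OP endpoints from <link> elements, honouring only those in <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.endpoints = []
    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            rels = set((a.get("rel") or "").lower().split())
            if rels & OP_RELS and a.get("href"):
                self.endpoints.append(a["href"].strip())
    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def origin(url):
    """Return (scheme, host, port) with default ports filled in, or None if unusable."""
    try:
        u = urlsplit(url)
        port = u.port or (443 if u.scheme == "https" else 80)
    except ValueError:
        return None
    if u.scheme not in ("http", "https") or not u.hostname:
        return None
    return (u.scheme, u.hostname, port)

def discovered_ops(identity_html):
    parser = _LinkCollector()
    parser.feed(identity_html)
    return parser.endpoints

def may_send_credentials(identity_html, form_action):
    """True only if form_action shares an origin with a discovered OP endpoint."""
    allowed = {origin(e) for e in discovered_ops(identity_html)} - {None}
    return origin(form_action) in allowed
```

The discovery document has to be fetched by the client from the identifier URL itself; markup supplied by the page that is asking for the password proves nothing.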


