Google Apps availability broadcasting

[Drummond Reed]

I just want to reinforce the point that there are serious privacy issues
(not to mention security issues) with an RP being able to discovery the OPs
a user uses (let alone the OPs the user is currently logged in with) without
the user opting in to grant permission to the RP to know that.

I know it's not very helpful to say, "This problem is much more easily
solved - without any of the attendant privacy risks - with an active
client", but based on my experience (folks like the Liberty Alliance tried
to solve this problem for three years to no avail), it may just be than an
active client is the place to focus time/attention. After IIW it appears
it's inevitable that its coming, and probably built directly into the
browser itself.

=Drummond

On Mon, Dec 14, 2009 at 9:52 AM, Dirk Balfanz <balfanz at google.com> wrote:

> Breno just forwarded this thread to me. Bizarrely, even though I'm
> subscribed to specs, I never get a single message from that list.
>
> Anyway - what we demonstrated at IIW was a simple "broadcasting" of who
> your OP is. The RP would just do a JSONP call to a central discovery service
> (which would carry the user's cookies for that service with it), and the
> discovery service would reply with a list of OPs. As Andrew points out there
> are privacy issues with this approach that make it infeasible - you would
> either have to tell the central discovery service about your OPs, our you
> don't. In the former case, the identity of the OPs would be revealed to any
> RP that asks. Which is not good enough.
>
> So our current thinking is to access-control this per-RP. The central
> discovery service would somehow know which RPs you're using (or at least
> which RPs you're willing to tell it about). Then, when one of those
> whitelisted RPs asks about your OPs (and only then), the discovery service
> will respond with the list of your OPs. I'd say it's still up in the air
> whether this can be made seamless enough so that average users can handle
> it. It would work for Google Apps (with Google playing the role of the
> central discovery service), but I'm not quite sure what it would look like
> in general.
>
> As for the can-my-mother-log-in scenario: I believe the percentage of users
> that are already logged into their OP when they visit an RP is way above 90%
> in the case where that OP is something like Google.
>
> Dirk.
>
> On Mon, Dec 14, 2009 at 8:59 AM, Breno de Medeiros <breno at google.com>wrote:
>
>> ---------- Forwarded message ----------
>> From: Andrew Arnott <andrewarnott at gmail.com>
>> Date: Mon, Dec 14, 2009 at 7:22 AM
>> Subject: Re: Google Apps availability broadcasting
>> To: Santosh Rajan <santrajan at gmail.com>
>> Cc: specs <specs at openid.net>
>>
>>
>> I'm a bit concerned about the privacy aspect, but I'm sure regardless
>> of the future spec that OPs will be smart about giving the user the
>> option to "advertise" their login status at an OP to an untrusted RP.
>> As I recall the way Google resolved the privacy concern is actually
>> giving each domain admin the option to advertise or not to RPs.
>> A standard addition to the protocol would be interesting, to be sure.
>> However, it doesn't make as much sense out of the context of Google
>> Apps, since that's the only host that represents very many OP
>> endpoints, which is what makes it interesting for the RP to poll with
>> the question "hey, which OPs is the user logged into?"
>> >From a UI standpoint, even if it were possible for the RP to
>> meaningfully ask the question (of someone) "what are all the OPs the
>> user is logged into?", I'm dubious about the value of an RP doing so.
>> It wouldn't pass the "my mom can login" test if she revisited an RP,
>> and couldn't login because her "Google" button was missing.  It
>> wouldn't occur to her that she has to go to Google herself and log in
>> there before she can log into the RP.  Some OPs do that today (like
>> Verisign), by refusing to log a user in as part of the OpenID flow,
>> but it's not very user-friendly -- and that's when Verisign appears at
>> the RP in the first place.
>> Just my 2 cents.
>> --
>> Andrew Arnott
>> "I [may] not agree with what you have to say, but I'll defend to the
>> death your right to say it." - S. G. Tallentyre
>>
>>
>> On Mon, Dec 14, 2009 at 7:09 AM, Santosh Rajan <santrajan at gmail.com>
>> wrote:
>> >
>> > I agree with Andrew, and I think every OP must do the same. Or maybe we
>> add that to the protocol.
>> >
>> > On Mon, Dec 14, 2009 at 8:17 PM, Andrew Arnott <andrewarnott at gmail.com>
>> wrote:
>> >>
>> >> Nope, that's not it either.  What I'm thinking of is an aid to pure
>> login UI -- nothing to do with OAuth.  And again, Google is supplying the
>> list of Google Apps domains the user is logged into -- not the RP asking for
>> each specific domain.
>> >> --
>> >> Andrew Arnott
>> >> "I [may] not agree with what you have to say, but I'll defend to the
>> death your right to say it." - S. G. Tallentyre
>> >>
>> >>
>> >> On Mon, Dec 14, 2009 at 6:32 AM, Chris Obdam <chris.obdam at holder.nl>
>> wrote:
>> >>>
>> >>> > The solution Dirk/Breno spoke of (as I recall) was a single URL that
>> would return all google apps for domains the user is logged into.
>> >>> Ok, clear.  Is this the one?
>> >>> > openid.ext2.scope - (required) List of URLs identifying the Google
>> service(s) to be accessed. See documentation for the services of interest to
>> get scopes must be space-delimited and properly escaped. This parameter is
>> not defined in the OAuth standards; it is a Google-specific parameter.
>> >>>
>> >>> Cheers,
>> >>>
>> >>> Chris Obdam
>> >>> Stichting OpenID NL (Dutch OpenID foundation)
>> >>>
>> >>> > --
>> >>> > Andrew Arnott
>> >>> > "I [may] not agree with what you have to say, but I'll defend to the
>> death your right to say it." - S. G. Tallentyre
>> >>> >
>> >>> >
>> >>> > On Mon, Dec 14, 2009 at 6:14 AM, Chris Obdam <chris.obdam at holder.nl>
>> wrote:
>> >>> > Andrew,
>> >>> >
>> >>> > That sounds a lot like de openid.ui.x-has-session variable David
>> mentioned earlier today?
>> >>> >
>> >>> > More info on
>> http://svn.openid.net/repos/specifications/user_interface/1.0/trunk/openid-user-interface-extension-1_0.htmland
>> >>> > http://code.google.com/intl/nl-NL/apis/accounts/docs/OpenID.html
>> >>> >
>> >>> > Cheers,
>> >>> >
>> >>> > Chris Obdam
>> >>> > Stichting OpenID NL (Dutch OpenID foundation)
>> >>> >
>> >>> > Op 14 dec 2009, om 14:54 heeft Andrew Arnott het volgende
>> geschreven:
>> >>> >
>> >>> > > At IIW, Google mentioned that they are trying out a way for Google
>> Apps domains to advertise to RPs that the user is logged into them so that
>> RPs can show a "log into puffypoodles.com" option.  Where can we find
>> documentation on how that works?
>> >>> > >
>> >>> > > Thanks.
>> >>> > > --
>> >>> > > Andrew Arnott
>> >>> > > "I [may] not agree with what you have to say, but I'll defend to
>> the death your right to say it." - S. G. Tallentyre
>> >>> > > _______________________________________________
>> >>> > > specs mailing list
>> >>> > > specs at lists.openid.net
>> >>> > > http://lists.openid.net/mailman/listinfo/openid-specs
>> >>> >
>> >>> >
>> >>>
>> >>
>> >>
>> >> _______________________________________________
>> >> specs mailing list
>> >> specs at lists.openid.net
>> >> http://lists.openid.net/mailman/listinfo/openid-specs
>> >>
>> >
>> >
>> >
>> > --
>> > http://hi.im/santosh
>> >
>> >
>>
>>
>> _______________________________________________
>> specs mailing list
>> specs at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs
>>
>>
>>
>>
>> --
>> --Breno
>>
>> +1 (650) 214-1007 desk
>> +1 (408) 212-0135 (Grand Central)
>> MTV-41-3 : 383-A
>> PST (GMT-8) / PDT(GMT-7)
>>
>
>
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20091214/fed097b8/attachment.htm>