MultiAuth handler
SitG Admin
sysadmin at shadowsinthegarden.com
Sun Feb 7 09:08:10 UTC 2010
(For lack of a better subject line . . . )
The recent discussion of headers at URI->discovery at XRD->OP got me
thinking; if Yahoo can outsource its XRD document(s) to
yahooapis.com, why can't it, say, outsource its XRD's to
yahoo-google-apis.com? This isn't to say that ALL major IDP's (usage
here: URI hosting) should use a common central XRD host (SP?), nor
that Yahoo/Google should store all their XRD's there. Indeed, there
should be protection in case some phisher registers
"google-yahoo-apis.com".
Disclaimer: the following is not a proposal, and I am still not sure
if it is out of spec or merely me finally understanding something
that has been *in* spec (or planned for OpenID v.next) all along.
Envision an XRD containing 2 (or more^1) OP's for 2 (or more) URI's,
with digital signatures from each SP (URI hosts), further specifying
(within the signed data) that this OpenID is only to be used for
MultiAuth and that all signatures must be present/valid before
accepting document. The user can then assert their (digital) identity
as "someone with these accounts at Google *and* Yahoo".
SP's would also have to act as RP's, for this to work; until and
unless the user confirmed to SP->Yahoo that they were also the holder
of the paired account at SP->Google, the SP->Yahoo would refuse to
sign any other (new) XRD.
Google could still point to another XRD, one with its own signature
(and perhaps another's, besides Yahoo's), but this would not be the
same as the "This user is the owner of this URI at Google *and* that
URI at Yahoo.", and RP's would only need to keep track of the two
URI's, trusting that neither SP by itself would be able to generate
*all* the needed signatures to validate a new XRD listing both those
URI's as a MultiAuth pair with some compromised OP's.
This would add greatly to the understanding and work required of new
RP's to use OpenID, but it could be minimized by saying "If you
aren't going to implement (support for) this - ignore these, and
refuse to accept them."
-Shade
^1) Or potentially just one, even, but that would be weaker for its
single point of takeover.
More information about the specs
mailing list