XAuth critiques

Story Henry henry.story at bblfish.net
Tue Jun 8 19:55:04 UTC 2010


On 8 Jun 2010, at 21:45, SitG Admin wrote:

> Just passing through, between one relay and another:
> 
>> Thought experiment:  Would you be satisfied if xauth were baked into Chromium (hosted at www.chromium.org)?  If so, would it be sufficient to CNAME xauth.org to www.chromium.org and serve up JS from there, signed with the Chromium.org private key?
> 
> Assume that ALL requests are protected with SSL, so that the contents of communications cannot be spied upon. An eavesdropper can STILL figure out when a user is logging in with OpenID (and, with attention to timing, WHICH sites they are logged in to!) by looking for requests to the IP address of the central server.

The interesting thing is that with http://esw.w3.org/Foaf+ssl there are only three machines needed, and this could be reduced to 2 (see the diagram on the wiki)

1. The machine hosting the client
2. The service one is logging into
3. The personal profile hosting service

At the limit one could place 1 and 3 on the same machine (your cell phone could host your profile), meaning that foaf+ssl needs to rely on no more machines than the client and the server. I.e.: two parties want to talk: only two need to know about it.

> 
> What do we expect them to do in defense of this attack, route all their communications through random public proxies?

Even though foaf+ssl won't solve the most paranoid problems (out of the box) does this help?

Henry


> -Shade
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
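An added illustration of the point Shade raises and Henry answers (not part of the thread, and not code from either author): a passive observer who only sees TLS connection endpoints and timing can still infer logins when a central identity server sits in the middle, and has nothing to correlate when, as in the two-party foaf+ssl case, the only connection is client to service. All IP addresses, timestamps and the correlation window are constructed for the example.

```python
# Added example, not from the thread: what a passive tap on encrypted traffic
# can infer from (timestamp, src, dst) alone. Payloads are assumed to be TLS
# protected; only endpoints and timing are visible to the observer.
from collections import defaultdict

# Hypothetical address of the central login server (xauth.org / OpenID provider).
CENTRAL_SERVER = "203.0.113.10"

# Constructed flow records for the centralised topology:
# each login is client -> site, client -> central server, client -> site.
CENTRALISED_FLOWS = [
    (100.0, "198.51.100.7", "192.0.2.20"),    # client -> site A (login page)
    (100.4, "198.51.100.7", CENTRAL_SERVER),  # client -> central login server
    (100.9, "198.51.100.7", "192.0.2.20"),    # client -> site A (assertion returned)
    (130.0, "198.51.100.8", "192.0.2.30"),    # a different client, plain browsing
    (160.0, "198.51.100.7", "192.0.2.40"),    # client -> site B
    (160.3, "198.51.100.7", CENTRAL_SERVER),
    (160.8, "198.51.100.7", "192.0.2.40"),
    (500.0, "198.51.100.7", "192.0.2.50"),    # no central hit nearby: not a login
]

# Constructed flow records for foaf+ssl with the profile hosted on the client
# itself: a login is a single TLS connection with a client certificate, so the
# only parties on the wire are the two that are talking anyway.
FOAF_SSL_FLOWS = [
    (100.0, "198.51.100.7", "192.0.2.20"),    # client -> site A
    (160.0, "198.51.100.7", "192.0.2.40"),    # client -> site B
]


def infer_openid_logins(flows, central_ip, window=2.0):
    """Return the set of (client, site) pairs the observer infers as logins.

    Rule: a connection from a client to the central server, with connections
    from the same client to some other host within `window` seconds on either
    side, is taken to be a login of that client to that host.
    """
    by_client = defaultdict(list)
    for t, src, dst in sorted(flows):
        by_client[src].append((t, dst))

    inferred = set()
    for client, events in by_client.items():
        for t_central, dst in events:
            if dst != central_ip:
                continue
            nearby_sites = {
                site for t, site in events
                if site != central_ip and abs(t - t_central) <= window
            }
            for site in nearby_sites:
                inferred.add((client, site))
    return inferred


def clients_seen_at_central(flows, central_ip):
    """Clients the observer knows are using the central login server at all."""
    return {src for _, src, dst in flows if dst == central_ip}


if __name__ == "__main__":
    print("centralised:", sorted(infer_openid_logins(CENTRALISED_FLOWS, CENTRAL_SERVER)))
    print("users of central server:", clients_seen_at_central(CENTRALISED_FLOWS, CENTRAL_SERVER))
    print("foaf+ssl:", infer_openid_logins(FOAF_SSL_FLOWS, CENTRAL_SERVER))
```

The window of two seconds is an arbitrary constructed value; in practice an observer would tune it to the round-trip pattern of the redirect dance. Note that this only removes the central server as an observable; the client-to-service connection itself remains visible in both topologies, which is the residual exposure Henry's "most paranoid problems" remark refers to.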


