[Code] OpenId on no HTML user-agents

valentino miazzo valentino.miazzo at blu-labs.com
Fri Feb 5 10:11:54 UTC 2010


Hi,

Yang Zhao said the following on 05/02/2010 10.45:
>
> One of the most essential parts of a decentralized authentication
> protocol is the step where the user is made to interact, directly,
> with the trusted party; in this case, his or her OpenID provider.  You
> simply cannot have an authentication protocol of this nature without
> this, and, unfortunately, this is the one step that your environment
> cannot handle elegantly.
>   
Yes, not having an HTML browser, the user cannot see the HTTPS URL of
the OP and be sure that no one is stealing the credentials.
The user must trust the application stored on the BD disc.
Anyway, these discs are usually produced by huge companies like Sony,
Warner, etc. It could happen, but it's unlikely that such giants
look for trouble by stealing users' credentials.
At this point a user could also suspect any OP.

> Standardizing HTML form structure is not a sound approach either, as
> it assumes the user authenticates to the OP via an HTML form.
I'm not suggesting forcing all the OPs to share common form structures.
I'm suggesting that OPs willing to support 'limited devices' could *also*
offer such limited common form structures.

> I've not worked with OAuth yet, so this may not be possible at all,
> but one feasible implementation I can think of is to ask for a very
> long-lived OAuth access token that is then stored in the DB player,
> but only available when the user has unlocked it using a short
> password.  Ask the user to do a one-time association with the DB
> player using a browser (a la Bluetooth pairing) then each time this
> token is required, ask for the password that will unlock it.  The user
> retains the option to revoke the access key through whatever provided
> it in the first place.  However, this assumes the user has access to
> an OAuth provider that is willing to hand out such tokens.
>
>   
Looks very complex for a non-tech-savvy user.
BD discs, like DVDs, are used by average people.
At that point we can bite the bullet and just ask the user to register an
account with us.

Thanks,
Valentino
