[Code] OpenId on no HTML user-agents
Yang Zhao
yang at yangman.ca
Wed Feb 17 18:53:02 UTC 2010
On 17 February 2010 09:55, valentino miazzo
<valentino.miazzo at blu-labs.com> wrote:
> For Russel:
> <<What you seem to have missed is that the trust model of OpenID is
> *explicitly* built upon the assumption that the end user *never*
> provides their credentials to the relying party (your set top box, in
> this case).>>
> Now I can understand why the "OpenID ecosystem" can be reluctant to
> support this use case.
>...
> Anyway, thank you Russel for the "philosophical" POV.
This is *not* simply a philosophical POV. This is a requirement in any
authentication system where the party that verifies an identity is
distinct from the party which wants that verification. There are
formal, mathematical theories of security and trust relationships, and
this is a key assumption; protocols such as Kerberos and CAS have the
exact same base trust assumptions.
Allowing the relying party to relay credential information means this
base assumption is violated, and the security of the entire message
exchange is forfeit. It may well be the case that the application
interacting with the ID provider and the relying party are one and the
same, but this is not something the protocol can account for nor care
about. The implicit assumption that the user trusts the tools being
used to perform this exchange is outside the scope of a protocol.
What's important is that, within the context of the 3 logical entities
involved, neither the user nor the provider trusts the consumer with
"sensitive information".
--
Yang Zhao
http://yangman.ca
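The three-party split described in the message above, as an added illustration that is not code from the thread, from any OpenID library or from the OpenID specification: the user authenticates at the OpenID Provider (OP), the Relying Party (RP) only ever receives an assertion it verifies with the MAC key it shares with the OP (the OpenID 2.0 "association"), and the last part of the demo shows what an RP gains, and the user loses, when the RP relays the credential instead. The endpoint names, account data and the signing encoding are constructed for the example and are simplified; this is not the OpenID 2.0 key-value wire format.

```python
"""Toy model of the OpenID trust split (constructed example, not the real wire protocol).

Entities: User, OpenID Provider (OP) that checks the credential, Relying Party
(RP) that consumes a signed positive assertion.  The RP never sees the password.
"""
import hashlib
import hmac
import secrets

# Fields covered by the OP's signature (simplified encoding, not OpenID 2.0 key-value form).
SIGNED_FIELDS = ("op_endpoint", "claimed_id", "return_to", "response_nonce", "assoc_handle")


def sign(mac_key: bytes, fields: dict) -> str:
    """HMAC-SHA256 over the signed fields in a fixed order."""
    msg = "\n".join(f"{k}:{fields[k]}" for k in SIGNED_FIELDS).encode()
    return hmac.new(mac_key, msg, hashlib.sha256).hexdigest()


class OpenIDProvider:
    endpoint = "https://op.example/openid"   # constructed endpoint name

    def __init__(self):
        self._users = {}   # claimed_id -> (salt, pbkdf2 hash); never leaves the OP
        self._assoc = {}   # assoc_handle -> MAC key shared with exactly one RP

    def register(self, claimed_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[claimed_id] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def associate(self, rp_name: str):
        """RP and OP agree on a shared MAC key; the user plays no part in this step."""
        handle = f"assoc-{rp_name}-{secrets.token_hex(4)}"
        key = secrets.token_bytes(32)
        self._assoc[handle] = key
        return handle, key

    def checkid(self, assoc_handle: str, claimed_id: str, password: str, return_to: str):
        """The user authenticates *at the OP*.  Returns a signed assertion, or None on failure."""
        if claimed_id not in self._users or assoc_handle not in self._assoc:
            return None
        salt, digest = self._users[claimed_id]
        attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(attempt, digest):
            return None                      # negative result: nothing signed leaves the OP
        fields = {
            "op_endpoint": self.endpoint,
            "claimed_id": claimed_id,
            "return_to": return_to,          # binds the assertion to one RP endpoint
            "response_nonce": secrets.token_hex(16),
            "assoc_handle": assoc_handle,
        }
        fields["sig"] = sign(self._assoc[assoc_handle], fields)
        return fields


class RelyingParty:
    def __init__(self, name: str, op: OpenIDProvider):
        self.return_to = f"https://{name}.example/openid/return"   # constructed
        self.assoc_handle, self._mac_key = op.associate(name)
        self._seen_nonces = set()

    def verify(self, assertion):
        """Accept only an assertion that is complete, correctly MACed, bound to this RP and fresh."""
        if assertion is None or any(k not in assertion for k in SIGNED_FIELDS):
            return None
        if assertion["assoc_handle"] != self.assoc_handle:
            return None                      # signed under some other RP's key
        if not hmac.compare_digest(sign(self._mac_key, assertion), assertion.get("sig", "")):
            return None                      # tampered or forged; check MAC before trusting fields
        if assertion["return_to"] != self.return_to:
            return None                      # assertion meant for another site
        if assertion["response_nonce"] in self._seen_nonces:
            return None                      # replay
        self._seen_nonces.add(assertion["response_nonce"])
        return assertion["claimed_id"]


def demo():
    """Proper flow plus the credential-relay anti-pattern; returns the outcome of each check."""
    op = OpenIDProvider()
    op.register("https://alice.example/", "correct horse battery staple")   # constructed account
    rp = RelyingParty("shop", op)

    # Proper flow: the password is typed at the OP; the RP gets only the assertion.
    a = op.checkid(rp.assoc_handle, "https://alice.example/", "correct horse battery staple", rp.return_to)
    results = {"proper": rp.verify(a), "replay": rp.verify(a)}
    results["tampered"] = rp.verify(dict(a, claimed_id="https://mallory.example/"))
    results["bad_password"] = rp.verify(
        op.checkid(rp.assoc_handle, "https://alice.example/", "wrong", rp.return_to))

    # Violated model: the RP collects the password and relays it to the OP.  It "works",
    # but the RP now holds the credential and can obtain a fresh assertion with no user present.
    captured = "correct horse battery staple"   # what a relaying RP would have seen
    later = op.checkid(rp.assoc_handle, "https://alice.example/", captured, rp.return_to)
    results["relay_unattended_login"] = rp.verify(later)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the demo makes is the one in the message: every check the RP performs works on the signed assertion and the association key, and none of them needs the user's credential. Once the RP has the password (the "relay" case), the protocol has nothing left to say about what the RP does with it; the unattended second login succeeds because the OP cannot tell a relaying RP from the user.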