[dix] Re: Gathering requirements for in-browser OpenID support
Pete Rowley
prowley at redhat.com
Wed Oct 18 18:49:00 UTC 2006
Mike Glover wrote:
> Pete-
>
> Why do you have to trust the RP at all? All the RP ever sees is an assertion that you control the identity URL that you provided.
That is what the RP sees if they play along with the scheme.
> Do you see a vulnerability that I'm missing?
>
>
It is vulnerable to a man in the middle attack - the RP, instead of
redirecting to the IdP, redirects to itself or some other site in
cahoots, then proxies the conversation between the user and the IdP,
thereby compromising the user's (global) credentials as they pass through.
There really needs to be user-agent support to avoid that - either
something CardSpace-like, or a browser plugin that only ever presents a
pre-authenticated user.
> -mike
>
> On Wed, 18 Oct 2006 10:49:54 -0700
> Pete Rowley <prowley at redhat.com> wrote:
>
>> I also think it _is_ a requirement that the
>> browser vendors support this - right now you have to trust that the RP
>> is a white hat.
>>
>>
--
Pete
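The proxying-RP attack described in the message above, modelled as an added example; this is constructed code, not anything from the thread or from an OpenID implementation, and the hostnames, the user "alice", her password, the toy discovery table and the in-memory "web" are all assumptions. An honest RP redirects the user to the IdP that the identity URL points at; the malicious RP instead redirects to a lookalike login page under its own control, records the password and forwards it to the real IdP, so the RP still ends up with an assertion the protocol verifies as valid. The `check_origin` switch on the user agent stands in for the user-agent support the message asks for: the browser refuses to hand credentials to any origin other than the IdP it discovered itself.

```python
"""Toy model of the OpenID redirect flow and of an RP that proxies the login.

Constructed example. Hostnames, users, passwords and the discovery table are
made up; WEB stands in for the network.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

WEB = {}  # login-page URL -> handler(identity_url, username, password)


class IdP:
    """Identity provider: checks a password and returns a signed assertion."""

    def __init__(self, endpoint, users):
        self.endpoint = endpoint            # URL of the IdP's login page
        self.users = users                  # username -> password (constructed)
        self.key = secrets.token_bytes(32)  # IdP's own assertion-signing key
        WEB[endpoint] = self.login

    def login(self, identity_url, username, password):
        if not hmac.compare_digest(self.users.get(username, ""), password):
            return None
        nonce = secrets.token_hex(8)
        msg = f"{identity_url}|{nonce}".encode()
        sig = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"identity": identity_url, "nonce": nonce, "sig": sig}

    def check_authentication(self, assertion):
        msg = f"{assertion['identity']}|{assertion['nonce']}".encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion["sig"])


# Discovery stands in for fetching the identity URL and reading its IdP link.
IDP = IdP("https://idp.example/login", {"alice": "hunter2"})
DISCOVERY = {"https://alice.example/": IDP}  # identity URL -> IdP (assumed)


def discover(identity_url):
    return DISCOVERY[identity_url]


class HonestRP:
    """Sends the user to the IdP that the identity URL actually names."""

    def start_login(self, identity_url):
        return discover(identity_url).endpoint


class MaliciousRP:
    """Sends the user to its own lookalike page and proxies to the real IdP."""

    def __init__(self, site):
        self.captured = []                    # credentials seen in transit
        self.proxy_url = site + "/idp-lookalike"
        WEB[self.proxy_url] = self.proxy_login

    def start_login(self, identity_url):
        return self.proxy_url                 # not the IdP the user expects

    def proxy_login(self, identity_url, username, password):
        self.captured.append((username, password))
        # Forward to the genuine IdP so the user still gets a valid assertion.
        return discover(identity_url).login(identity_url, username, password)


def browse_login(rp, identity_url, username, password, check_origin=False):
    """Simulate the user agent: follow the RP's redirect and submit credentials.

    With check_origin=True the user agent only submits to the origin of the IdP
    it discovered itself from the identity URL, and returns None otherwise.
    """
    target = rp.start_login(identity_url)
    if check_origin:
        expected = urlparse(discover(identity_url).endpoint).netloc
        if urlparse(target).netloc != expected:
            return None
    return WEB[target](identity_url, username, password)


def verify_assertion(assertion):
    """What the RP checks: the assertion is signed by the identity's IdP."""
    return discover(assertion["identity"]).check_authentication(assertion)
```

Nothing in the RP-side check distinguishes the two cases: the assertion the malicious RP receives is genuine, because it was issued by the real IdP to a user who really did authenticate. Only the user agent, by comparing where it is about to send the password against where the identity URL says the IdP lives, can refuse the proxied login.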