[dix] Re: Gathering requirements for in-browser OpenID support

[Scott Kveton]

> It is vulnerable to a man in the middle attack - the RP, instead of
> redirecting to the IdP redirects to itself or some other site in
> cahoots, then proxies the conversation between the user and the IdP
> thereby compromising the users (global) credentials as they pass through.

Right, we've known about this for quite some time unfortunately there hasn't
be a particularly easy solution to it and I classify this as one of those
"The Internet Sucks" problems.  I'm not saying we shouldn't/couldn't do
anything about it I just think the right solution that mixes
ease-of-implementation and user need hasn't been found yet.
 
> There really needs to be user-agent support to avoid that - either
> something CardSpace like, or browser plugin that only ever presents a
> pre-authenticated user.

I think we're headed in this direction.  However, we have to crawl before we
can walk.  At least solving a big chunk of the use cases, getting some
momentum behind the platform and solving a specific problem for users
*today* is better than trying to build the perfect tool.  We can talk and
talk on these lists but we really don't know how users are going to use this
stuff (or abuse it for that matter) until its out there and working in the
wild.

I can't emphasize more the fact that with every passing day that we don't
have OpenID v2.0 out the door, we're losing momentum from fixing specific
user problems that are solved in the existing specification.

- Scott