[dix] Re: Gathering requirements for in-browser OpenID support
Paul Trevithick
paul at socialphysics.org
Wed Oct 18 22:42:52 UTC 2006
Pete wrote:
> Troy Benjegerdes wrote:
> > On Mon, Oct 16, 2006 at 12:31:48PM -0700, Scott Kveton wrote:
> >
> >> Hey Rob,
> >>
> >>
> >>> I'm trying to gather requirements for OpenID support. I think I have a
> >>> reasonable understanding of the draft, but part of the appeal of
> OpenID
> >>> is that it doesn't necessarily require browser vendors to do anything
> :)
> >>>
> >>> I've seen the proposed 2617-style HTTP authentication scheme on the
> >>> wiki. What else could browser vendors do to make OpenID a smoother
> >>> experience for users?
> >>>
> >> As I posted on the Mozilla wiki:
> >>
> >> http://wiki.mozilla.org/Firefox/Feature_Brainstorming#Identity
> >>
> >> I'd love to see some anti-phishing mojo baked into the browser. If the
> user
> >> could set their trusted IdP (or multiple as the case may be) in the
> browser
> >> and then have the browser do something obvious when the users is
> presented
> >> with an "untrusted" page asking for their password that would be great
> IMHO.
> >>
> >
> > I think there needs to be more overlap between the people on the OpenID
> > list and people on the IETF DIX list... Both of these groups of people
> > seem to have similiar ideas, and different approaches. A real solution
> > to this distributed identity problem is going to involve both groups.
> >
> >
> If there is going to be a "mojo" in the browser then I think it ought to
> just take care of the authentication itself i.e. the site never gets an
> opportunity to be MITM because users appear to them to always be
> previously authenticated. I also think it _is_ a requirement that the
> browser vendors support this - right now you have to trust that the RP
> is a white hat.
FWIW, the Higgins project is working on a browser extension (initially for
Firefox and later for IE and Safari) that will rely on a web-based "i-card
selector" UI. We say "i-card selector" instead of "identity selector"
because the long term goal is that an i-card can be a CardSpace i-card or an
OpenID i-card. The exact meaning and the required extensions to the OpenID
flow are still being worked out. But as Pete says the risk of MITM is
somewhat reduced. It is all very rough and preliminary, but that's the plan.
More information about the general
mailing list