[dix] Re: Gathering requirements for in-browser OpenID support
Dick Hardt
dick at sxip.com
Thu Oct 19 03:56:05 UTC 2006
The MITM attack vector resolution is out of scope of OpenID
Authentication as it is a ceremony between the user and the IdP. The
user and IdP need to know they are talking directly to each other.
-- Dick
On 18-Oct-06, at 1:07 PM, Scott Kveton wrote:
>> It is vulnerable to a man-in-the-middle attack - the RP, instead of
>> redirecting to the IdP, redirects to itself or some other site in
>> cahoots, then proxies the conversation between the user and the IdP,
>> thereby compromising the users' (global) credentials as they pass
>> through.
>
> Right, we've known about this for quite some time; unfortunately
> there hasn't been a particularly easy solution to it and I classify
> this as one of those "The Internet Sucks" problems. I'm not saying we
> shouldn't/couldn't do anything about it, I just think the right
> solution that mixes ease-of-implementation and user need hasn't been
> found yet.
>
>> There really needs to be user-agent support to avoid that - either
>> something CardSpace like, or browser plugin that only ever presents a
>> pre-authenticated user.
>
> I think we're headed in this direction. However, we have to crawl
> before we can walk. At least solving a big chunk of the use cases,
> getting some momentum behind the platform and solving a specific
> problem for users *today* is better than trying to build the perfect
> tool. We can talk and talk on these lists but we really don't know how
> users are going to use this stuff (or abuse it for that matter) until
> it's out there and working in the wild.
>
> I can't emphasize more the fact that with every passing day that we
> don't have OpenID v2.0 out the door, we're losing momentum from fixing
> specific user problems that are solved in the existing specification.
>
> - Scott
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
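As an added illustration of the user-agent-side defence the thread alludes to (this is example code, not from the thread or from any OpenID implementation): a hypothetical browser-side rule that accepts an OpenID `checkid_setup`/`checkid_immediate` redirect only if it lands on the IdP endpoint the user agent already trusts for that identifier, which an RP-controlled redirect to a proxy cannot satisfy. The trusted endpoint table and all URLs are constructed sample values.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample: the IdP endpoint this user agent has already bound to
# the user's identifier (e.g. learned at first enrolment), independent of
# whatever an RP later says. Hypothetical values, not from the thread.
TRUSTED_IDP = {
    "https://alice.example.org/": "https://idp.example.org/server",
}


def check_openid_redirect(identity, redirect_url, trusted=TRUSTED_IDP):
    """Return (ok, reason) for a navigation the RP asked the browser to follow.

    Only OpenID authentication redirects are judged; anything else passes.
    An authentication redirect is accepted only if it goes, over https,
    to the exact endpoint recorded for `identity` and names that identity.
    """
    parsed = urlparse(redirect_url)
    params = parse_qs(parsed.query)
    mode = params.get("openid.mode", [None])[0]
    if mode not in ("checkid_setup", "checkid_immediate"):
        return True, "not an OpenID authentication redirect"

    expected = trusted.get(identity)
    if expected is None:
        return False, "no trusted IdP endpoint recorded for this identifier"
    exp = urlparse(expected)

    if parsed.scheme != "https":
        return False, "IdP endpoint must be reached over https"
    # Host and path must match the trusted endpoint; an RP proxying the
    # conversation can only point the browser at a host it controls.
    if (parsed.netloc, parsed.path) != (exp.netloc, exp.path):
        return False, (f"redirect targets {parsed.netloc}{parsed.path}, "
                       f"expected {exp.netloc}{exp.path}")

    claimed = params.get("openid.identity", [None])[0]
    if claimed != identity:
        return False, "openid.identity does not match the user's identifier"
    return True, "redirect goes directly to the trusted IdP"
```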