[dix] Re: Gathering requirements for in-browser OpenID support

Dick Hardt dick at sxip.com
Thu Oct 19 04:37:23 UTC 2006 

btw: this MITM attach MUST be clearly described in the security  
considerations of the spec ...

-- Dick

On 18-Oct-06, at 8:56 PM, Dick Hardt wrote:

> The MITM attack vector resolution is out of scope of OpenID
> Authentication as it is a ceremony between the user and the IdP. The
> user and IdP need to know they are talking directly to each other.
>
> -- Dick
>
> On 18-Oct-06, at 1:07 PM, Scott Kveton wrote:
>
>>> It is vulnerable to a man in the middle attack - the RP, instead of
>>> redirecting to the IdP redirects to itself or some other site in
>>> cahoots, then proxies the conversation between the user and the IdP
>>> thereby compromising the users (global) credentials as they pass
>>> through.
>>
>> Right, we've known about this for quite some time unfortunately
>> there hasn't
>> be a particularly easy solution to it and I classify this as one of
>> those
>> "The Internet Sucks" problems.  I'm not saying we shouldn't/
>> couldn't do
>> anything about it I just think the right solution that mixes
>> ease-of-implementation and user need hasn't been found yet.
>>
>>> There really needs to be user-agent support to avoid that - either
>>> something CardSpace like, or browser plugin that only ever  
>>> presents a
>>> pre-authenticated user.
>>
>> I think we're headed in this direction.  However, we have to crawl
>> before we
>> can walk.  At least solving a big chunk of the use cases, getting  
>> some
>> momentum behind the platform and solving a specific problem for users
>> *today* is better than trying to build the perfect tool.  We can
>> talk and
>> talk on these lists but we really don't know how users are going to
>> use this
>> stuff (or abuse it for that matter) until its out there and working
>> in the
>> wild.
>>
>> I can't emphasize more the fact that with every passing day that we
>> don't
>> have OpenID v2.0 out the door, we're losing momentum from fixing
>> specific
>> user problems that are solved in the existing specification.
>>
>> - Scott
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
>>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>

More information about the general mailing list