[dix] Re: Gathering requirements for in-browser OpenID support

Pete Rowley prowley at redhat.com
Fri Oct 20 19:04:37 UTC 2006


Ben Laurie wrote:
> On 19/10/06, Pete Rowley <prowley at redhat.com> wrote:
>> Having the hooks that enable solutions to this outside the protocol is a
>> MUST in my view. So, go Chris :)
>
> Why not enable it inside the protocol? It isn't hard to ensure that
> anything an RP gets is unusable anywhere else. Indeed, surely this is
> a basic requirement for any secure SSO solution?
Despite the spec being called OpenID Authentication, authentication is 
actually out of scope i.e. the actual methods of authentication aren't 
specified. The spec really defines a method of third party assertion of 
an identifier being linked to a session through an implicit trust 
relationship. That's really the context of my "outside the protocol" 
qualifier.

I believe it is possible to implement OpenID securely to avoid MITM as 
it stands today, but it is up to the IdP to enforce that and I haven't 
seen an example in the wild, which is a bit of a concern. Adding hooks 
outside that allow client-side methods of securing the transaction 
independent of the IdP/RP is better than no hooks :)

-- 
Pete
