[dix] Re: Gathering requirements for in-browser OpenID support

Ben Laurie benl at google.com
Thu Oct 26 15:27:37 UTC 2006


On 20/10/06, Mike Glover <mpg4 at janrain.com> wrote:
> On Fri, 20 Oct 2006 09:36:30 +0100
> "Ben Laurie" <benl at google.com> wrote:
>
> > On 19/10/06, Pete Rowley <prowley at redhat.com> wrote:
>
> > > Having the hooks that enable solutions to this outside the protocol is a
> > > MUST in my view. So, go Chris :)
> >
> > Why not enable it inside the protocol? It isn't hard to ensure that
> > anything an RP gets is unusable anywhere else. Indeed, surely this is
> > a basic requirement for any secure SSO solution?
> >
>
>
> Could you explain that some more?  Specifically, how would you prevent a rogue RP from faking a redirect to the user's IdP (by proxying the request instead)?  I can't see a way that the protocol itself can guard against this.

For example, if you were to use EKE for authentication (or any other
zero-knowledge protocol), the proxy would not end up authenticated.

>
> -mike
>
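The point Ben makes above, as an added illustration that is not part of this thread: a toy password-authenticated exchange in Python (SPEKE-style rather than EKE proper, with a toy-sized prime and made-up confirmation labels as assumptions) in which a rogue RP that proxies the user's login, running its own exchange with each side under a guessed password, fails key confirmation on both sides and so never ends up authenticated.

```python
import hashlib
import hmac
import secrets

# Toy-sized safe prime p = 2q + 1 (an assumption, chosen for readability;
# a real PAKE uses a 2048-bit group or an elliptic curve).
P = 1907
Q = (P - 1) // 2

def password_generator(password: str) -> int:
    """SPEKE-style: the DH generator is derived from the password itself.
    Squaring modulo a safe prime lands in the prime-order subgroup."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % P
    g = pow(h, 2, P)
    return 4 if g in (0, 1) else g  # avoid the degenerate generators

class Party:
    def __init__(self, password: str):
        self.g = password_generator(password)  # what this side believes
        self.x = secrets.randbelow(Q - 1) + 1  # private exponent in [1, q-1]

    def public(self) -> int:
        return pow(self.g, self.x, P)

    def session_key(self, peer_public: int) -> bytes:
        shared = pow(peer_public, self.x, P)
        return hashlib.sha256(shared.to_bytes(4, "big")).digest()

def tag(key: bytes, label: bytes) -> bytes:
    """Key-confirmation tag; a side only accepts its peer when the tag it
    receives verifies under its own derived key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def confirms(k1: bytes, k2: bytes, label: bytes) -> bool:
    return hmac.compare_digest(tag(k1, label), tag(k2, label))

def honest_login(password: str) -> bool:
    """User and IdP share the password. A box that merely forwards bytes sees
    g^a and g^b, which in a real-sized group yields nothing without it."""
    user, idp = Party(password), Party(password)
    k_user = user.session_key(idp.public())
    k_idp = idp.session_key(user.public())
    return confirms(k_user, k_idp, b"user->idp")

def proxied_login(password: str, rp_guess: str) -> tuple:
    """A rogue RP proxies the exchange, running its own DH with each side
    under a guessed password. Returns (user accepts RP, IdP accepts RP)."""
    user, idp = Party(password), Party(password)
    rp_u, rp_i = Party(rp_guess), Party(rp_guess)
    k_user, k_rp_u = user.session_key(rp_u.public()), rp_u.session_key(user.public())
    k_idp, k_rp_i = idp.session_key(rp_i.public()), rp_i.session_key(idp.public())
    return (confirms(k_user, k_rp_u, b"idp->user"), confirms(k_idp, k_rp_i, b"user->idp"))
```

Each wrong guess costs the RP one visibly failed exchange, which the IdP can count and rate-limit, and nothing the RP observes is a credential it could present elsewhere.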
