[OpenID] What does Sxipper do?
dick at sxip.com
Tue Jan 23 18:09:36 UTC 2007
On 23-Jan-07, at 8:58 AM, Bob Wyman wrote:
> On 1/23/07, Ben Laurie <benl at google.com> wrote:
> > Nothing happens? Or Sxipper thinks its a new OP?
> My apologies if this is a dumb question, but why would it ever make
> sense for code like Sxipper to believe any RPs statements about the
> location of the OP? It seems to me that the real value of a
> "chrome" solution is that it has complete knowledge of who are
> valid OPs. A properly built chrome solution should never
> communicate with an alleged OP that it hadn't previously been
> configured to work with. Establishing a relationship between a
> client and an OP should, I think, require a relatively "heavy-
> weight" process which is distinct from all other web interactions
> and is never done as a side-effect of interaction with any site...
> Binding to an OP should be a "special" process.
> In fact, with a little bit of intelligence in the client, it seems
> to me that the client wouldn't even ever have to let the RP know
> the precise URL that the client uses to talk to its OP. (i.e. The
> RP would send a redirect to the client, the client would look at
> the address and say: "thank you very much, but I'm going to this
> other secret address instead..." ) So, the RP might tell my client
> to go login athttp://example.com/login, but what my client will
> really do is login at https://example.com/login/
> specialprivateplace/ or evenhttps://
> someplacecompletelydifferent.com/ (Also, note that in that
> example, the RP says go to http:/... but the client actually goes
> to https:/...) If you've got intelligence in the client, all sorts
> of things are possible. You could even use various key based
> systems to identify the OP, encrypt things so that only the real OP
> can read them, etc.
Sxipper works this way.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the general