[OpenID] What does Sxipper do?

Ben Laurie benl at google.com
Tue Jan 23 18:19:17 UTC 2007

On 1/23/07, Bob Wyman <bob at wyman.us> wrote:
> On 1/23/07, Ben Laurie <benl at google.com> wrote:
> > Nothing happens? Or Sxipper thinks its a new OP?
>  My apologies if this is a dumb question, but why would it ever make sense
> for code like Sxipper to believe any RPs statements about the location of
> the OP? It seems to me that the real value of a "chrome" solution is that it
> has complete knowledge of who are valid OPs. A properly built chrome
> solution should never communicate with an alleged OP that it hadn't
> previously been configured to work with. Establishing a relationship between
> a client and an OP should, I think, require a relatively "heavy-weight"
> process which is distinct from all other web interactions and is never done
> as a side-effect of interaction with any site... Binding to an OP should be
> a "special" process.

Indeed, I agree that this is obvious, but in the absence of
documentation its very hard to know exactly how Sxipper addresses the
issue, and what is "special" about OP binding.

> In fact, with a little bit of intelligence in the client, it seems to me
> that the client wouldn't even ever have to let the RP know the precise URL
> that the client uses to talk to its OP. (i.e. The RP would send a redirect
> to the client, the client would look at the address and say: "thank you very
> much, but I'm going to this other secret address instead..." )  So, the RP
> might tell my client to go login at http://example.com/login, but what my
> client will really do is login at
> https://example.com/login/specialprivateplace/ or even
> https://someplacecompletelydifferent.com/  (Also, note that
> in that example, the RP says go to http:/... but the client actually goes to
> https:/...) If you've got intelligence in the client, all sorts of things
> are possible. You could even use various key based systems to identify the
> OP, encrypt things so that only the real OP can read them, etc.

Sure, but you still have to tell Sxipper _somehow_ where the OP is. I
suspect that will prove to be the weak link.

I also want to know what happens when I sit down at my brand new
laptop after using Sxipper for a while.

> BTW: OpenID provides a means for OP and RP to establish a secure
> association. Why doesn't it do the same for OP and Client?
> bob wyman

More information about the general mailing list