[OpenID] OpenID support on Firefox 3

Boris Erdmann boris.erdmann at googlemail.com
Tue Jul 17 07:49:49 UTC 2007


John,

the current official state of OpenID support for Firefox is this:
http://wiki.mozilla.org/Firefox3/Product_Requirements_Document#P3_7

To my knowledge there are no real ideas of what it should look like either.

In my mind there are two goals that native support should achieve:

* build confidence
* support usability

Technically speaking, this would mean, for example:

* provide counter measures for spoofing, phishing
* support for multiple identities, providers and roaming

Technically speaking, one could say that Firefox already does a lot of
these things: by using the password manager you have an instant indication
of whether you are being phished, and form completion provides some sort of
drop-down identity selector. But these definitively fail the goals:
they are not for the average user (and cannot be used while roaming).

Unfortunately there is a problem: When it comes to phishing, OpenID is
underspecified with respect to the protocol flow. Thus, implementing
"confidence" is not trivial. One example:

OpenID makes no assumption about protocol flow continuity. So if you
visit an RP and enter your OpenID, it is perfectly valid if the RP does
not redirect you to your provider. The RP can choose to do so at a later
point in time. It is even perfectly valid for the RP to redirect you
somewhere else entirely. One could argue whether that is good behavior or
not. But how would a trusted browser component know whether that is
phishing or not?

As far as I can see, solid phish detection is not possible as of now.
Not without specifying some unspoken assumptions. Try implementing
one. It will break jyte, for example: sign up with jyte, and you will
be directed to botbouncer.com.

Thus, OpenID needs a complementing specification or rule set for OPs,
so that browsers can get a grip on the protocol flow.

The most advanced step in the direction of OP discovery or an OP
interface signature (can someone please come up with a better term for
this?!) seems to me to be the VeriSign SeatBelt "opconfig" specification.
Though far from perfect, this is what we are going to have for some
time. On the other hand, it is currently neither open nor released. So
this is nothing for Mozilla to implement...

Boris


On 7/16/07, John <john at proionta.gr> wrote:
> What does the built-in OpenID functionality of Firefox 3 look like?
>
> I would expect a red button that allows you to log on to any site with a
> single click (which would turn green then), together with a drop-down
> button (similar to that on the Back and Next buttons) that would allow
> me to log on to the site I'm looking at with a different OpenID account
> than my default account or the account I used previously to log on to
> that site.
>
> Is the functionality anything like what I describe above? Is it better?
> Worse?
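To make the limitation Boris describes concrete, here is an added example (not code from the thread or from any browser): a toy browser-side check that only trusts a redirect when it matches what OpenID discovery predicted. The discovery table, hostnames and URLs are constructed; a legitimate detour through an intermediate site, like the jyte case above, can only come out as "unknown".

```python
from urllib.parse import urlparse, parse_qs

# Constructed stand-in for OpenID discovery: claimed identifier -> OP endpoint URL.
# A real browser would fetch the identifier page and read its openid.server link
# (OpenID 1.1) or XRDS document (OpenID 2.0) to learn the endpoint.
DISCOVERY = {
    "https://alice.idp.example/": "https://idp.example/auth",
}

OPENID_REQUEST_MODES = ("checkid_setup", "checkid_immediate")


def classify_redirect(rp_url, identifier, redirect_url):
    """Judge one redirect the RP issues after the user submitted `identifier`.

    'ok'         : OpenID request to the discovered OP, return_to points back at the RP
    'suspicious' : OpenID request that contradicts discovery or leaks the assertion
    'unknown'    : no OpenID request at all; the browser has no protocol fact to judge
    """
    op_host = urlparse(DISCOVERY[identifier]).netloc
    rp_host = urlparse(rp_url).netloc
    target = urlparse(redirect_url)
    params = parse_qs(target.query)
    mode = params.get("openid.mode", [None])[0]

    if mode not in OPENID_REQUEST_MODES:
        # The spec lets the RP send the user anywhere first (a CAPTCHA service,
        # a consent page, or a phish); nothing in the protocol tells them apart.
        return "unknown"
    if target.netloc != op_host:
        # The user would authenticate somewhere other than their own OP.
        return "suspicious"
    return_to = params.get("openid.return_to", [""])[0]
    if urlparse(return_to).netloc != rp_host:
        # The assertion would be delivered to a third party, not the site the user is on.
        return "suspicious"
    return "ok"


def classify_chain(rp_url, identifier, redirects):
    """Classify a whole redirect chain; the worst verdict wins, empty chain is unknown."""
    order = {"ok": 0, "unknown": 1, "suspicious": 2}
    verdicts = [classify_redirect(rp_url, identifier, url) for url in redirects]
    return max(verdicts, key=order.__getitem__) if verdicts else "unknown"
```

A browser could act on "suspicious" (wrong OP host, or a return_to pointing elsewhere), but an "unknown" verdict is the case Boris raises: it is indistinguishable from a legitimate detour without extra rules for OPs and RPs.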