[OpenID] OpenID support on Firefox 3
Recordon, David
drecordon at verisign.com
Thu Jul 19 09:21:54 UTC 2007
We're very close to releasing the SeatBelt publicly and certainly
would be happy to donate the code to Mozilla if they were interested in
it. A lot of our motivation for building it stemmed from Mozilla
asking the OpenID community what should be done in Firefox 3. We felt
that there is nothing better than building something to help answer a
question like that. Currently AOL, JanRain, and XLogon have also added
support for the SeatBelt, with more providers coming shortly. :)
--David
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Boris Erdmann
Sent: Tuesday, July 17, 2007 4:50 PM
To: John
Cc: general at openid.net
Subject: Re: [OpenID] OpenID support on Firefox 3
John,
the current official state of OpenID support for Firefox is this:
http://wiki.mozilla.org/Firefox3/Product_Requirements_Document#P3_7
To my knowledge there are no real ideas of what it should look like
either.
In my mind there are two goals that native support should achieve:
* build confidence
* support usability
Technically speaking, this would mean, for example:
* provide countermeasures for spoofing and phishing
* support for multiple identities, providers and roaming
Technically speaking, one could say that Firefox already does a lot of
these things: by using the password manager you have an instant indication
if you are being phished, and form completion provides some sort of
drop-down identity selector. But these definitely fail the goals:
they are not for the average user (and cannot be used while roaming).
Unfortunately there is a problem: When it comes to phishing, OpenID is
underspecified with respect to the protocol flow. Thus, implementing
"confidence" is not trivial. One example:
OpenID makes no assumption on protocol flow continuity. So if you
visit an RP and enter your OpenID, it is perfectly valid if RP does
not redirect you to your provider. RP can choose to do so at a later
point in time. It is even perfectly valid that RP redirects you
somewhere completely else. One could argue whether that is good behavior or
not. But how would a trusted browser component know whether that is
phishing or not?
As far as I can see, solid phish detection is not possible as of now.
Not without specifying some unspoken assumptions. Try implementing
one. It will break jyte for example: Sign up with jyte, and you will
be directed to botbouncer.com
Thus, OpenID needs a complementing specification or rule set for OPs,
so that browsers can get a grip on the protocol flow.
The most advanced step into the direction of OP discovery or an OP
interface signature (can someone please come up with a better term for
this?!) to me seems the VeriSign SeatBelt "opconfig" specification.
Though by far not perfect, this is what we are about to have for some
time. On the other hand, it is currently neither open nor released. So
this is nothing for Mozilla to implement...
Boris
On 7/16/07, John <john at proionta.gr> wrote:
> What does the built-in OpenID functionality of Firefox 3 look like?
>
> I would expect a red button that allows you to log on to any site with a
> single click (which would turn green then), together with a drop-down
> button (similar to that on the Back and Next buttons) that would allow
> me to log on to the site I'm looking at with a different OpenID account
> than my default account or the account I used previously to log on to
> that site.
>
> Is the functionality anything like what I describe above? Is it better?
> Worse?
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
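As an added illustration of Boris's point about protocol flow (this is not code from the thread, from SeatBelt, or from any product named above), the Python sketch below shows what a browser-side check can and cannot conclude: it performs the HTML-based OP discovery of OpenID 1.1/2.0 on a constructed claimed-identifier page and compares the RP's redirect target against the discovered endpoint. A redirect anywhere else comes back only as "undetermined", because the protocol permits it; all hostnames are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the HTML a browser component would fetch from the
# user's claimed identifier URL. Hostnames are placeholders.
CLAIMED_ID_HTML = """<html><head>
<link rel="openid2.provider" href="https://op.example.net/server">
<link rel="openid.server" href="https://op.example.net/server">
<link rel="openid2.local_id" href="https://op.example.net/user/alice">
</head><body>alice</body></html>"""


class _OpLinkParser(HTMLParser):
    """Collect href values of <link> elements naming an OP endpoint:
    rel 'openid.server' (OpenID 1.1) or 'openid2.provider' (OpenID 2.0)."""
    OP_RELS = {"openid.server", "openid2.provider"}

    def __init__(self):
        super().__init__()
        self.endpoints = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rels = set((a.get("rel") or "").lower().split())
        if rels & self.OP_RELS and a.get("href"):
            self.endpoints.append(a["href"])


def discover_op_endpoints(html):
    """HTML-based discovery: the OP endpoint URLs declared by a claimed id."""
    parser = _OpLinkParser()
    parser.feed(html)
    return parser.endpoints


def classify_redirect(claimed_id_html, redirect_url):
    """What a trusted browser component can say about the RP's redirect.
    'op_match': same scheme and host as a discovered OP endpoint, i.e. the
    expected flow. 'undetermined': anywhere else; the spec permits this,
    so it is an unverified destination, not provable phishing."""
    target = urlparse(redirect_url)
    for endpoint in discover_op_endpoints(claimed_id_html):
        ep = urlparse(endpoint)
        if (ep.scheme, ep.netloc) == (target.scheme, target.netloc):
            return "op_match"
    return "undetermined"
```

Note that a scheme downgrade (https to http on the same host) is also reported as "undetermined", since the discovered endpoint was declared over https.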