[OpenID] Trust + Security @ OpenID
John Panzer
jpanzeracm at johnpanzer.com
Thu Jul 19 17:13:23 UTC 2007
Dmitry Shechtman wrote:
> Hi list,
>
> I just had a really fertile talk with Eddy about “IdP reputation”,
> during which I came up with a couple of ideas which I found sound enough
> to be shared with the community:
>
> 1. If an RP is after strong IdP security, it should only trust IdPs
> that have SSL (so it would resolve all identifiers to https://)
Agreed.
But I have a dumb question before even getting past step 1 (sorry). I
think this is the right algorithm to use to tell if an OP supports SSL,
and if so, to use it:
(1) If a user gives a protocol-less identifier, say foo.example.org,
assume it's http://foo.example.org.
(2) Given http://foo.example.org, attempt an HTTP/1.1 connection and see
if you get upgraded to TLS.
(3) If no TLS, blindly remap to https://foo.example.org and attempt an
SSL connection.
(4) If both (2) and (3) fail, don't trust.
In particular, if you see a 302 redirect on step (2) to an https:// URL,
ignore it (susceptible to man-in-the-middle attack).
And the above applies both to an OpenID URL itself and any URLs that the
resource delegates to via <link>.
Does this sound correct? I don't like the extra connection attempts and
if someone says that nobody upgrades to TLS over http in the real world
I'd be fine skipping it, or inverting (2) and (3) perhaps, since the OPs
I know would be fine jumping straight to (3).
-John
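As an added example (not code from John's message or from any OpenID library), the four steps above written as a decision procedure with an injected fetcher so it runs offline; the `<link rel="openid.delegate">` form of delegation, the modelling of an RFC 2817 upgrade as a 101 reply carrying the post-upgrade document, and the sample hosts are all assumptions made here.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

# Delegation via <link rel="openid.delegate" href="..."> (OpenID 1.1 style, assumed here).
DELEGATE_RE = re.compile(r'<link\s[^>]*rel="openid\.delegate"[^>]*href="([^"]+)"', re.I)

def normalize(identifier: str) -> str:
    """Step (1): a protocol-less identifier is assumed to be http://."""
    return identifier if identifier.startswith(("http://", "https://")) else "http://" + identifier

def trusted_endpoint(identifier: str, fetch, depth: int = 0) -> Optional[str]:
    """Return the https:// URL the RP may trust for this identifier, or None (don't trust).
    `fetch(url)` returns a Response, or None when the connection fails."""
    url = normalize(identifier)
    if url.startswith("http://"):
        https_url = "https://" + url[len("http://"):]
        resp = fetch(url)
        if resp is not None and resp.status == 101 and resp.headers.get("Upgrade", "").upper().startswith("TLS/"):
            # Step (2): in-band upgrade to TLS. Simplification: the fetcher hands back the document
            # received over the upgraded connection as the body of the 101 reply.
            resp = Response(200, resp.headers, resp.body)
        else:
            # Step (3): anything else, including a 302 to an https:// URL, is ignored (a redirect seen
            # over plain HTTP could have been altered in transit); remap blindly and try SSL.
            resp = fetch(https_url)
        url = https_url
    else:
        resp = fetch(url)
    if resp is None or resp.status != 200:
        return None  # Step (4): no TLS path at all; do not trust this identifier.
    m = DELEGATE_RE.search(resp.body)
    if m and depth < 3:  # same policy for the <link> delegation target; bound the chain length
        return trusted_endpoint(m.group(1), fetch, depth + 1)
    return url

# CONSTRUCTED sample responses standing in for real network fetches.
SAMPLE = {
    "http://foo.example.org": Response(302, {"Location": "https://elsewhere.example.net/"}),
    "https://foo.example.org": Response(200, {}, '<head><link rel="openid.delegate" href="bar.example.org/id"></head>'),
    "http://bar.example.org/id": Response(101, {"Upgrade": "TLS/1.0, HTTP/1.1"}, "<html>bar</html>"),
    "http://plain.example.org": Response(200, {}, "<html>plain http only</html>"),
}
def fake_fetch(url: str) -> Optional[Response]:
    return SAMPLE.get(url)  # unknown URL models a failed connection
```

With the constructed data, `foo.example.org` resolves to `https://bar.example.org/id` because the plain-HTTP redirect is ignored and the delegation target upgrades in-band, while `plain.example.org` is rejected since it has no TLS path at all.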