[OpenID] Question regarding the OpenID Information Cards 1.0

Johnny Bufu johnny at sxip.com
Wed Sep 5 17:50:11 UTC 2007 

On 4-Sep-07, at 7:07 PM, Peter Williams wrote:

> Something is still sticking in my gullet. One never automatically  
> does that which an untrusted party asks you to do. One never  
> follows a url whose form has not been subject to verification. One  
> doesn't follow 1000 redirects each causing you to send off ssl cert  
> chain signals about which root ca sites you trust when you follow  
> https Redirect+1,

In the normal flow, the user asks the RP to follow the URL; in the  
unsolicited auth response flow, it's the OP. From the trust  
perspective (which is not intended to be solved by OpenID), the OP is  
the user's agent, so I don't see a big difference.

As for following too many redirects or other similar scenarios that  
may not be entirely acceptable for the RP, they are no different than  
the normal flow and the RP can take the necessary measures to address  
them. OpenID libraries should be configurable for tuning such things.

> It just feels like the case that I'm sending you an unsolicited  
> html email, and learn you opened it without your control over  
> release of that fact, when your client auto follows the gif links.  
> If we look at modern email clients we don't do that anymore. The  
> sender has to be on a reliance list, before we allow that automatic  
> release of ip/location and time of opening info.

This is a stretch: there's no protocol for consuming (HTML) email  
contents and the user is likely not aware of the implications.

OpenID RPs have already committed to speaking the OpenID protocol.  
Whether they are processing solicited or unsolicited responses makes  
little (or no) difference from the trust perspective.

> But the case of openid+ cardspace sending in the auth resp ( for  
> validation ) is really no different to the rp receiving an  
> unsolicited auth response (without cardspace having been involved,  
> earlier).

Strictly from the OpenID point of view - yes, that's true. However,  
in the OpenID Infocard flow the RP has posted an Infocard OBJECT  
element on their login page, which is the equivalent of a request. So  
I can argue that the OpenID auth response is not entirely unsolicited  
(it's no more unsolicited than any infocard response).


Johnny

More information about the general mailing list