[OpenID] 2-Headed OpenID Auth for Increased Security?

David Fuelling sappenin at gmail.com
Thu Dec 4 06:25:01 UTC 2008


On Mon, Dec 1, 2008 at 10:16 AM, SitG Admin <sysadmin at shadowsinthegarden.com> wrote:

>> On the face of it all, this approach would seem to require two different
>> OpenIDs (one for each OP).  However, using Yadis/XRDS, one could specify a
>> primary and secondary OP for a particular OpenID.
>
> I considered this. However, your risk is now that the host for your URI
> will turn on you or otherwise become compromised (someone breaks into the
> server hosting your site).


Great point, though the alternative below has problems, too -- see below.


>> I suppose there are several ways to make this happen, but I'd appreciate
>> any feedback on this idea...
>
> Why limit it to just *two* heads? One goes down, or is taken down, or the
> route to either is blocked . . . and your security system either prevents
> login, or "gracefully" fails by allowing the user to log in with only one OP
> anyway (when the user *could* have been just *pretending* to be unable to
> contact the second OP from where they were). Give it three, or more - and
> allow the user to specify, on login, *which* OP's they want to use. You can
> even use something similar to the XRI syntax for this, thus gradually
> bringing it into the mainstream by familiarizing users with it;
> http://openid.net/pipermail/general/2008-November/006339.html
> Something like "me.yahoo.com!me.google.com#blind=yes", in a nod to the old
> bang pathing :)
>
> -Shade


This is a good idea in principle, but has the problem of letting a rogue OP
(instead of a signed discovery document that ideally only I control) become
the authority for my OpenID, without my knowledge.

This is a subtle point, but very important.  "Who" the OP is for a
particular URL should be found via Discovery of some sort so that I can
maintain control over that decision.  Allowing the choice to happen at
registration time (e.g.) allows an OP to manipulate this mapping without my
knowledge.

As an example (admittedly weak) I sign up for a bank account at my bank, and
the online account portion occurs a few days later.  My rogue OP somehow
knows this, and tries to register before I do (without my knowledge) and gets
to specify two OP endpoints that it controls (assuming the bank RP allows
the registering user to supply the OP data, instead of honoring the info in
Yadis/XRD).

I know it's a weak example, but hopefully you get the point.
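An RP-side illustration of the point made in this thread, added here as example code (it is not from the original message or from any OpenID library): the OP endpoints for a claimed identifier are taken only from the user's own Yadis/XRDS discovery document, and a login is accepted only when verified assertions came from the required number of those discovered OPs, so endpoints typed in at registration time by a would-be rogue OP carry no weight. The sample XRDS document, the endpoint hostnames, and the use of the XRDS Service priority attribute to express primary/secondary ordering are constructed assumptions for the example.

```python
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
SIGNON_TYPE = "http://specs.openid.net/auth/2.0/signon"

# Constructed sample XRDS for a user's OpenID URL: two signon OPs, with the
# primary given the lower priority value (assumption: priority = ordering).
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-primary.example/auth</URI>
    </Service>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-secondary.example/auth</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def discover_op_endpoints(xrds_text):
    """Return signon OP endpoint URIs from an XRDS document, ordered by the
    Service priority attribute (lower value first = primary)."""
    root = ET.fromstring(xrds_text)
    found = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text}
        if SIGNON_TYPE not in types:
            continue
        prio = int(svc.get("priority", "0"))
        for uri in svc.findall(f"{{{XRD_NS}}}URI"):
            if uri.text:
                found.append((prio, uri.text.strip()))
    found.sort()
    return [uri for _, uri in found]


def authorize_login(xrds_text, asserting_ops, required=2):
    """RP decision for the multi-OP scheme: accept only if positive assertions
    were verified from at least `required` distinct OPs that appear in the
    user's discovery document. OPs the registering user named but discovery
    does not list are ignored, so a rogue OP cannot insert itself."""
    trusted = discover_op_endpoints(xrds_text)
    confirmed = [op for op in trusted if op in set(asserting_ops)]
    return len(confirmed) >= required, confirmed
```

With `required` equal to the number of discovered OPs, the "gracefully fails with one OP" case Shade describes is rejected rather than silently accepted.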