[OpenID] 2-Headed OpenID Auth for Increased Security?

David Fuelling sappenin at gmail.com
Thu Dec 4 06:38:46 UTC 2008


On Mon, Dec 1, 2008 at 7:20 AM, Paul Madsen <paulmadsen at rogers.com> wrote:

>  We toyed with this idea in Liberty for SAML but never did anything with it
> - partly because it would already work out of the box with SSO protocols as
> they are if the RP coordinates the multiple authentications.
>
> We did think of optimizations whereby you could eliminate some redirects by
> having (in OpenID terminology) the first RP indicate to the first OP the
> second OP in the openid.return_to - I'm not sure this would be legal in
> OpenID?
>
> A bit weird, as from the second OP's PoV, it would be getting an
> unsolicited response from the first OP and would have to interpret it as an
> implicit request for authentication ....
>
> Alternatively, the RP could indicate to the first OP that it wanted to
> chain requests to the second OP.
>
> Neither model would seem to mitigate the 'bad OP' risk.
>

Well, if OPs knew how to do some sort of "auth request chaining", then I
suppose the RP would need to verify each auth assertion anyway, so I don't
think a rogue OP1 could try and do anything sneaky (like replacing OP2 with
OP1), because the auth verification would fail back at the RP.  Unless I'm
missing something.

That said, it does seem much simpler to just have the RP do the multiple
redirects and authenticate to multiple OPs (like what David Recordon
suggested in the first response of this thread).  That way each OP auth can
be treated as a discrete authentication (allowing different PAPE responses
for each OP to be sent back to the RP).  Plus, OpenID auth wouldn't really
need to change to make this happen.

I guess the real issue is the integrity of the XRDS info.
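The verification point made above (the RP checks each OP's assertion on its own, so a rogue OP1 standing in for OP2 fails at the RP), as an added illustration that is not code from this thread or from any OpenID library. It models an OpenID 2.0 signed positive assertion with a simplified association: the RP and each OP share an HMAC-SHA1 MAC key directly instead of running the Diffie-Hellman association exchange, the signed-field list is fixed, and discovery results are passed in as a constructed list of endpoints rather than parsed from XRDS. All hostnames, keys and nonces are constructed for the example.

```python
import base64
import hashlib
import hmac

# Fields the OP signs, in key-value form order (simplified; real OPs list them in openid.signed).
SIGNED_FIELDS = (
    "op_endpoint", "claimed_id", "identity", "return_to",
    "response_nonce", "pape.auth_policies",
)


def kv_form(fields, names):
    """OpenID key-value encoding: one 'name:value\\n' line per signed field, in order."""
    return "".join(f"{n}:{fields[n]}\n" for n in names).encode()


def sign(fields, mac_key):
    """HMAC-SHA1 over the key-value form, base64 encoded, as in an OpenID association signature."""
    digest = hmac.new(mac_key, kv_form(fields, SIGNED_FIELDS), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


class OP:
    """An OpenID Provider holding a MAC key it shares with the RP (constructed model)."""

    def __init__(self, endpoint, mac_key, auth_policy):
        self.endpoint = endpoint
        self.mac_key = mac_key
        self.auth_policy = auth_policy  # PAPE policy this OP reports for its own leg

    def respond(self, claimed_id, return_to, nonce, claim_endpoint=None):
        # claim_endpoint lets a scenario model an OP asserting another OP's endpoint,
        # so the RP-side checks below can be shown rejecting it.
        fields = {
            "op_endpoint": claim_endpoint or self.endpoint,
            "claimed_id": claimed_id,
            "identity": claimed_id,
            "return_to": return_to,
            "response_nonce": nonce,
            "pape.auth_policies": self.auth_policy,
        }
        fields["sig"] = sign(fields, self.mac_key)
        return fields


class RelyingParty:
    """RP that treats every OP leg as a discrete authentication and verifies each one."""

    def __init__(self, return_to):
        self.return_to = return_to
        self.associations = {}  # op_endpoint -> MAC key established with that OP
        self.seen_nonces = set()

    def associate(self, op):
        # Stands in for the association exchange; the key is bound to the OP endpoint.
        self.associations[op.endpoint] = op.mac_key

    def verify(self, response, expected_endpoint):
        """Check one assertion against the OP that discovery named for this leg."""
        if response["op_endpoint"] != expected_endpoint:
            return False, "op_endpoint does not match discovered endpoint"
        if response["return_to"] != self.return_to:
            return False, "return_to mismatch"
        if response["response_nonce"] in self.seen_nonces:
            return False, "replayed response_nonce"
        mac_key = self.associations.get(expected_endpoint)
        if mac_key is None:
            return False, "no association with this OP"
        # The key is looked up by the *expected* endpoint, so a signature made by a
        # different OP cannot verify even if it claims the right op_endpoint.
        if not hmac.compare_digest(sign(response, mac_key), response["sig"]):
            return False, "bad signature"
        self.seen_nonces.add(response["response_nonce"])
        return True, response["pape.auth_policies"]

    def two_headed_login(self, discovered_endpoints, responses):
        """Require one valid assertion per discovered OP; return per-OP PAPE policies on success."""
        if len(discovered_endpoints) != len(responses):
            return False, "one response required per discovered OP"
        policies = {}
        for endpoint, resp in zip(discovered_endpoints, responses):
            ok, detail = self.verify(resp, endpoint)
            if not ok:
                return False, f"{endpoint}: {detail}"
            policies[endpoint] = detail
        return True, policies
```

Each leg is verified with the association key of the OP that discovery named for that leg, which is the property the thread relies on: an assertion for the OP2 slot signed by OP1 fails the signature check, and an assertion that names OP1's endpoint in the OP2 slot fails the endpoint check. The per-leg return value also carries the PAPE policy each OP reported, so the RP can apply different policy requirements to each OP.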