[OpenID] The complexity of OpenID, and imperfect RPs
Andrew Arnott
andrewarnott at gmail.com
Wed Jul 30 16:46:10 UTC 2008
I have been shifting my identity to my own i-name, and adding several
authentication SEPs so that regardless of which RP I sign into, a supported
OP ought to be found in my list (if the RP were to use a whitelist for
example). In theory, it's really cool. I can log in as =Arnott anywhere
(that takes OpenID) and my CanonicalID is used so my identity is secure for
my whole life. Great... in theory.
Here are some of the harsh realities I've encountered while trying to live
in this ideal situation:
1. The RP selects the wrong OP from the XRDS document (it supports
any/all of the OPs, but chooses the first listed one rather than the one
with the best priority rating).
2. The RP attempts authentication against one of my OPs (whether it's my
preferred one or not) and fails, whether it's a discovery failure, an
assertion verification failure, or whatever.
3. Although many RPs can authenticate me as =Arnott, for the ones that can't
I try http://blog.nerdbank.net, which includes both an XRDS reference
and the standard OpenID LINK tags. If this succeeds, now I've got to
remember which sites I've logged into as =Arnott vs. blog.nerdbank.net.
If this fails, then I can choose to either surrender my attempt at using my
own personalized identifier and start trying my individual OP-assigned
identifiers, or just give up and leave the RP.
4. Upon successful authentication, the RP incorrectly stores my
user-supplied identifier (=Arnott) instead of my claimed identifier
(=!9B72.7DD1.50A9.5CCD). Since I have no/little way of realizing this, I
naively believe that my identity on this site is secure, but when I
eventually surrender my =Arnott i-name for another one but keep my
CanonicalID, the site doesn't recognize me as the same person, and worse,
someone else assumes my identity.
5. Many RPs choose to use their own home-spun minimal implementation of
OpenID that is full of security holes (I've seen plenty). As a logging in
user, I have no way to know whether this is a decent implementation of
OpenID that I'm logging into or not. If I doubt it at all, then I must
assume that anyone else can spoof my identity on this site by exploiting one
of the many bugs common in these home-spun implementations.
Correctly processing an XRDS document in a fully XRDS spec-compliant way is
no small task, and I'd wager that most or all of the OpenID libraries do not
do it perfectly. This means that any user trying to make the most of OpenID
will likely be unable to log into some RP web sites, or perhaps may be able
to but be unaware that the RP incorrectly interpreted the XRDS doc and
stored something wrong about his identity.
*Suggestions*
It seems to me that if an RP doesn't want to risk losing visitors due to
their unexpected or perhaps buggy identifiers/OPs, an RP should probably
have a list of known-compatible OPs on any authentication error page it
might display.
I have a suggestion for the other problem(s), but I'm still working out
details. I may propose it to this list soon.
In the meantime, does anyone else have thoughts regarding how to help solve
these problems? Obviously, "implement the spec correctly" is the trivial
answer. I'm looking for ideas on how to promote reuse of libraries
<http://blog.nerdbank.net/2008/04/argument-for-extra-dependency-of.html> rather
than home-spun implementations, and how to assure users that the
right things are happening behind the scenes at the RP so that he/she can
trust the site.
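The first and fourth problems in the list above (an RP that takes the first Service element instead of the one with the best priority, and an RP that keys the account on the typed i-name =Arnott instead of the CanonicalID) come down to two small pieces of XRDS handling. The code below is an added example for this archive page, not code from the post or from any OpenID library: the XRDS document is constructed for illustration (the CanonicalID is the one quoted in the post; the OP endpoint hostnames and all function names are invented), and the CanonicalID verification step that a real XRI resolver must perform is left out.

```python
"""Pick the OpenID service from an XRDS by priority, and store the claimed
(canonical) identifier rather than the user-supplied i-name.

Added example; all names here are illustrative, not any library's API."""
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"

# Constructed XRDS. The CanonicalID is the one from the post; the three OP
# endpoints are made up. Note the best-priority service is NOT listed first,
# and the last service carries no priority attribute at all.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Query>*Arnott</Query>
    <Status code="100"/>
    <CanonicalID>=!9B72.7DD1.50A9.5CCD</CanonicalID>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-b.example/server</URI>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-a.example/server</URI>
    </Service>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-c.example/server</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def _tag(local):
    return "{%s}%s" % (XRD_NS, local)


def _priority(elem):
    # Lower value means higher priority; an element with no (or a malformed)
    # priority attribute ranks after every element that has one.
    try:
        return int(elem.get("priority"))
    except (TypeError, ValueError):
        return float("inf")


def ordered_endpoints(xrds_text, service_type=OPENID2_SIGNON):
    """Return OP endpoint URIs for every matching Service, best priority first.

    Ties are broken by document order here (deterministic); a resolver is
    allowed to pick randomly among equal priorities instead."""
    root = ET.fromstring(xrds_text)
    xrds = root.findall(_tag("XRD"))
    if not xrds:
        raise ValueError("no XRD element in XRDS")
    final_xrd = xrds[-1]  # the last XRD describes the fully resolved identifier
    found = []
    for idx, svc in enumerate(final_xrd.findall(_tag("Service"))):
        types = [t.text.strip() for t in svc.findall(_tag("Type")) if t.text]
        if service_type not in types:
            continue
        # Multiple URI children are themselves priority-ordered.
        for uri in sorted(svc.findall(_tag("URI")), key=_priority):
            if uri.text:
                found.append((_priority(svc), idx, uri.text.strip()))
    found.sort(key=lambda entry: (entry[0], entry[1]))
    return [entry[2] for entry in found]


def canonical_id(xrds_text):
    """CanonicalID of the final XRD, or None if the resolver did not supply one."""
    root = ET.fromstring(xrds_text)
    final_xrd = root.findall(_tag("XRD"))[-1]
    cid = final_xrd.find(_tag("CanonicalID"))
    return cid.text.strip() if cid is not None and cid.text else None


def identifier_to_store(user_supplied, xrds_text):
    """The value an RP should key the account on.

    For an XRI the i-name (=Arnott) can be given up and reassigned, so the
    account must be tied to the persistent CanonicalID. For a URL identifier
    the claimed identifier comes out of URL normalisation and discovery, which
    this example does not perform; the input is passed through unchanged."""
    if user_supplied.startswith(("=", "@", "+", "$", "!")):
        cid = canonical_id(xrds_text)
        if cid is None:
            raise ValueError("XRI resolved without a CanonicalID; refuse the login")
        return cid
    return user_supplied


if __name__ == "__main__":
    print(ordered_endpoints(SAMPLE_XRDS))
    print(identifier_to_store("=Arnott", SAMPLE_XRDS))
```

Run as-is it prints the endpoints in priority order (op-a, op-b, then the priority-less op-c) and the CanonicalID rather than =Arnott. An RP that walked the Service list in document order, as the post describes, would have started with op-b.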