[OpenID] The complexity of OpenID, and imperfect RPs

Shane B Weeden sweeden at au1.ibm.com
Wed Jul 30 21:52:40 UTC 2008

As a developer of an implementation (which no doubt still needs work), I 
would really like to see and contribute to a bunch of published test cases 
which describe and expose common vulnerabilities and implementation 
issues. I am loath to say conformance or interoperability testing as having 
been involved in both those activities before I know they typically end up 
with the "lowest common denominator that works". What I am talking about 
is test cases or at least a guide/FAQ which describes scenarios that 
expose common problems. The list you've described below is good input and 
definitely something I'll be working through. Having this information on a 
developer FAQ/wiki would be useful too. 

Regards,
Shane.

"Andrew Arnott" <andrewarnott at gmail.com> 
Sent by: general-bounces at openid.net
31/07/2008 02:46 AM

To: "OpenID List" <general at openid.net>
cc:
Subject: [OpenID] The complexity of OpenID, and imperfect RPs

I have been shifting my identity to my own i-name, and adding several 
authentication SEPs so that regardless of which RP I sign into, a 
supported OP ought to be found in my list (if the RP were to use a 
whitelist for example).  In theory, it's really cool.  I can log in as 
=Arnott anywhere (that takes OpenID) and my CanonicalID is used so my 
identity is secure for my whole life.  Great... in theory.

Here are some of the harsh realities I've encountered while trying to live 
in this ideal situation:
1. The RP selects the wrong OP from the XRDS document (it supports 
any/all of the OPs, but chooses the first listed one rather than the one 
with the best priority rating).
2. The RP attempts authentication against one of my OPs (whether it's 
my preferred one or not) and fails, whether it's a discovery failure, an 
assertion verification failure, or whatever.
3. Although many RPs can authenticate me as =Arnott, at the ones that 
can't I try http://blog.nerdbank.net, which includes both an XRDS 
reference and the standard OpenID LINK tags.  If this succeeds, now I've 
got to remember which sites I've logged into as =Arnott vs. 
blog.nerdbank.net.  If this fails, then I can choose to either surrender 
my attempt at using my own personalized identifier and start trying my 
individual OP-assigned identifiers, or just give up and leave the RP.
4. Upon successful authentication, the RP incorrectly stores my 
user-supplied identifier (=Arnott) instead of my claimed identifier 
(=!9B72.7DD1.50A9.5CCD).  Since I have no/little way of realizing this, I 
naively believe that my identity on this site is secure, but when I 
eventually surrender my =Arnott i-name for another one but keep my 
CanonicalID, the site doesn't recognize me as the same person, and worse, 
someone else assumes my identity.
5. Many RPs choose to use their own home-spun minimal implementation 
of OpenID that is full of security holes (I've seen plenty).  As a logging 
in user, I have no way to know whether this is a decent implementation of 
OpenID that I'm logging into or not.  If I doubt it at all, then I must 
assume that anyone else can spoof my identity on this site by exploiting 
one of the many bugs common in these home-spun implementations.

Correctly processing an XRDS document in a fully XRDS spec-compliant way 
is no small task, and I'd wager that most or all of the OpenID libraries 
do not do it perfectly.  This means that any user trying to make the most 
of OpenID will likely be unable to log into some RP web sites, or perhaps 
may be able to but be unaware that the RP incorrectly interpreted the XRDS 
doc and stored something wrong about his identity.  

Suggestions
It seems to me that if an RP doesn't want to risk losing visitors due to 
their unexpected or perhaps buggy identifiers/OPs, an RP should probably 
have a list of known-compatible OPs on any authentication error page it 
might display.
I have a suggestion for the other problem(s), but I'm still working out 
details.  I may propose it to this list soon.

In the meantime, does anyone else have thoughts regarding how to help 
solve these problems?  Obviously, "implement the spec correctly" is the 
trivial answer.  I'm looking for ideas on how to promote reuse of 
libraries rather than home-spun implementations, and how to assure users 
that the right things are happening behind the scenes at the RP so that 
he/she can trust the site.

_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
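The two RP-side mistakes in items 1 and 4 of Andrew's list (taking the first listed Service instead of the best-priority one, and persisting the user-supplied i-name instead of the CanonicalID) as an added example; this is not code from the thread or from any OpenID library. It orders XRDS Service and URI elements the way the XRI Resolution spec orders them (ascending numeric priority, elements with no priority attribute last, ties broken at random), filters to the OpenID 2.0 signon type, and returns the identifier an RP should key the account on. The XRDS document, the hostnames and the function names are constructed for the example; the CanonicalID value is the one quoted in the message above.

```python
"""Pick the OpenID OP endpoint from an XRDS document by priority, and
record the account under the CanonicalID, not the user-supplied i-name.

Example code added to this archive page; not from any OpenID library.
"""
import random
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"

# Constructed XRDS: three OpenID 2.0 OPs listed out of priority order on
# purpose, plus a legacy 1.1 service.  The .example hostnames are placeholders.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Query>*Arnott</Query>
    <Status code="100"/>
    <CanonicalID>=!9B72.7DD1.50A9.5CCD</CanonicalID>
    <Service priority="30">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-c.example/endpoint</URI>
    </Service>
    <Service>
      <Type>http://openid.net/signon/1.1</Type>
      <URI>https://legacy.example/endpoint</URI>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI priority="2">https://op-a-backup.example/endpoint</URI>
      <URI priority="1">https://op-a.example/endpoint</URI>
    </Service>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-b.example/endpoint</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def _priority_key(elem):
    """XRI Resolution ordering: numeric priority ascending; an element with
    no priority attribute sorts after every element that has one."""
    p = elem.get("priority")
    return (1, 0) if p is None else (0, int(p))


def ordered(elems, rng=None):
    """Shuffle first so that equal priorities come out in random order
    (the spec's tie-break), then stable-sort by priority."""
    rng = rng or random
    shuffled = list(elems)
    rng.shuffle(shuffled)
    return sorted(shuffled, key=_priority_key)


def select_openid_endpoints(xrds_text, rng=None):
    """Return (canonical_id, [OP endpoint URIs, best first]) for the
    OpenID 2.0 signon service type.  Document order is ignored; the RP
    tries endpoints in the returned order and falls through on failure."""
    root = ET.fromstring(xrds_text)
    xrd = root.findall(f"{{{XRD_NS}}}XRD")[-1]  # final XRD describes the target
    cid = xrd.find(f"{{{XRD_NS}}}CanonicalID")
    canonical_id = cid.text.strip() if cid is not None and cid.text else None

    endpoints = []
    for svc in ordered(xrd.findall(f"{{{XRD_NS}}}Service"), rng):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text}
        if OPENID2_SIGNON not in types:
            continue  # wrong protocol version, skip this Service entirely
        for uri in ordered(svc.findall(f"{{{XRD_NS}}}URI"), rng):
            if uri.text:
                endpoints.append(uri.text.strip())
    return canonical_id, endpoints


def identifier_to_store(user_supplied, canonical_id):
    """The key the RP persists for the account.  An i-name like =Arnott can
    be given up and reassigned to someone else; the CanonicalID (i-number)
    is permanent, so that is the claimed identifier to store.  Only a plain
    URL identifier with no CanonicalID is stored as typed."""
    return canonical_id or user_supplied


if __name__ == "__main__":
    cid, eps = select_openid_endpoints(SAMPLE_XRDS)
    print("store as:", identifier_to_store("=Arnott", cid))
    for ep in eps:
        print("try:", ep)
```

The ordering and storage rules are only half of the job: before the stored CanonicalID can be trusted, the RP still has to confirm that it came from a resolution it trusts and that the OP's positive assertion is for that same claimed identifier, otherwise a tampered XRDS could bind someone else's i-number to the account.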
