[OpenID] The complexity of OpenID, and imperfect RPs

Nat Sakimura sakimura at gmail.com
Wed Jul 30 22:36:03 UTC 2008


+1
We are also starting to generate those tests.
Conformance tests and the assessment of RPs are badly needed.
My idea is to publish these conformance results and an overall score through
a yet-to-be-specified "reputation service", so that users will have some kind
of indication on whether to trust the RP.

Perhaps we should join our efforts to accelerate this.

=nat

On Thu, Jul 31, 2008 at 6:52 AM, Shane B Weeden <sweeden at au1.ibm.com> wrote:

>
> As a developer of an implementation (which no doubt still needs work), I
> would really like to see and contribute to a bunch of published test cases
> which describe and expose common vulnerabilities and implementation issues.
> I am loath to say conformance or interoperability testing, as having been
> involved in both those activities before I know they typically end up with
> the "lowest common denominator that works". What I am talking about is test
> cases or at least a guide/FAQ which describes scenarios that expose common
> problems. The list you've described below is good input and definitely
> something I'll be working through. Having this information on a developer
> FAQ/wiki would be useful too.
>
> Regards,
> Shane.
>
>
> "Andrew Arnott" <andrewarnott at gmail.com>
> Sent by: general-bounces at openid.net
> 31/07/2008 02:46 AM
> To: "OpenID List" <general at openid.net>
> cc:
> Subject: [OpenID] The complexity of OpenID, and imperfect RPs
>
> I have been shifting my identity to my own i-name, and adding several
> authentication SEPs so that regardless of which RP I sign into, a supported
> OP ought to be found in my list (if the RP were to use a whitelist for
> example).  In theory, it's really cool.  I can log in as =Arnott anywhere
> (that takes OpenID) and my CanonicalID is used so my identity is secure for
> my whole life.  Great... in theory.
>
> Here are some of the harsh realities I've encountered while trying to live
> in this ideal situation:
> 1. The RP selects the wrong OP from the XRDS document (it supports
> any/all of the OPs, but chooses the first listed one rather than the one
> with the best priority rating).
> 2. The RP attempts authentication against one of my OPs (whether
> it's my preferred one or not) and fails, whether it's a discovery failure,
> an assertion verification failure, or whatever.
> 3. Although many RPs can authenticate me as =Arnott, on the ones that
> can't, I try http://blog.nerdbank.net/, which
> includes both an XRDS reference and the standard OpenID LINK tags.  If
> this succeeds, now I've got to remember which sites I've logged into as
> =Arnott vs. blog.nerdbank.net.  If this
> fails, then I can choose to either surrender my attempt at using my own
> personalized identifier and start trying my individual OP-assigned
> identifiers, or just give up and leave the RP.
> 4. Upon successful authentication, the RP incorrectly stores my
> user-supplied identifier (=Arnott) instead of my claimed identifier
> (=!9B72.7DD1.50A9.5CCD).  Since I have no/little way of realizing this, I
> naively believe that my identity on this site is secure, but when I
> eventually surrender my =Arnott i-name for another one but keep my
> CanonicalID, the site doesn't recognize me as the same person, and worse,
> someone else assumes my identity.
> 5. Many RPs choose to use their own home-spun minimal
> implementation of OpenID that is full of security holes (I've seen plenty).
> As a logging-in user, I have no way to know whether this is a decent
> implementation of OpenID that I'm logging into or not.  If I doubt it at
> all, then I must assume that anyone else can spoof my identity on this site
> by exploiting one of the many bugs common in these home-spun
> implementations.
>
> Correctly processing an XRDS document in a fully XRDS spec-compliant way is
> no small task, and I'd wager that most or all of the OpenID libraries do not
> do it perfectly.  This means that any user trying to make the most of OpenID
> will likely be unable to log into some RP web sites, or perhaps may be able
> to but be unaware that the RP incorrectly interpreted the XRDS doc and
> stored something wrong about his identity.
>
> Suggestions
> It seems to me that if an RP doesn't want to risk losing visitors due to
> their unexpected or perhaps buggy identifiers/OPs, an RP should probably
> have a list of known-compatible OPs on any authentication error page it
> might display.
> I have a suggestion for the other problem(s), but I'm still working out
> details.  I may propose it to this list soon.
>
> In the meantime, does anyone else have thoughts regarding how to help solve
> these problems?  Obviously, "implement the spec correctly" is the trivial
> answer.  I'm looking for ideas on how to promote reuse of libraries
> <http://blog.nerdbank.net/2008/04/argument-for-extra-dependency-of.html>
> rather than home-spun implementations, and how to assure users that the
> right things are happening behind the scenes at the RP so that he/she can
> trust the site.
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general


-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
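Added example (not part of this thread, and not code from any OpenID library): a
small Python 3 script, standard library only, showing the two RP-side discovery
mistakes in items 1 and 4 of Andrew's list. The XRDS document and the OP endpoint
URLs in it are constructed for the example and are hypothetical; the CanonicalID
is the one quoted in the thread. `naive_first_service` is the buggy behaviour
(first <Service> in document order), `select_service` honours the XRI Resolution
priority rules (lower number wins, no attribute means lowest priority, ties broken
at random), and `claimed_identifier_for_xri` returns what an RP should persist for
an i-name login: the CanonicalID, and only when resolution reports it verified.

```python
import random
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"

# Constructed sample XRDS for this example: the OPs and endpoint URLs are
# hypothetical. The preferred service (priority="10") is deliberately not
# listed first, and within it the preferred <URI> (priority="1") is second.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Query>*Arnott</Query>
    <Status cid="verified" code="100"/>
    <CanonicalID>=!9B72.7DD1.50A9.5CCD</CanonicalID>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-b.example/openid</URI>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI priority="5">https://op-a-backup.example/openid</URI>
      <URI priority="1">https://op-a.example/openid</URI>
    </Service>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-c.example/openid</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def _q(tag):
    """Qualify a tag name with the XRD 2.0 namespace."""
    return "{%s}%s" % (XRD_NS, tag)


def _priority(el):
    """XRI Resolution 2.0 priority: lower number wins; no attribute = lowest."""
    p = el.get("priority")
    return int(p) if p is not None else float("inf")


def _last_xrd(root):
    """The final <XRD> in the chain describes the identifier being resolved."""
    xrds = root.findall(_q("XRD"))
    if not xrds:
        raise ValueError("XRDS document contains no XRD element")
    return xrds[-1]


def _services_of_type(xrd, service_type):
    """All <Service> elements advertising the requested <Type>, in document order."""
    return [s for s in xrd.findall(_q("Service"))
            if service_type in [t.text.strip() for t in s.findall(_q("Type"))]]


def naive_first_service(xrds_text, service_type=OPENID2_SIGNON):
    """Item 1 as a bug: takes the first matching service, priority ignored."""
    xrd = _last_xrd(ET.fromstring(xrds_text))
    for svc in _services_of_type(xrd, service_type):
        return svc.find(_q("URI")).text.strip()
    return None


def select_service(xrds_text, service_type=OPENID2_SIGNON, rng=random):
    """Item 1 done right: best-priority <Service>, then best-priority <URI>
    inside it; equal priorities are chosen between at random."""
    xrd = _last_xrd(ET.fromstring(xrds_text))
    candidates = _services_of_type(xrd, service_type)
    if not candidates:
        return None
    best = min(_priority(s) for s in candidates)
    svc = rng.choice([s for s in candidates if _priority(s) == best])
    uris = svc.findall(_q("URI"))
    if not uris:
        return None
    best_uri = min(_priority(u) for u in uris)
    return rng.choice([u for u in uris if _priority(u) == best_uri]).text.strip()


def claimed_identifier_for_xri(xrds_text, user_supplied):
    """Item 4: for an XRI the identifier to persist is the CanonicalID (an
    i-number), and only once resolution reports it verified (Status code 100
    with cid="verified"). The typed i-name (=Arnott) is reassignable, so it
    must never be the account key."""
    if not user_supplied.startswith(("=", "@", "+", "$", "!", "xri://")):
        raise ValueError("helper handles XRI i-names/i-numbers only: %r" % user_supplied)
    xrd = _last_xrd(ET.fromstring(xrds_text))
    status = xrd.find(_q("Status"))
    cid = xrd.find(_q("CanonicalID"))
    if (status is None or status.get("code") != "100"
            or status.get("cid") != "verified" or cid is None or not cid.text):
        raise ValueError("CanonicalID absent or unverified; refusing to trust %r" % user_supplied)
    return cid.text.strip()


if __name__ == "__main__":
    print("naive RP picks  :", naive_first_service(SAMPLE_XRDS))
    print("correct RP picks:", select_service(SAMPLE_XRDS))
    print("identifier kept :", claimed_identifier_for_xri(SAMPLE_XRDS, "=Arnott"))
```

Running it prints the op-b endpoint for the naive path and the op-a endpoint for
the priority-aware one, and "=!9B72.7DD1.50A9.5CCD" as the value to store; change
the Status to cid="failed" and the last call refuses rather than silently keying
the account on "=Arnott".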