[OpenID] Tailoring headers to Consumers
Manger, James H
James.H.Manger at team.telstra.com
Mon Jun 2 00:42:50 UTC 2008
Shade,

Nice idea.
There are quite a few useful things that can be done during discovery...
if the web site serving your OpenID (HTML and/or XRDS doc) knows which RP a discovery request is purportedly coming from.

I think RPs should identify themselves during discovery to enable these use cases.
An RP could include a "From:" HTTP header field during discovery.
That is better than relying on User-Agent values or IP addresses.

I proposed this last October.
http://openid.net/pipermail/specs/2007-October/002007.html
There have been a few extra use cases since then from other people so perhaps it is worth pushing this simple idea again.

Use cases:
1. Use different OPs for different RPs,
   without needing multiple OpenIDs or special support at an OP.
2. Redirect RPs to HTTPS, but not all other visitors to your site.
   [Jan 2008, Trevor Johns,
   http://openid.net/pipermail/general/2008-January/003891.html]
3. Limiting damage if an OP is compromised, etc.
   [Shade / SitG Admin]

PAPE is a partial alternative (different RPs can ask for different auth strengths).
Changing openid.identity at the OP (like when using an OP identity) is another partial alternative.
Those alternatives have different dependencies (on the RPs and OPs) so are not always suitable. They certainly are not always the easiest solution.

James Manger

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of SitG Admin
Sent: Saturday, 31 May 2008 1:53 PM
To: general at openid.net
Subject: [OpenID] Tailoring headers to Consumers

Something that I've been contemplating for a bit, and generally
having a disturbing lack of success finding problems with, is the
idea of having my server only include some OpenID headers when myself
or a pre-identified Relying Party (by IP and/or UserAgent) requests
the page. Visitors could of course adjust their own UserAgent (to see
my OpenID) with ease; that's not what I'm trying to affect, though.
The *point* would be to control whether a non-hostile Consumer sees
*any* OpenID headers at my site; if not, fraudulently representing
themselves as me would be difficult, even if they *could* spoof my
credentials. This could provide a layer of protection against
Providers that turn out to be hostile or vulnerable to a hostile
party's theft of their authentication records. There are also some
possible benefits in being able to effectively use *multiple*
Providers, simultaneously; for unimportant sites or leaving comments,
a Provider with weak authentication, while for important sites, a
Provider with biometrics and smart cards and fractally changing
passwords.

Since I'm unlikely to know the library (this affects UserAgent) a
Consumer is using when I first try to sign in there, I would have to
try once while looking at my access logs to figure it out. This is an
inconvenience, but one I'm okay with.

(I might be able to eliminate the need for SSH access to my server
with a bit of code to publish *just the UserAgent headers* from the
last few minutes' worth of requests - whether that page's URL is
secret or not, there's not much in there to violate my users'
privacy. Most sites I've tried logging into request the claimed
Identity page with something common (but not used by casual visitors)
like cURL, so if this continues to be the case it'd be a rare site
that required me to wait until I could check my server's logs for an
IP.)

-Shade (thinking of crossposting this to security@)
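
An added illustration of the idea discussed in this thread (not code from either poster or from any OpenID library): a claimed-identifier page that picks which OP to advertise from the RP's self-declared "From:" header, sends identified RPs to HTTPS, and serves no OpenID tags to anyone else. The policy table, mailbox addresses and URLs are constructed placeholders.

```python
from html import escape

# Constructed policy: RP's From header value -> OP advertised to that RP.
RP_POLICY = {
    "openid@blog.example": {"provider": "https://weak-op.example/server",
                            "local_id": "https://weak-op.example/shade"},
    "openid@bank.example": {"provider": "https://strong-op.example/server",
                            "local_id": "https://strong-op.example/shade"},
}
HTTPS_URL = "https://id.example/"  # placeholder HTTPS form of the identifier


def identify_rp(headers):
    """Return the RP named in the From header if it is in the policy, else None.

    The value is self-declared and unauthenticated: it only selects which OP
    is advertised, it is never proof of who is asking.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    sender = lowered.get("from", "").strip().lower()
    return sender if sender in RP_POLICY else None


def discovery_response(headers, scheme="http"):
    """Return (status, response_headers, head_fragment) for the identity page."""
    # The body depends on From, so caches must key on it.
    out = {"Vary": "From"}
    rp = identify_rp(headers)
    if rp is None:
        # Unidentified requester: ordinary page, no OpenID link tags at all.
        return 200, out, ""
    if scheme != "https":
        # Only identified RPs are redirected to HTTPS (use case 2).
        out["Location"] = HTTPS_URL
        return 302, out, ""
    op = RP_POLICY[rp]
    links = "\n".join(
        f'<link rel="{rel}" href="{escape(op[key], quote=True)}">'
        for rel, key in (("openid2.provider", "provider"),
                         ("openid2.local_id", "local_id")))
    return 200, out, links
```
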