[OpenID] XRDS multi-OP listing?

SitG Admin sysadmin at shadowsinthegarden.com
Thu Jun 5 22:58:34 UTC 2008 

>Again, I can get behind the use-case but I'm incredibly hesitant about
>making RPs do additional work. Turning a site into an RP is already a
>tough sell.

If added to the spec, this can be "the RP *may*" instead of "the RP 
*should*", putting it in the same class as all those other optional 
features. RP's could decide to offer it to their users at any time, 
but including it wouldn't be necessary to get the basics operating.

>You got me thinking though about a way for the user (or someone on his
>behalf) host the selector himself.

I found this idea to be very exciting at first, because it would 
allow users without dynamic coding ability *or* hosts that support 
server-side scripting to outsource the job to sites that *do*. And at 
first I was thinking that the privacy-enhancing effect from 
decentralization would be even more available, since the ID selector 
would be very simple compared to implementing an OpenID server or 
similar, enabling just about *anyone* to run a selector - but then I 
realized that it'd *also* be introducing yet another point of 
*failure*. You're essentially doing the equivalent of giving some 
third party root access to your OpenID headers, without exposing the 
rest of your site to their access or control, but that third party 
can be hostile or become compromised. Is the security at this third 
party equal to or superior to what you use to protect your site?

The person hosting your OP selector can keep records for the user of 
what OP's have been designated in the past, but that same person 
could omit from their records any sign that they were having their 
selector redirect requests from certain RP's to an OP they 
controlled, so it's a bit more serious than just a compromised OP; 
how do you know whether your OP was used or the person hosting your 
selector authenticated as you using another OP or the RP for some 
reason logged you in without properly verifying your identity?

Some of these concerns should also bounce back to the URI, though; if 
a hostile party broke into your account at the site, and changed your 
headers just long enough to log in somewhere, then changed them back, 
how would you know where your security had been compromised?

Perhaps the "Wait, someone got compromised but who was it?" issue is 
misplaced; we can hardly be upset about the missing knowledge if we 
wouldn't have known anyway.

-Shade

More information about the general mailing list