[OpenID] OpenID SREG best practice question
Peter Williams
pwilliams at rapattoni.com
Fri Nov 14 16:19:52 UTC 2008
It would be interesting to see if one can measure any side channels in the protocol, by the OP leaking info:
1. An unauthorized third party can use it and determine if an OP has ever interacted with a given RP.
2. An unauthorized third party can use it and determine if some user currently has a session on the OP.
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of George Fletcher
Sent: Friday, November 14, 2008 7:22 AM
To: Breno de Medeiros
Cc: general at openid.net
Subject: Re: [OpenID] OpenID SREG best practice question
Comments inline...
Just to make sure I understand. In this scenario, the RP is sending the
checkid_immediate along with the AX query. Then at the Google OP, it
first checks to see if the user is logged in. If the user is logged into
the Google OP, then...
1. If they've interacted with the RP before and set the auto-approve
flag, then checkid_immediate will succeed but will not send the email
address.
2. If the user has not interacted with the RP before, then
checkid_immediate will fail so that the user will be forced through the
UI to give consent to return the email address.
3. If the user has interacted with the RP in the past, but has not
given auto-approval, then again checkid_immediate will fail because the
user needs to consent to release of their email address.
Obviously, if the user is not logged in, checkid_immediate will fail :)
So if I've got the logic right, then checkid_immediate will only succeed
with the Google OP if the user is logged in and has set the
auto-approval flag.
Thanks,
George
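The decision table George lays out above (one success case, three failure cases) is small enough to model directly. The following is an added example, not code from either poster nor from Google's OP: it encodes those four states as a single `checkid_immediate` decision and then groups the states by the response mode an observer would see, which is the first thing to check when asking whether immediate mode leaks session or prior-interaction state. The user name, identifier URL, RP realm and the shape of the consent store are all made-up assumptions, and the model covers only the success/setup_needed decision, not which attributes are released.

```python
"""Model of the OP-side checkid_immediate decision described in the thread.

Constructed example: the user, URLs and consent store are hypothetical.
Only the immediate-mode decision (id_res vs setup_needed) is modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

OPENID_NS = "http://specs.openid.net/auth/2.0"


@dataclass
class OPState:
    # Who the OP's session cookie identifies for this browser, or None.
    session_user: Optional[str] = None
    # (user, rp_realm) -> auto_approve flag. A key is present only if the
    # user has been through the consent UI for that RP at least once.
    consents: Dict[Tuple[str, str], bool] = field(default_factory=dict)


def setup_needed() -> dict:
    """OpenID 2.0 negative response to a checkid_immediate request."""
    return {"openid.ns": OPENID_NS, "openid.mode": "setup_needed"}


def checkid_immediate(op: OPState, claimed_id: str, realm: str) -> dict:
    """Return the OP's immediate-mode response for one request.

    claimed_id and realm come from the RP's request; the session comes
    from the OP's own cookie (op.session_user). Hypothetical convention:
    the identifier URL ends in "/<user>".
    """
    user = op.session_user
    # No session, or a session for a different identifier: cannot assert.
    if user is None or not claimed_id.endswith("/" + user):
        return setup_needed()
    flag = op.consents.get((user, realm))
    # Case 2: never interacted with this RP, consent UI required.
    if flag is None:
        return setup_needed()
    # Case 3: interacted before without auto-approve, consent UI required.
    if not flag:
        return setup_needed()
    # Case 1: logged in and auto-approve set, positive assertion.
    return {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
    }


# Hypothetical RP realm and user identifier used by the scenarios below.
RP_REALM = "https://rp.example/"
CLAIMED_ID = "https://op.example/id/alice"


def scenario_modes() -> Dict[str, str]:
    """Run the four states from the thread and return state -> response mode."""
    scenarios = {
        "not_logged_in": OPState(None, {("alice", RP_REALM): True}),
        "no_prior_interaction": OPState("alice", {}),
        "prior_no_auto_approve": OPState("alice", {("alice", RP_REALM): False}),
        "auto_approve": OPState("alice", {("alice", RP_REALM): True}),
    }
    return {
        name: checkid_immediate(op, CLAIMED_ID, RP_REALM)["openid.mode"]
        for name, op in scenarios.items()
    }


def distinguishable_states() -> Dict[str, List[str]]:
    """Group the states by the response mode an observer would receive.

    States that share a group cannot be told apart from the mode alone.
    """
    groups: Dict[str, List[str]] = {}
    for state, mode in scenario_modes().items():
        groups.setdefault(mode, []).append(state)
    return {mode: sorted(states) for mode, states in groups.items()}


if __name__ == "__main__":
    for mode, states in distinguishable_states().items():
        print(mode, "<-", ", ".join(states))
```

Under the logic as described, the three failing states all collapse to the same `setup_needed` response, so the response mode on its own does not separate "no session" from "no prior consent" from "consent without auto-approve"; a positive `id_res` is the only outcome that carries state, and it is only issued to the RP named in the request. Anything beyond that (timing, redirect targets, or a real OP's extra fields) is outside this model.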