[OpenID] OpenID SREG best practice question

Breno de Medeiros breno at google.com
Fri Nov 14 16:24:44 UTC 2008


On Fri, Nov 14, 2008 at 8:19 AM, Peter Williams <pwilliams at rapattoni.com> wrote:
> Be interesting to see if one can measure any side channels in the protocol, by the OP leaking info:
>
> 1. An unauthorized third party can use it and determine if an OP has ever interacted with a given RP.

Not sure if that is an interesting issue, unless the RP has very few users.

>
> 2. An unauthorized third party can use it and determine if some user currently has a session on the OP.

The OP determines that the user has a session by using cookies, so
that is not an OpenID-specific behavior. I am fairly certain such
channels already exist and are independent of OpenID.

>
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of George Fletcher
> Sent: Friday, November 14, 2008 7:22 AM
> To: Breno de Medeiros
> Cc: general at openid.net
> Subject: Re: [OpenID] OpenID SREG best practice question
>
> Comments inline...
>
>
>
> Just to make sure I understand. In this scenario, the RP is sending the
> checkid_immediate along with the AX query. Then at the Google OP, it
> first checks to see if the user is logged in. If the user is logged into
> the Google OP, then...
>  1. If they've interacted with the RP before and set the auto-approve
> flag, then checkid_immediate will succeed but will not send the email
> address.
>  2. If the user has not interacted with the RP before, then
> checkid_immediate will fail so that the user will be forced through the
> UI to give consent to return the email address.
>  3. If the user has interacted with the RP in the past, but has not
> given auto-approval, then again checkid_immediate will fail because the
> user needs to consent to release of their email address.
>
> Obviously, if the user is not logged in, checkid_immediate will fail :)
>
> So if I've got the logic right, then checkid_immediate will only succeed
> with the Google OP if the user is logged in and has set the
> auto-approval flag.
>
> Thanks,
> George
>
>



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
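The decision rules George enumerates above (and Breno's point that the "logged in" test is the OP's own session cookie, not anything in OpenID) are easy to model as an OP-side handler. The following is an added illustration, not code from this thread, from Google's OP, or from any OpenID library: it takes a checkid_immediate request carrying an AX fetch for the email attribute and returns either a setup_needed negative assertion or an unsigned positive assertion. The session object, realm bookkeeping and the sample request are constructed stand-ins; signing fields of a real id_res (op_endpoint, response_nonce, assoc_handle, signed, sig) are omitted.

```python
"""Added illustration of the OP-side rules for checkid_immediate + AX email
request as described in the thread.  Not Google's OP code and not an OpenID
library; all state is an in-memory stand-in and signing is omitted."""

from dataclasses import dataclass, field

OPENID_NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"
AX_EMAIL = "http://axschema.org/contact/email"


@dataclass
class UserSession:
    """What the OP knows about the browser making the request.

    logged_in is what the OP's own session cookie says (not OpenID state).
    approvals maps an RP realm the user has interacted with before to its
    auto-approve flag; a realm absent from approvals means the user has
    never seen that RP.  Constructed stand-in for the OP's user store.
    """
    logged_in: bool
    identity: str = ""
    approvals: dict = field(default_factory=dict)


def setup_needed() -> dict:
    """Negative assertion for immediate mode: RP must retry with checkid_setup."""
    return {"openid.ns": OPENID_NS, "openid.mode": "setup_needed"}


def requests_email(req: dict) -> bool:
    """True when the request carries an AX fetch_request naming the email type."""
    if req.get("openid.ns.ax") != AX_NS or req.get("openid.ax.mode") != "fetch_request":
        return False
    aliases = []
    for key in ("openid.ax.required", "openid.ax.if_available"):
        aliases.extend(a for a in req.get(key, "").split(",") if a)
    return any(req.get(f"openid.ax.type.{a}") == AX_EMAIL for a in aliases)


def handle_checkid_immediate(req: dict, session: UserSession) -> dict:
    """Apply the three numbered cases from the thread, plus 'not logged in'."""
    if req.get("openid.mode") != "checkid_immediate":
        raise ValueError("this handler only models checkid_immediate")
    realm = req.get("openid.realm") or req["openid.return_to"]

    # Not logged in (per the OP's session cookie): immediate mode cannot succeed.
    if not session.logged_in:
        return setup_needed()
    # Case 2: never interacted with this RP -> user must go through the consent UI.
    if realm not in session.approvals:
        return setup_needed()
    # Case 3: interacted before, but no auto-approval -> consent still required.
    if not session.approvals[realm]:
        return setup_needed()
    # Case 1: auto-approve set -> positive assertion.  As described in the
    # thread, the email is still NOT released in immediate mode, so an AX
    # fetch_response without any attribute values goes back to the RP.
    resp = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.claimed_id": session.identity,
        "openid.identity": session.identity,
        "openid.return_to": req["openid.return_to"],
        # a real OP adds op_endpoint, response_nonce, assoc_handle, signed, sig
    }
    if requests_email(req):
        resp["openid.ns.ax"] = AX_NS
        resp["openid.ax.mode"] = "fetch_response"
    return resp


# Constructed sample request: checkid_immediate plus an AX fetch for the email.
SAMPLE_REQUEST = {
    "openid.ns": OPENID_NS,
    "openid.mode": "checkid_immediate",
    "openid.return_to": "https://rp.example/return",
    "openid.realm": "https://rp.example/",
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_request",
    "openid.ax.required": "email",
    "openid.ax.type.email": AX_EMAIL,
}


def outcome(session: UserSession) -> str:
    """Return the response mode ('id_res' or 'setup_needed') for SAMPLE_REQUEST."""
    return handle_checkid_immediate(SAMPLE_REQUEST, session)["openid.mode"]


if __name__ == "__main__":
    alice = "https://op.example/alice"
    print(outcome(UserSession(logged_in=False)))                                    # setup_needed
    print(outcome(UserSession(True, alice)))                                        # setup_needed
    print(outcome(UserSession(True, alice, {"https://rp.example/": False})))       # setup_needed
    print(outcome(UserSession(True, alice, {"https://rp.example/": True})))        # id_res
```

Note how the branches line up with the thread: only the combination "logged in" plus "auto-approve set for this realm" yields id_res, and even then no email value is included. Everything before the first branch is decided by the OP's session cookie, which is why a request arriving without that cookie only ever sees setup_needed regardless of the RP's history with the OP.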


