[OpenID] 2-Headed OpenID Auth for Increased Security?

Andrew Arnott andrewarnott at gmail.com
Sun Nov 30 15:35:09 UTC 2008


I like the idea... but the XRDS would have to mandatorily *not* be hosted
by *either* OP (which right now is commonly done), since that OP would still
ultimately have total assertion power by temporarily manipulating the XRDS
file to point to two OP endpoints that were both controlled by the evil
party.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Sat, Nov 29, 2008 at 10:41 AM, David Fuelling <sappenin at gmail.com> wrote:

> Hey List,
>
> I've been thinking about the security of OpenID lately, dreaming about the
> day when I'll be able to use OpenID at my bank's website. One issue that I
> keep coming back to is that my OP (or a rogue employee at my OP) could
> masquerade as me at OpenID-enabled RPs across the web since the OP is a
> single authentication point in the OpenID ecosystem.
>
> To mitigate this problem, one idea I have would be to utilize a 2-headed
> OpenID auth scheme, whereby a "higher security" RP (like my bank) would
> require OpenID authentication assertions from two separate OPs. This would
> preclude somebody at OP #1 from masquerading as me, since any RP would
> require a second auth from a different OP, outside the control of the first
> OP.
>
> On the face of it all, this approach would seem to require two different
> OpenIDs (one for each OP). However, using Yadis/XRDS, one could specify a
> primary and secondary OP for a particular OpenID. Assuming that the user is
> logged in to both OPs, this dual-auth may even go unnoticed by the user.
> Of course, an RP could also just allow the user to select two different OPs
> to use for auth assertions at login time.
>
> I suppose there are several ways to make this happen, but I'd appreciate
> any feedback on this idea...
>
> Thanks!
>
> David
>
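As an added example (not code from either poster), here is an RP-side check in Python that implements David's dual-OP requirement together with Andrew's caveat: the two highest-priority signon endpoints in the XRDS must belong to different operators, and the XRDS itself must not be hosted by either of them. The XRDS documents, hostnames and the two-DNS-label "operator" heuristic are constructed assumptions, not anything from the thread or the OpenID specs.

```python
# Constructed example for the thread above; all hostnames and XRDS content are made up.
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

XRD = "{xri://$xrd*($v*2.0)}"                      # XRD 2.0 namespace used by Yadis
SIGNON = "http://specs.openid.net/auth/2.0/signon"

def xrds(*endpoints):
    """Build a constructed XRDS with one signon Service per endpoint, in priority order."""
    services = "".join(
        f'<Service priority="{i}"><Type>{SIGNON}</Type><URI>{u}</URI></Service>'
        for i, u in enumerate(endpoints, 1))
    return ('<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">'
            '<XRD>' + services + '</XRD></xrds:XRDS>')

HONEST_XRDS = xrds("https://op-one.example/auth", "https://op-two.example/auth")
# What an OP that also hosts the XRDS could serve: two "different" endpoints, one operator.
TAMPERED_XRDS = xrds("https://op-one.example/auth", "https://login.op-one.example/auth")

def operator_of(url):
    """Approximate 'who runs this host' by its last two DNS labels (a simplification;
    a production RP would consult the Public Suffix List instead)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def signon_endpoints(xrds_xml):
    """OP endpoint URIs from signon Services, lowest priority value first; a Service
    without a priority attribute sorts last, as Yadis specifies."""
    found = []
    for svc in ET.fromstring(xrds_xml).iter(XRD + "Service"):
        if SIGNON not in [t.text for t in svc.findall(XRD + "Type")]:
            continue
        prio = svc.get("priority")
        prio = int(prio) if prio is not None else float("inf")
        found += [(prio, u.text.strip()) for u in svc.findall(XRD + "URI")]
    return [u for _, u in sorted(found)]

def two_headed_ok(xrds_url, xrds_xml):
    """Accept dual-OP auth only if the two primary OPs are run by different operators
    and the XRDS is hosted by neither of them (Andrew's caveat)."""
    eps = signon_endpoints(xrds_xml)
    if len(eps) < 2:
        return False, "fewer than two signon endpoints"
    operators = {operator_of(u) for u in eps[:2]}
    if len(operators) < 2:
        return False, "both endpoints are run by the same operator"
    if operator_of(xrds_url) in operators:
        return False, "XRDS is hosted by one of the OPs"
    return True, eps[:2]
```

The XRDS-hosting check blocks the enabling condition Andrew describes, while the same-operator check catches a document that has already been rewritten to point both heads at one party.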