[OpenID] Security related Use Cases?

Ben Laurie benl at google.com
Wed Oct 22 12:32:07 UTC 2008


On Wed, Oct 22, 2008 at 12:59 PM, Paul Madsen <paulmadsen at rogers.com> wrote:
> Unless with something like SAML's (nascent) Holder of Key profile
>
> http://www.oasis-open.org/committees/download.php/29426/sstc-saml-holder-of-key-browser-sso-draft-07.pdf
>
> Client authenticates directly with a cert to the SP, but that SP still
> 'relies' on the SAML assertion from the IDP

True. Also, client X.509 certificates would be similar. And all sorts
of related stuff.

>
> paul
>
> Ben Laurie wrote:
>
> > On Wed, Oct 22, 2008 at 4:18 AM, Dick Hardt <dick at sxip.com> wrote:
> >
> > > I would guess Ben is talking about authentication to the RP
> >
> > Actually, I meant any authentication - what does authentication to the
> > RP mean, anyway? If I am authenticating to it directly, then it isn't
> > an RP, right?
> >
> > > -- Dick
> > >
> > > On 21-Oct-08, at 7:52 PM, Allen Tom <atom at yahoo-inc.com> wrote:
> > >
> > > > OpenID does not specify how the user authenticates with their OP, so OPs
> > > > which support hooks for client side authentication seem to address your
> > > > concerns.
> > > >
> > > > Allen
> > > >
> > > > Ben Laurie wrote:
> > > >
> > > > > So if we're going to embark on a UX consistency campaign, should we
> > > > > not do it around authentication that actually is safe - that is:
> > > > >
> > > > > a) Built into the browser, s.t. it can't be faked by webpages
> > > > >
> > > > > b) Does not reveal the user's password in the process of authentication?
> > > > >
> > > > > Continuing to try to prop up the house of cards that is authentication
> > > > > on webpages seems counterproductive to me.
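The holder-of-key arrangement Paul points at, as an added example that is not from this thread or from the SAML draft: the SP verifies the IdP's assertion and then insists that the TLS client certificate presented to it match the key the assertion is bound to, so the assertion alone is worthless to anyone who does not hold that key. An HMAC over a constructed shared secret stands in for the IdP's XML signature, and a SHA-256 certificate fingerprint stands in for the draft's KeyInfo; both, and the certificate bytes, are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed stand-ins: the real profile uses an XML signature, not a shared secret.
IDP_SECRET = b"constructed-idp-secret-for-illustration"
SP_AUDIENCE = "https://sp.example/saml"  # constructed audience value

def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate; stands in for the assertion's KeyInfo."""
    return hashlib.sha256(cert_der).hexdigest()

def idp_issue(subject: str, client_cert_der: bytes) -> tuple:
    """IdP binds the assertion to the key the client authenticated with."""
    body = {"subject": subject, "audience": SP_AUDIENCE,
            "confirmation": {"method": "holder-of-key",
                             "cert_sha256": cert_fingerprint(client_cert_der)}}
    payload = json.dumps(body, sort_keys=True).encode()
    return payload, hmac.new(IDP_SECRET, payload, hashlib.sha256).hexdigest()

def sp_accept(payload: bytes, sig: str, presented_cert_der: bytes) -> tuple:
    """SP relies on the IdP's assertion, but only for the key holder it names."""
    expected = hmac.new(IDP_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "assertion signature invalid"
    body = json.loads(payload)
    if body.get("audience") != SP_AUDIENCE:
        return False, "assertion not addressed to this SP"
    conf = body.get("confirmation", {})
    if conf.get("method") != "holder-of-key":
        return False, "assertion is not holder-of-key confirmed"
    if not hmac.compare_digest(conf.get("cert_sha256", ""),
                               cert_fingerprint(presented_cert_der)):
        return False, "TLS client certificate does not match the key in the assertion"
    return True, body["subject"]

# Constructed certificate bytes; in practice they come from the mutual-TLS handshake.
ALICE_CERT = b"constructed-der-for-alice"
MALLORY_CERT = b"constructed-der-for-mallory"

def demo() -> tuple:
    payload, sig = idp_issue("alice", ALICE_CERT)
    ok_legit, _ = sp_accept(payload, sig, ALICE_CERT)
    # A stolen or replayed assertion fails for anyone who cannot present Alice's key.
    ok_replay, _ = sp_accept(payload, sig, MALLORY_CERT)
    # Rewriting the bound key to Mallory's breaks the IdP's signature instead.
    tampered = payload.replace(cert_fingerprint(ALICE_CERT).encode(),
                               cert_fingerprint(MALLORY_CERT).encode())
    ok_tampered, _ = sp_accept(tampered, sig, MALLORY_CERT)
    return ok_legit, ok_replay, ok_tampered
```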