[OpenID] [LIKELY_SPAM]Re: [LIKELY_SPAM]Re: Combining Google & Yahoo user experience research
Peter Williams
pwilliams at rapattoni.com
Thu Oct 23 20:42:15 UTC 2008
In some ways, I'd expect an RP state-machine in delegated or directed identity state to reject an unsolicited-form assertion as a protocol violation. In the normal RP pending state, it could knowingly accept an unsolicited response, bearing no relationship to the claimed identifier or the original OP identifier doing the requested claim verification.
-----Original Message-----
From: SitG Admin <sysadmin at shadowsinthegarden.com>
Sent: Thursday, October 23, 2008 1:31 PM
To: Chris Messina <chris.messina at gmail.com>
Cc: general at openid.net <general at openid.net>
Subject: Re: [OpenID] [LIKELY_SPAM]Re: [LIKELY_SPAM]Re: Combining Google & Yahoo user experience research
>If I decide to enter georgebush at yahoo.com into an RP and I'm signed in
>as someone else on Yahoo.com, I'll be returned as the currently signed
>in user, regardless of who owns georgebush at yahoo.com.
I'll be awfully suspicious, though, and possibly discriminate against
you on the basis that something fishy is going on there.
>If the complete email address is to be considered verified after the
>flow I just described, I think the protocol is broken.
Before understanding Directed Identity (and its security), I was
implementing a similar check for OpenIDs: I compared the URI they
had initially typed in with the claimed_id returned by their OP, and,
if it wasn't the same, I assumed they had found an exploit in their
OP or the protocol. There's nothing that says we have to consider
their original E-mail address to be verified; we can keep track of it
just long enough to compare that value with the claimed address, and
proceed to more paranoid behavior if they don't match.
-Shade
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
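The check Shade describes, together with the "pending vs. directed" distinction Peter raises, as an added example that is not code from anyone in this thread. It models an RP session that remembers what the user typed and what discovery produced, then grades the OP's positive assertion: the typed identifier counts as verified only when the claimed_id that comes back is the very one the RP requested for that typed value; under directed identity it is never verified, and an assertion with no outstanding request is rejected. State names, session fields, the normalization rule and all identifiers and endpoints below are my own assumptions (constructed sample values); signature checking, nonce tracking and discovery are assumed to happen elsewhere.

```python
"""RP-side assertion checks for OpenID 2.0 (added example, not from the thread)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional
from urllib.parse import urlparse

# Value an RP sends as claimed_id when it asks the OP to pick the identity
# (directed identity). This is the OpenID 2.0 identifier_select URI.
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


class RPState(Enum):
    IDLE = "idle"          # no authentication request outstanding
    PENDING = "pending"    # request sent for a specific claimed_id
    DIRECTED = "directed"  # request sent with identifier_select


@dataclass
class RPSession:
    state: RPState = RPState.IDLE
    typed_identifier: Optional[str] = None     # what the user entered in the form
    request_claimed_id: Optional[str] = None   # claimed_id the RP sent to the OP
    request_op_endpoint: Optional[str] = None  # OP endpoint the RP redirected to


@dataclass
class Verdict:
    accept: bool                      # treat the assertion as a valid login at all?
    typed_identifier_verified: bool   # may the RP treat the typed value as proven?
    reason: str


def normalize(identifier: str) -> str:
    """Assumed normalization: lowercase scheme/host, default path '/', drop fragment."""
    u = urlparse(identifier.strip())
    if u.scheme.lower() in ("http", "https"):
        path = u.path or "/"
        query = f"?{u.query}" if u.query else ""
        return f"{u.scheme.lower()}://{u.netloc.lower()}{path}{query}"
    return identifier.strip().lower()


def start_request(session: RPSession, typed_identifier: str,
                  discovered_claimed_id: str, op_endpoint: str) -> RPState:
    """Record what discovery produced for the typed value before redirecting."""
    session.typed_identifier = typed_identifier
    session.request_claimed_id = discovered_claimed_id
    session.request_op_endpoint = op_endpoint
    session.state = (RPState.DIRECTED if discovered_claimed_id == IDENTIFIER_SELECT
                     else RPState.PENDING)
    return session.state


def check_assertion(session: RPSession, assertion: Dict[str, str]) -> Verdict:
    """Grade a positive assertion whose signature has already been verified."""
    claimed_id = assertion.get("openid.claimed_id", "")
    op_endpoint = assertion.get("openid.op_endpoint", "")
    state, session.state = session.state, RPState.IDLE  # one request, one answer

    if state is RPState.IDLE:
        return Verdict(False, False, "unsolicited assertion: no request outstanding")
    if op_endpoint != session.request_op_endpoint:
        return Verdict(False, False, "op_endpoint differs from the one we redirected to")

    if state is RPState.DIRECTED:
        # The OP chose the identity; the typed value was only used to find the OP.
        if not claimed_id or claimed_id == IDENTIFIER_SELECT:
            return Verdict(False, False, "directed identity response without a concrete claimed_id")
        return Verdict(True, False, "directed identity: claimed_id is OP-chosen, typed value unverified")

    # PENDING: the assertion must be about exactly the identifier we asked for.
    if normalize(claimed_id) != normalize(session.request_claimed_id or ""):
        return Verdict(False, False, "claimed_id differs from the requested one; treat as suspicious")
    return Verdict(True, True, "claimed_id matches the identifier discovered from the typed value")


def demo() -> Dict[str, Verdict]:
    """Constructed scenarios: the Yahoo case from the thread and a plain URL login."""
    yahoo_op = "https://op.example-yahoo.test/openid/auth"   # constructed endpoint
    s1 = RPSession()
    start_request(s1, "georgebush@yahoo.com", IDENTIFIER_SELECT, yahoo_op)
    directed = check_assertion(s1, {"openid.claimed_id": "https://me.example-yahoo.test/someoneelse",
                                    "openid.op_endpoint": yahoo_op})

    op = "https://op.example.test/auth"                       # constructed endpoint
    s2 = RPSession()
    start_request(s2, "https://alice.example.test/", "https://alice.example.test/", op)
    matching = check_assertion(s2, {"openid.claimed_id": "https://Alice.example.test/",
                                    "openid.op_endpoint": op})
    s3 = RPSession()
    start_request(s3, "https://alice.example.test/", "https://alice.example.test/", op)
    swapped = check_assertion(s3, {"openid.claimed_id": "https://mallory.example.test/",
                                   "openid.op_endpoint": op})
    unsolicited = check_assertion(RPSession(), {"openid.claimed_id": "https://alice.example.test/",
                                                "openid.op_endpoint": op})
    return {"directed": directed, "matching": matching, "swapped": swapped, "unsolicited": unsolicited}


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:11} accept={v.accept} verified={v.typed_identifier_verified}  {v.reason}")
```

The session is reset to idle as soon as an answer is consumed, so a second assertion for the same request is rejected as unsolicited rather than re-graded; whether an RP should ever honor a genuinely unsolicited assertion, as Peter suggests for the pending state, is a policy choice this example deliberately leaves at "reject".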