[OpenID] Google OpenID IDP is now live
Andrew Arnott
andrewarnott at gmail.com
Wed Oct 29 19:37:03 UTC 2008
Deron,
I guess if the RP was trying to phish information and made the OP display
text in French... this could be mitigated. If the user were already logged
in, thus providing the simple OK button you mentioned, then the OP should
ignore the RP's language recommendation because the OP knows what the real
language preference is. If the user isn't logged in and the OP therefore
knows nothing about the language preference (aside from the preferred HTTP
header), then the OP could go ahead with the RP's suggestion... until the
user managed to log in. Then the language could revert to whatever the user
really preferred. So as long as the OP is coded correctly, I don't see much
room for phishing attacks.
On Wed, Oct 29, 2008 at 12:29 PM, Deron Meranda <deron.meranda at gmail.com> wrote:
> On Wed, Oct 29, 2008 at 3:19 PM, Martin Atkins <mart at degeneration.co.uk>
> wrote:
> > Deron Meranda wrote:
> >>
> >> I'm not really sure of the whole point to the proposal anyway; isn't that
> >> what the HTTP Accept-Language header is for?
> >
> > I believe the idea here is to arrange for the OP UI to appear in the same
> > language as the RP regardless of how the RP determined language.
> >
> > However, I have before raised the concern that if I'm muddling my way
> > through a site that's only available in French I'd still rather have my OP
> > -- that, after all, knows more about me than the RP -- present its UI in
> > English, my primary language.
>
> This probably should go in a separate thread if it gets much longer....
>
> First, I'm wary of the RP telling the OP how to display things. It
> could open up even more phishing issues. If the RP could tell the
> OP to display the login page in, say, Cherokee; then the end user
> who can't read the page but sees the "ok" button is likely to grant
> access when they didn't understand what they were doing. The
> RP in my opinion should have a minimal amount of influence over
> how the OP communicates with the end user; including the language.
>
> The OP should either know the user's preferred language because
> he's already logged in, or should use the browser's Accept-Language
> header.
>
> Now, IF, the RP did need to pass a language, couldn't that be
> done by sending an HTTP Accept-Language header along
> with the GET/HEAD during the XRDS discovery phase... the OP
> could then potentially send back different XRDS resources based
> on the language, if it wanted to.
> --
> Deron Meranda
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
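As an added example (not code from this thread or from any OpenID library), here is the OP-side selection logic Andrew describes, written in Python: a logged-in user's stored preference always wins and the RP's hint is ignored; for an anonymous user the RP's hint is taken only when the OP can actually render that language (an assumption added here, which also defuses the "Cherokee" case Deron raises), otherwise the browser's Accept-Language header decides. SUPPORTED, DEFAULT_LANGUAGE and the function names are hypothetical.

```python
from typing import Optional

# Hypothetical set of UI languages this OP can render, and its fallback.
SUPPORTED = {"en", "fr", "de", "es"}
DEFAULT_LANGUAGE = "en"


def parse_accept_language(header: str) -> list:
    """Return language tags from an Accept-Language header, highest q first.

    Tags with q=0 and the "*" wildcard are dropped; region subtags are kept
    (e.g. "fr-ca") and lower-cased so callers can compare them directly.
    """
    ranked = []
    for pos, item in enumerate(header.split(",")):
        parts = [p.strip() for p in item.split(";")]
        tag = parts[0].lower()
        if not tag or tag == "*":
            continue
        q = 1.0
        for p in parts[1:]:
            if p.startswith("q="):
                try:
                    q = float(p[2:])
                except ValueError:
                    q = 0.0  # malformed q-value: treat as "not acceptable"
        if q > 0:
            ranked.append((-q, pos, tag))  # header order breaks q ties
    return [tag for _, _, tag in sorted(ranked)]


def choose_op_language(user_pref: Optional[str], accept_language: str,
                       rp_hint: Optional[str]) -> str:
    """Pick the language the OP should use for its login/approval UI."""
    # Logged-in user: the stored preference wins and the RP hint is ignored.
    if user_pref:
        return user_pref if user_pref in SUPPORTED else DEFAULT_LANGUAGE
    # Anonymous user: honour the RP's hint only if the OP can render it.
    if rp_hint and rp_hint.lower() in SUPPORTED:
        return rp_hint.lower()
    # Otherwise fall back to the browser's Accept-Language header.
    for tag in parse_accept_language(accept_language):
        if tag in SUPPORTED:
            return tag
        primary = tag.split("-")[0]  # "en-us" -> "en"
        if primary in SUPPORTED:
            return primary
    return DEFAULT_LANGUAGE
```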