[OpenID] [security] Re: generation fragments
Martin Atkins
mart at degeneration.co.uk
Thu Sep 4 22:18:14 UTC 2008
SitG Admin wrote:
>> Especially for sites such as Blogger, where the URIs may or may not
>> have been actually used as OpenIDs,
>
> Here's my concern: what about sites such as ISP's that aren't
> providing mass content publication as a service, but merely happen to
> include "100MB web page at www.oursite.com/~yourusername!"? The host
> then might not even be *aware* of OpenID, but if they don't force
> users to limit themselves to working through pre-existing templates,
> a web-savvy user could simply upload a new version of one of their
> pages, to include OpenID headers, and gain their own Identity.
>
> And if that host isn't OpenID-aware, it won't have any reason to
> provide generation fragments. The only question then is whether the
> ISP's policy (if any) on letting new accounts be created with the
> same username as a terminated account permits such things within a
> shorter time frame than the "OP/RP best practices" list suggests.
>
> It's not safe to rely on an OP to provide generation fragments for
> this, since an Identity thief could just specify another OP in the
> headers (or run their own). For the same reason this can't be
> prevented by having an OP refuse to reset passwords (or other
> authentication measures) - the OP can be certain the user isn't the
> same one as was at that URI previously, but that won't matter if the
> Identity thief puts that OP out of the picture before going to the RP.
>
You're right that the fragment scheme doesn't address the delegation
case. It was introduced specifically to address the concern of big OPs
recycling their own identifiers.
The more general mechanism of adapting the CanonicalID approach from XRI
was also proposed, which would have covered more use cases, but I think
many involved parties thought this was too much complication.
As it currently stands, if a user is hosting his own identifier, whether
by delegation or by running his own OP, it becomes his responsibility to
protect that identifier from being compromised by others. The OP can
only help when it is the OP providing the identifier.
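An added illustration, not part of the thread, of the two cases described above, written as a minimal relying party in Python: an OP-issued claimed identifier carries a generation fragment, so a recycled username keys a fresh RP account, while a user-hosted identifier with no fragment maps back onto the old account even when the page now points at a different OP. The RelyingParty class, the OP-change flag and the example URLs are constructed for this example.

```python
from urllib.parse import urldefrag


def discovery_url(claimed_id: str) -> str:
    """OpenID 2.0 discovery is performed on the identifier with the fragment removed."""
    return urldefrag(claimed_id).url


def generation(claimed_id: str) -> str:
    """The generation fragment, if the OP issued one; empty for a plain URL."""
    return urldefrag(claimed_id).fragment


class RelyingParty:
    """Keys accounts on the full claimed identifier, fragment included, as the spec
    requires, and additionally remembers the OP endpoint seen at first sign-in."""

    def __init__(self) -> None:
        self.accounts: dict[str, str] = {}

    def sign_in(self, claimed_id: str, op_endpoint: str) -> str:
        # op_endpoint is what discovery on discovery_url(claimed_id) returned;
        # for a user-hosted page that is whatever the page's current owner put there.
        if claimed_id not in self.accounts:
            self.accounts[claimed_id] = op_endpoint
            return "new account"
        if self.accounts[claimed_id] != op_endpoint:
            # Same URL, different OP: the delegation case fragments cannot cover.
            # Flagging it is an added heuristic, not part of the spec, and a user
            # who legitimately moves to another OP trips it too.
            return "existing account, OP changed"
        return "existing account"
```

Without the OP-change flag the second "~bob" sign-in is indistinguishable from the original user, which is the gap the reply points out.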