[OpenID] Bug in OpenID RP implementations

Peter Williams pwilliams at rapattoni.com
Fri Jan 2 01:30:58 UTC 2009


I think this is the most important lesson (especially if UCI is the actual vision, in contrast to openid being a submarine reinvention of TTP IDPs, a la Shib).

I've felt for a long time that there have to be two services: one aimed purely at the user (and not provided by OPs), and then one provided by the OP. I kept experimenting with this distinction over and over - but I always felt like the wacky weirdo - especially once the directed identity service from the OPs came along.

After all, "Real" users just subscribe to Yahoo, Google, Myopenid OPs. But those who fall prey to the indoctrination of those portal mindshare wars are not really getting "openid". They are just being drawn into the typical hub-spoke networking model. It's EDI all over again. You're free to send your business document anywhere, as long as they are a member of the same hub.

We just have to remember that, for business-class users, it's just not enough to have an OP account(s) with your favorite portal(s) (google, live, pip), which provision you their various openids. You must have an additional service, which is probably separate from that which any OP offers. In that addition, you own and control the XRDS/HTML file - through which you can express full control and get what the UCI in openid promises/promised.

Ok. Let's test the reality.

Is there a semi-commercial site out there, aimed at 50+ year old users, that does little else other than allow such folks with pretty average IT skills to maintain their (non-OP) identity page, featuring OP selection (i.e. reinforces the multiple-nyms concept) and delegation (allows control over https authentication endpoints, and facilitates login portability)?

I know I can sell the portability benefit of openid (as they all remember the analogous (pre-Neustar) days... when phone companies would not let you move your phone number between national carriers).

Then, is there any "major" OP (google, live, yahoo, myspace?) that offers _both_ services?

It doesn't count as an "offer" if I, Jeanette the Realtor, have to literally edit an XRDS or HTML file or even conceive of tags, meta-anything, denotational semantics or anthropomorphic identifiers with a polymorphic bent (or any other wonderfully inventive logic that we computer scientists love to talk about).

From: Andrew Arnott [mailto:andrewarnott at gmail.com]
Sent: Thursday, January 01, 2009 4:37 PM
To: Peter Williams
Cc: Eddy Nigg (StartCom Ltd.); OpenID List
Subject: Re: [OpenID] Bug in OpenID RP implementations

Hi Peter,

I (mostly) share your idealistic view of myopenid.com. I use it as a frame of reference often. However, I don't agree with all of their decisions (AX type URIs and non-https enforcement among them).

It seems to me that https://homepw.myopenid.com/ results in myopenid.com referring to an HTTPS OP endpoint, and http://homepw.myopenid.com/ referring to an HTTP OP endpoint. Fair enough. If you start your discovery securely it makes sense to continue with secure authentication. And if your discovery was insecure, well then the authentication isn't secure whether it uses HTTPS or not, since the discovery could have been hijacked and authentication rerouted to another address.

Ideally, myopenid.com and all other OPs would redirect identity page requests that come in on HTTP to HTTPS so that all claimed identifiers and authentication would occur over HTTPS to provide higher security to users.

Regarding whether mere users have the choice of HTTPS being used for auth, they may. In your myopenid.com claimed id example the user has no control since myopenid.com hosts the claimed id page. However, if you take http://blog.nerdbank.net, which is one of my claimed identifiers which delegates to myopenid.com (and others via XRDS), since I am the one to write the delegation tags I get to decide whether to use an OP's HTTPS or HTTP endpoint. So yes, the user may have a choice about using an HTTP(S) OP endpoint, but they likely will not have that choice if they use an OP-hosted identity page.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire

On Thu, Jan 1, 2009 at 4:51 PM, Peter Williams <pwilliams at rapattoni.com> wrote:

Yes SP=RP. Remind me to use RP only, here, and keep SP for OAUTH (since OAUTH and openid seem to have a potential marriage ahead).

I'm now logged into my classical OP site (homepw.myopenid.com). I can't see how to control "my" metadata to allow "authentication" only over https.

Should I infer in the movement that "really" OPs decide whether the https-class openid they provision will or will not "authenticate" over https - and not mere users?

For me, myopenid OP is/was the "gold standard" of openid OP implementations - an expression of the core use cases and the movement's management/control goals in their most primitive form. If I keep that belief, evidently users/subscribers are not "really" supposed to decide whether https must be used during authentication. RPs may decide so. OPs may decide so. But users cannot.



From: Andrew Arnott [mailto:andrewarnott at gmail.com]
Sent: Thursday, January 01, 2009 3:27 PM
To: Peter Williams
Cc: Eddy Nigg (StartCom Ltd.); OpenID List
Subject: Re: [OpenID] Bug in OpenID RP implementations

SP? Do you mean RP? SP is an acronym that applies to OAuth. OpenID uses RP and OP. I assume by SP you mean RP here...

The OpenID 2.0 spec section 15 (http://openid.net/specs/openid-authentication-2_0.html#security_considerations) calls out several opt-in measures that an RP or OP can take to increase security for the authentication process. But no, as has been stated, an RP is not obliged per (my reading of) the spec to require that if discovery is done using HTTPS that authentication must also be done using HTTPS.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire

On Thu, Jan 1, 2009 at 4:07 PM, Peter Williams <pwilliams at rapattoni.com> wrote:

Is the SP right or wrong to redirect to an http OP endpoint, given an https openid, in your understanding of the spec (and what it means to be a conforming implementation)?

Though operating in openid1 legacy mode, neither SP nor OP objected - probably because the spec does call out for code to raise an exception - presumably because it isn't one, formally.



From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: Thursday, January 01, 2009 3:00 PM
Cc: OpenID List
Subject: Re: [OpenID] Bug in OpenID RP implementations

On 01/02/2009 12:49 AM, Eric Norman:

On Jan 1, 2009, at 4:28 PM, Peter Williams wrote:

The openid 2 spec says in section 15 (a non-normative must, note):

"In order to get protection from SSL, SSL must be used for all parts
of the interaction, including interaction with the end user through
the User-Agent."

When I include "https:" in my OpenID, I'm saying that I
want protection by SSL, right?

Your OpenID is https:// then, it's not necessarily the same as http and the other way around too. It has been many times already mentioned.

So if something elsewhere decides not to use SSL for
whatever reason, that would be incorrect behavior, right?

Correct. However an OP may return the claimed OpenID as https (there are for example some OPs which don't do plain http, only https via redirect).

And let's not forget that the error message I quoted is
clearly inappropriate.

Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
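
Added example, not part of the thread and not code from any OP or RP library mentioned in it: an RP-side OpenID 2.0 HTML-discovery routine with the check the thread keeps circling, refusing to carry an https claimed identifier to a plain-http OP endpoint, and separately flagging runs whose discovery already happened over http, where TLS on the endpoint alone proves nothing because the identity page itself could have been altered in transit. The rel values are the ones OpenID 2.0 and 1.x define for HTML-based discovery; the hostnames, the two identity pages and the classification names ("secure", "downgrade", "insecure") are constructed for illustration.

```python
# Added example, not from the thread: OpenID 2.0 HTML-based discovery on the
# RP side plus a transport policy that refuses to send an https claimed
# identifier to a plain-http OP endpoint. Hostnames, the sample identity
# pages and the classification names are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkRelParser(HTMLParser):
    """Collect <link rel=... href=...> tags that appear inside <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}        # rel token -> href; first occurrence wins
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
        elif tag == "link" and self._in_head:
            a = dict(attrs)
            rel, href = a.get("rel"), a.get("href")
            if rel and href:
                for token in rel.lower().split():
                    self.links.setdefault(token, href.strip())

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover_html(html):
    """Return (op_endpoint, local_id, version) from an HTML identity page.

    OpenID 2.0 uses rel="openid2.provider" / "openid2.local_id";
    OpenID 1.x uses rel="openid.server" / "openid.delegate".
    """
    parser = _LinkRelParser()
    parser.feed(html)
    links = parser.links
    if "openid2.provider" in links:
        return links["openid2.provider"], links.get("openid2.local_id"), 2
    if "openid.server" in links:
        return links["openid.server"], links.get("openid.delegate"), 1
    raise ValueError("no OpenID <link> tags found in <head>")


def classify_transport(claimed_id, op_endpoint):
    """'secure'   : https identifier and https OP endpoint
    'downgrade': https identifier but http OP endpoint
    'insecure' : discovery itself ran over http, so an https endpoint
                 proves nothing (the identity page could have been altered)"""
    id_https = urlsplit(claimed_id).scheme == "https"
    ep_https = urlsplit(op_endpoint).scheme == "https"
    if id_https and ep_https:
        return "secure"
    if id_https:
        return "downgrade"
    return "insecure"


def rp_discover(claimed_id, html, allow_insecure=False):
    """Discover the OP endpoint for claimed_id and apply the policy above.

    Returns (op_endpoint, local_id, classification). Raises ValueError on a
    downgrade, or on insecure discovery unless allow_insecure is set.
    """
    op_endpoint, local_id, _version = discover_html(html)
    kind = classify_transport(claimed_id, op_endpoint)
    if kind == "downgrade":
        raise ValueError("refusing http OP endpoint %s for https identifier %s"
                         % (op_endpoint, claimed_id))
    if kind == "insecure" and not allow_insecure:
        raise ValueError("discovery for %s did not run over https" % claimed_id)
    return op_endpoint, local_id or claimed_id, kind


# Constructed identity pages (not real sites): the first delegates to an
# https endpoint, the second to the same OP's http endpoint.
SECURE_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example.org/server">
<link rel="openid2.local_id" href="https://alice.op.example.org/">
</head><body>Alice</body></html>"""

DOWNGRADE_PAGE = """<html><head>
<link rel="openid2.provider" href="http://op.example.org/server">
<link rel="openid2.local_id" href="http://alice.op.example.org/">
</head><body>Alice</body></html>"""

if __name__ == "__main__":
    print(rp_discover("https://alice.example.net/", SECURE_PAGE))
    try:
        rp_discover("https://alice.example.net/", DOWNGRADE_PAGE)
    except ValueError as exc:
        print("rejected:", exc)
```

Against SECURE_PAGE the https identifier resolves to the https endpoint and is classified "secure"; against DOWNGRADE_PAGE the same identifier raises instead of being redirected to the http endpoint, which is the behaviour the RP in the thread did not exhibit. As Andrew notes, the spec's section 15 advice is opt-in, so this check is RP policy layered on top of the spec rather than something a conforming implementation is required to do; the "insecure" branch exists because, when the identity page was fetched over plain http, rejecting only the endpoint scheme would give a false sense of protection.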