[OpenID] Is OpenID truly user-centric and OP-independent? (WAS: Bug in OpenID RP implementations)

Peter Williams pwilliams at rapattoni.com
Wed Jan 14 15:47:43 UTC 2009 

Ah. I agree with you: that's a disreputable practice (in the "openid/websso" sense). This is a least the second time I've seen that, now, in this community. There is no shame in this world!

I don't mind RP proxying (and IDP proxying). I think both are proxying models are legitimate,  in a multi-protocol world. But you don't "proxy" by having the user's own authentication credentials to the email/address book provider.

Now your scenario for OAUTH during an RP  provisioning an account makes perfect sense. OAUTH allows an RP with an active user controlled session to go pull data from some or other contact book provider, or magnolia as the favorites provider.

Some variant of a user or SP nominating a "personalized openid" (to use yahoo terminology) with limited scope can serve as the authorization proxy authority from the user. If I've registered a particular personalized yahoo openid at address book RP which is willing to act as an OAUTH-SP, I could be giving that particular :secret:  value as a consumer-secret to Plaxo. If more control is required and more autonomy from the OP, one can do what I suggested the other day: and exploit delegation to bind a local secret (the finalized discovery url) to a common openid at the address book maintainer, and release that alongside the Op-provisioned openid to Plaxo. Then, one has a measure of immunity from OP misconduct, too.


From: Andrew Arnott [mailto:andrewarnott at gmail.com]
Sent: Wednesday, January 14, 2009 6:48 AM
To: Peter Williams
Cc: Martin Atkins; OpenID List
Subject: Re: [OpenID] Is OpenID truly user-centric and OP-independent? (WAS: Bug in OpenID RP implementations)

Hi Peter,

I think you missed the scenario I was saying should use OAuth.  The login process with Plaxo was fantastic.  I didn't mind that it sniffed my email address from my OP.  That's convenience for me.

But after login was completed, the first page I was taken to was a page where they wanted to take some email address and password so they could go download my address book.  This has nothing to do with OpenID.  They wanted my email password (bad, bad, bad!)  And yes, as you say, this is actually fairly common practice.  LinkedIn, Facebook, Lala, you name it.  Almost every social networking site wants your email password. ("cold dead fingers" comes to mind).  The link I sent you in my previous email explains why this is such a Very Bad Thing.

What OAuth does is give Plaxo, et. al, a way to download my address book without me ever giving them my email password.  They still need my permission, but not my password.  With OAuth, they can only do exactly what I authorize them to do (for instance, download my address book once) and nothing more.  Much much safer for the user.  They don't have to trust (usually blindly) the site they're at nearly as much.

Of course, then you get into the social question of how your "friends" in your address book will feel about you after you "sell" their contact info to some random site they have no interest in being a part of just to get a little convenience.  :)

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire

On Wed, Jan 14, 2009 at 6:28 AM, Peter Williams <pwilliams at rapattoni.com<mailto:pwilliams at rapattoni.com>> wrote:

I have yet to understand why people assert that type of OAuth comment. I jus don't understand OAUTH well enough, yet.



Given all I know (from the OAUTH spec), data providers can share data with data consumers, once authorized by the user. Though any act of authorization (or "delegated" authorization) requires first an act of authentication (ideally with openid), the two security services are usually designed to be independent.



In the websso world I come from, what Plaxo do is perfectly normal.  They "confirm" using a local procedure the authentication statement in the assertion. That is, they declare that the assertion is not a bearer-class assertion, which would have implicit confirmation. As a consequence of that confirmation model, they confirm locally that the user controls the email identifier delivered via the nice "form fill" function that openid/sreg just performed.



In reality, Plaxo is perform name-federation with the users email identifier to the plaxo account. The verification model is really between the mail/phone provider and Plaxo, not OP and RP. Even if the OP has already performed that very same email confirmation (e.g. myopenid), the UCI model means that Plaxo have no assurance that it was performed, or performed properly. Thus, they do it themselves.



As plaxo is oft-cited as a model openid RP by the protocol-designer class of folk here, I had assumed that this RP-confirmation process was an INTENDED deployment behavior of "model" RPs. I had ASSUMED that It was one of those tradeoffs derived from the UCI  mission - which gives the function of survivability on the one hand, but takes away assurance on the other. One rebuilds assurance by local confirmation, I guessed.



During one-time name-federation to plaxo during (n) openid registration(s() - and providing different openids can introduce different email/phone accounts -  I don't see this as a big deal. If Plaxo as an RP were repeatedly confirming with the email/phone provider, then Id agree - something user-centric is needed  (perhaps OAUTH); as then the email provider becomes a central control/authorization authority - governing the user's ability to talk to plaxo.



From: Andrew Arnott [mailto:andrewarnott at gmail.com<mailto:andrewarnott at gmail.com>]
Sent: Wednesday, January 14, 2009 6:06 AM
To: Peter Williams
Cc: Martin Atkins; OpenID List
Subject: Re: [OpenID] Is OpenID truly user-centric and OP-independent? (WAS: Bug in OpenID RP implementations)



Yes, I wish everyone could follow that model at Plaxo.



But Plaxo would do well to adopt OAuth. I noticed as soon as I created an account just now that they wanted to take my email password<http://blog.nerdbank.net/2008/10/why-oauth-can-be-ignored.html>.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire

On Wed, Jan 14, 2009 at 5:51 AM, Peter Williams <pwilliams at rapattoni.com<mailto:pwilliams at rapattoni.com>> wrote:

Add a plural s to the word identity.



IN policy language, the goal is surely not attaining "independence" from the communications infrastructure; but achieving "autonomy".



This is nicely seen in the plaxo model for building RPs, where you can bind n openids to the plaxo account. As a user, you can invoke any one of these identification paths. If flicker suspends your account (which they are want to do), there is no downside to you at Plaxo. Survivability is built in, with automatic, dynamic re-routing around the congestion point.





From: general-bounces at openid.net<mailto:general-bounces at openid.net> [mailto:general-bounces at openid.net<mailto:general-bounces at openid.net>] On Behalf Of Andrew Arnott
Sent: Wednesday, January 14, 2009 5:35 AM
To: Martin Atkins

In fact, I've become convinced that there is no way to allow a user to maintain his own OpenID identity independent of any OP or ISP given the profile of a common Internet user today.







-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090114/576e5ef2/attachment-0002.htm>

More information about the general mailing list