[OpenID] Google discovery prototype: dual discovery paths

Breno de Medeiros breno at google.com
Thu Jul 16 20:29:11 UTC 2009


This is an interesting topic.
Another approach that has been suggested is to preserve the identifier
formats, but assign different security levels depending on how they were
authenticated (assuming that the RP is security-sensitive at all).

One level could be assigned to http identifiers and https identifiers based
on discovery without signatures.

A higher security level could be assigned to http and https identifiers
where discovery was validated via signatures.

So, if an RP notices that an account is usually logged in through a higher
security mechanism but now it is following a lower security one, then this
could be considered a downgrade of security level. Typically one would
employ a suitable account recovery process to validate that this is a
legitimate login attempt as opposed to a possible hijacking.

On Thu, Jul 16, 2009 at 7:21 AM, Manger, James H <
James.H.Manger at team.telstra.com> wrote:

> If we do end up with dual discovery paths:
>
> 1. making a GET request directly to an OpenID identifier; or
>
> 2. following a decoupled discovery path (eg request to Google)
> backed by trusted signatures on the resultant XRDS files;
>
> then an OpenID login can be compromised by either path.
>
> A motivation for path #2 was that it is hard for a small business to make
> its website extremely secure from attacks that could modify web pages.
> However, even RPs that try path #2 will also try path #1 (unless we totally
> ditch OpenID 1.1 & 2.0 support!) so attacks modifying a small business’s web
> pages can still compromise their OpenID logins.
>
> One way to prevent dual paths reducing security for each other would be if
> each path applied to different OpenID identifiers. That is, only use path #1
> for http & https OpenID identifiers; and use some other form of OpenID
> identifier for path #2.
>
> *James Manger*
> *James.H.Manger at team.telstra.com*
> Identity and security team — Chief Technology Office — Telstra
>


-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
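
The downgrade check described in the message above, sketched as an added example; it is not part of the original post or of any OpenID library. The class and function names are hypothetical, the identifier is a constructed sample, and "usually logged in through a higher security mechanism" is assumed to mean the highest discovery level the RP has ever accepted for that identifier.

```python
from enum import Enum, IntEnum


class DiscoveryLevel(IntEnum):
    UNSIGNED = 1  # http/https identifier, discovery without signatures
    SIGNED = 2    # http/https identifier, discovery validated via signatures


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_RECOVERY = "require_recovery"


class DowngradeGuard:
    """RP-side record of the highest discovery level seen per claimed identifier.

    Assumption: the baseline is the highest level ever accepted, and a
    successful account recovery clears exactly one lower-level login.
    """

    def __init__(self):
        self._baseline = {}      # claimed_id -> DiscoveryLevel
        self._recovered = set()  # claimed_ids cleared for one lower-level login

    def evaluate(self, claimed_id, level):
        baseline = self._baseline.get(claimed_id)
        if baseline is not None and level < baseline:
            if claimed_id in self._recovered:
                self._recovered.discard(claimed_id)  # one-time clearance
                return Decision.ALLOW                # baseline stays high
            return Decision.REQUIRE_RECOVERY         # possible hijacking
        self._baseline[claimed_id] = level if baseline is None else max(baseline, level)
        return Decision.ALLOW

    def recovery_succeeded(self, claimed_id):
        """Call only after the RP's own account recovery process has passed."""
        self._recovered.add(claimed_id)


def demo():
    guard = DowngradeGuard()
    cid = "https://example.com/alice"  # constructed sample identifier
    results = [guard.evaluate(cid, DiscoveryLevel.SIGNED),
               guard.evaluate(cid, DiscoveryLevel.UNSIGNED)]
    guard.recovery_succeeded(cid)
    results.append(guard.evaluate(cid, DiscoveryLevel.UNSIGNED))
    results.append(guard.evaluate(cid, DiscoveryLevel.UNSIGNED))
    return results


if __name__ == "__main__":
    print(demo())
```

Because the baseline is not lowered by a recovered login, every later unsigned-discovery login for that identifier is challenged again until signed discovery is seen.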