[OpenID] Graphical UIs

George Fletcher gffletch at aol.com
Fri May 15 16:04:09 UTC 2009


As an OP, I want to know that the entity requesting an authentication 
(and in the context of this thread UI customizations) is really the same 
entity for which the UI customizations are requested. If I just trust 
the realm (even if an SSL based realm), then I'm not guaranteed that the 
presenter and the specified realm are really the same. This is pretty 
important to me. Even trusting the SSL cert of the realm doesn't help 
unless I can show that the request came from that realm. Signing would 
provide that "assurance".

Thanks,
George
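To make the point above concrete (an added illustration, not code from this thread or from any OpenID or OAuth implementation): the OP below keeps UI customizations keyed by realm, but applies one only when the request carries a MAC computed with the secret that RP agreed at registration, so a request that merely names the realm gets nothing. The scheme itself is an assumption for illustration, an HMAC over the sorted openid.* parameters carried in a hypothetical x_rp_sig parameter, with constructed registry data; the thread discusses OAuth signing, which uses its own signature base string.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Hypothetical OP-side registry (constructed sample data): realm -> the secret
# agreed at registration plus the UI customization the RP uploaded.
REGISTERED_RPS = {
    "https://bank.example/": {
        "secret": b"constructed-shared-secret",
        "logo": "https://bank.example/logo.png",
    },
}


def canonical_string(params):
    """Sorted, URL-encoded openid.* parameters (hypothetical canonical form)."""
    signed = {k: v for k, v in params.items() if k.startswith("openid.")}
    return urlencode(sorted(signed.items()))


def sign_request(params, secret):
    """MAC the presenter attaches as x_rp_sig (hypothetical parameter)."""
    return hmac.new(secret, canonical_string(params).encode(), hashlib.sha256).hexdigest()


def ui_customization_for(params):
    """Logo to show for this request, or None.

    Trusting openid.realm alone would let any presenter claim the realm; the
    customization is applied only when the MAC verifies under the secret
    registered for that realm, which ties the presenter to the realm.
    """
    entry = REGISTERED_RPS.get(params.get("openid.realm"))
    sig = params.get("x_rp_sig")
    if entry is None or sig is None:
        return None
    if not hmac.compare_digest(sig, sign_request(params, entry["secret"])):
        return None
    return entry["logo"]


def demo():
    base = {
        "openid.mode": "checkid_setup",
        "openid.realm": "https://bank.example/",
        "openid.return_to": "https://bank.example/finish",
    }
    genuine = dict(base, x_rp_sig=sign_request(base, REGISTERED_RPS[base["openid.realm"]]["secret"]))
    unsigned = dict(base)  # names the realm, carries no MAC
    wrong_key = dict(base, x_rp_sig=sign_request(base, b"unregistered-key"))
    return (ui_customization_for(genuine), ui_customization_for(unsigned), ui_customization_for(wrong_key))
```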

Andrew Arnott wrote:
> Thanks for trying to explain it Nate.  Actually what I was wondering 
> is why OAuth must be part of the request at all.  There's been talk on 
> this thread of bringing OAuth into it so that a signed message from 
> the RP can be sent to the OP.  First of all, using OAuth just for its 
> signing seems like a misuse.  The OpenID+OAuth extension that you 
> described doesn't sign the request at all.  And finally, it escapes me 
> why the request needs to be signed at all.  If an attacker were to 
> form a request to look like it came from a legitimate company, then 
> the assertion would go to that legitimate company (assuming RP 
> discovery and return_to matching was successful) and the attacker 
> would have gained nothing. 
>
> So why must OAuth be part of login just so that logos from the RP can 
> show up at the OP?
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the 
> death your right to say it." - S. G. Tallentyre
>
>
> On Thu, May 14, 2009 at 10:46 PM, Nate Klingenstein <ndk at internet2.edu> wrote:
>
>     On rereading this, you might have meant that the OAuth
>     registration of the RP with the OP would be completely automated
>     and promiscuous.  In that case, I'd totally agree with you.  But
>     it's a "woah -- dude" moment for me because it's so counter to our
>     deployment paradigm.
>
>     Hope there was no confusion,
>     Nate.
>
>
>     On May 14, 2009, at 11:28 PM, Nate Klingenstein wrote:
>
>>>     Why would OAuth be necessary?  If an RP registered with an OP
>>>     and submitted their logos/text/etc, then any auth request coming
>>>     in with the registered realm could display those pictures. 
>>>     There is a danger that hacker.com might
>>>     register and upload the Wells Fargo logo, but OAuth won't
>>>     prevent that.
>>
>>     Previously negotiated consumer keys, e.g. whitelisting.  It would
>>     prevent any transaction from occurring.  Unless I'm horribly
>>     misreading something, step 7 is registration, stating:
>>
>>     The Combined Consumer and the Combined Provider agree on a
>>     consumer key and consumer secret (see [OAuth]
>>     <http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html#OAuth>).
>>
>>     http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general