[OpenID] Abusing Authentication Failure messages

Maarten Billemont lhunath at gmail.com
Fri Aug 20 09:12:03 UTC 2010


It has always bothered me that the OpenID protocol does not assign a unique ID to requests that is required to be repeated in the request's response.  This makes it annoying to cleanly identify whether a response matches a particular request; instead relying on chronology (response Y comes after request X?  It must be a response to X!).

This is an annoyance, yet, in the case of successful authentication responses, not a disaster: The response can be signed and verified.

In the case of a failure response, however, there is a significant lack of useful information passed from the OP to the RP.  This lack of useful information makes it impossible for the RP to verify that the response did originate from the OP.  Unfortunately for the RP (and conveniently for an attacker), the response is sent via indirect communication (via the User Agent); so the RP has no clue whatsoever where the response came from or who crafted it.  There is no association handle, no signature, no nonce, no nothing.

Does that mean that to sabotage an OpenID site's authentication process, all I have to do is craft a website which, when opened by the user in a separate tab, continuously makes requests to the RP providing authentication failure responses?

Am I missing something here, or is the OpenID protocol really so flawed?  And if it is, can I expect anyone to fix the protocol any time soon?