[OpenID] Promoting delegation...

Peter Watkins peterw at tux.org
Sat Jun 19 02:58:09 UTC 2010


On Sat, Jun 19, 2010 at 10:06:07AM +0900, Nat Sakimura wrote:
> If it were just the issue of the IP address, then would not
> signing the discovery document serve our purpose?

Signing with an S/MIME key? Like I'd buy a cert for the CN myblog.com
and use it to sign the discovery info embedded in http://myblog.com/
if I can't run https://myblog.com/ ?

That might work, sure. I'd like to think more about that, but at
first glance that looks like a pretty elegant solution. It would
be nice if the signed assertion for the discovery info could include
an expiration time, since I don't think there's any way to repudiate
an individual S/MIME signature (I don't know much about S/MIME). You
would want the owner of myblog.com to be able to publish a new discovery
document pointing to a new OP without worry of some MITM+replay attack
using the old signed discovery info. With normal OpenID https discovery
you don't need to worry about that, as the RP will only trust info
retrieved in real time. Adding an expiry time to an S/MIME signed 
discovery document would give the domain owner the *option* of deciding
to periodically re-sign his/her discovery info if desired.

(Alternately, I suppose you could just argue that the domain owner
could revoke the myblog.com cert and sign the new discovery info with
a new/replacement cert. As long as the CA supported OCSP and the RP 
performed OCSP validation, that would work, too.)

-Peter 

> On Sat, Jun 19, 2010 at 10:01 AM, Peter Watkins <peterw at tux.org> wrote:
> > On Fri, Jun 18, 2010 at 11:51:16AM -0700, Chris Messina wrote:
> >> Turns out people aren't apparently familiar with the delegation feature of
> >> OpenID, given the response to my comments on This Week in Google and Gina
> >> Tripani's followup post:
> >>
> >> http://smarterware.org/6286/how-to-set-up-openid-on-your-own-domain/

> > I think this old feature of using discovery to associate URLs with
> > arbitrary 3rd-party OPs is probably going to become *less valuable* over
> > time, if only because OpenID is drifting toward 100% https operation, and
> > most small, personal domains will have a hard time coughing up the extra money
> > for the dedicated IPv4 address that's needed to run an https site (I assume
> > the IETF TLS working group still hasn't made much headway in making
> > TLS v.Next support hostname negotiation, to say nothing of getting the
> > capability deployed to a significant majority of client devices). It would
> > subvert the whole https model if the very first step in discovery involves
> > requesting a document with an http: address like http://ginatrapani.org/ .
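To make the expiry idea above concrete: the following is an added example, not code from this thread or from any OpenID implementation. It models a discovery document for http://myblog.com/ that the domain owner signs with a certificate issued for that hostname, and an RP that refuses it unless the certificate matches the host the document came from, the certificate is within its validity period, the document's own expiry has not passed, and the signature verifies. A detached ECDSA signature stands in for S/MIME (Go's standard library has no CMS/PKCS#7), the self-signed certificate stands in for a CA-issued one, and the field names, the ttl and the OP endpoint op.example.net are all constructed for the example. The OCSP alternative from the parenthetical is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// SignedDiscovery is a constructed stand-in for an S/MIME-signed discovery
// document: the delegation payload, an explicit expiry, and a detached ECDSA
// signature over all of it. Field names are assumptions, not OpenID spec terms.
type SignedDiscovery struct {
	ClaimedID  string    // the user's URL, e.g. http://myblog.com/
	OPEndpoint string    // the OP the domain owner delegates to
	Expires    time.Time // after this an RP must refuse the document
	Signature  []byte    // ASN.1 ECDSA signature over digest()
}

// digest canonicalises the signed fields so signer and verifier hash the same
// bytes; because the expiry is covered, a replayer cannot strip or extend it.
func (d *SignedDiscovery) digest() []byte {
	b, _ := json.Marshal([]string{d.ClaimedID, d.OPEndpoint, d.Expires.UTC().Format(time.RFC3339)})
	h := sha256.Sum256(b)
	return h[:]
}

// NewDomainCert mints a self-signed cert for host. Assumption: it stands in
// for a CA-issued cert; a real RP would additionally chain it to a trusted root.
func NewDomainCert(host string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // Go matches hostnames against SANs, not the CN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SignDiscovery is the domain owner's side: sign the delegation with an expiry
// of now+ttl. Running it again later is the "periodic re-sign" from the mail.
func SignDiscovery(key *ecdsa.PrivateKey, claimedID, opEndpoint string, now time.Time, ttl time.Duration) (*SignedDiscovery, error) {
	d := &SignedDiscovery{ClaimedID: claimedID, OPEndpoint: opEndpoint, Expires: now.Add(ttl)}
	sig, err := ecdsa.SignASN1(rand.Reader, key, d.digest())
	if err != nil {
		return nil, err
	}
	d.Signature = sig
	return d, nil
}

// VerifyDiscovery is the RP's side. Each check closes a distinct hole:
// hostname binding, cert validity, document freshness, then the signature.
func VerifyDiscovery(d *SignedDiscovery, cert *x509.Certificate, now time.Time) error {
	u, err := url.Parse(d.ClaimedID)
	if err != nil {
		return err
	}
	// The cert must be for the host the document was fetched from, otherwise
	// any cert holder could sign delegations on behalf of myblog.com.
	if err := cert.VerifyHostname(u.Hostname()); err != nil {
		return fmt.Errorf("cert not valid for %q: %w", u.Hostname(), err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("signing certificate outside its validity period")
	}
	// Freshness: a MITM replaying an old but validly signed document fails
	// here once the owner's chosen ttl has elapsed.
	if !now.Before(d.Expires) {
		return fmt.Errorf("signed discovery document expired at %s", d.Expires.UTC().Format(time.RFC3339))
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected key type in certificate")
	}
	if !ecdsa.VerifyASN1(pub, d.digest(), d.Signature) {
		return fmt.Errorf("bad signature on discovery document")
	}
	return nil
}

func main() {
	now := time.Now()
	cert, key, err := NewDomainCert("myblog.com", now)
	if err != nil {
		panic(err)
	}
	doc, _ := SignDiscovery(key, "http://myblog.com/", "https://op.example.net/auth", now, 24*time.Hour)
	fmt.Println("fresh:", VerifyDiscovery(doc, cert, now))
	fmt.Println("replayed a week later:", VerifyDiscovery(doc, cert, now.Add(7*24*time.Hour)))
	doc.OPEndpoint = "https://evil.example.net/auth" // constructed tampering by a MITM
	fmt.Println("tampered:", VerifyDiscovery(doc, cert, now))
}
```

The expiry check is what the plain certificate cannot give you: after the owner points myblog.com at a new OP, the old document still carries a valid signature from a valid cert, and only the owner-chosen ttl (or a revocation check, not shown) lets the RP reject it.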


More information about the general mailing list