[OpenID] UCI Idea: An iPhone OP (?)
David Fuelling
sappenin at gmail.com
Wed Mar 3 16:33:43 UTC 2010
Wondering what people think about using an iPhone (or Android/etc)
application as a personal OP.

Basically, the way it would work is as follows:

1. Go to RP, get prompted with a login form.
2. Turn on iPhoneOP application on your iPhone.
   1. iPhone App turns on lighttpd (or some other ultra-small web server)
      to serve web requests from the phone and act as an OP.
   2. iPhone App then connects to a DDNS service that connects the
      phone's current IPv6 address to the OP domain.
   3. The iPhone is now the user's OP.
3. User signs into the RP, which then does the OpenID dance with the OP
   running on the user's iPhone.
4. The user could login via the web, or optionally just get prompted on
   the phone that a login is occurring - the user could then accept the login
   and/or enter a security code (in case of a lost iPhone).
5. User is logged into the RP.
6. iPhone App turns off.

Some initial thoughts I've had:

1. Could this take us a lot closer to a user-centric identity? Imagine
   if this software was built into the phone (so you didn't have to run an App
   to make it work).
2. Something like this would be interesting from a multi-auth
   perspective. On the one hand, it could preclude the need for multi-auth
   because a person could turn off his OP when the app isn't running (thus
   ensuring no RP logins without the phone....mostly -- see some security
   drawbacks below).
3. Alternatively, it could provide one multi-auth solution in that an RP
   could be required to get an assertion from a "regular" OP and a user-centric
   OP (like the iPhone) before allowing access.

Security Drawbacks (?)
1. The user should trust his/her DDNS provider because somebody at that
provider could change the IP address hooked up to the domain backing the
iPhoneOP (without the knowledge of the user). However, this is an issue
with current OPs (the rogue employee problem). Either could be mitigated
with multi-auth.
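
The following is an added example, not part of the original message: an RP-side sketch of the multi-auth check the post proposes, verifying OpenID 2.0 positive assertions (HMAC-SHA256 over the key-value form of `openid.signed`) and granting access only when both the regular OP and the phone OP have asserted. The endpoints, identifiers, keys and the account-linking model are constructed assumptions; discovery, `return_to` matching and nonce timestamp checks are left out.

```python
import base64, hashlib, hmac

# Fields OpenID 2.0 requires in openid.signed (claimed_id when present).
REQUIRED = {"op_endpoint", "claimed_id", "return_to", "response_nonce", "assoc_handle"}

def sign(fields, mac_key):
    # Key-value form: one "key:value\n" line per field, in openid.signed order.
    signed = fields["openid.signed"].split(",")
    text = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)
    return base64.b64encode(hmac.new(mac_key, text.encode(), hashlib.sha256).digest())

def verify(fields, assocs, seen_nonces):
    """Return claimed_id if the positive assertion checks out, else None."""
    signed = fields.get("openid.signed", "").split(",")
    if fields.get("openid.mode") != "id_res" or not REQUIRED.issubset(signed):
        return None
    if any("openid." + k not in fields for k in signed):
        return None
    assoc = assocs.get(fields["openid.op_endpoint"])
    if assoc is None or assoc["handle"] != fields["openid.assoc_handle"]:
        return None
    sig = fields.get("openid.sig", "").encode()
    if not hmac.compare_digest(sign(fields, assoc["mac_key"]), sig):
        return None
    nonce = (fields["openid.op_endpoint"], fields["openid.response_nonce"])
    if nonce in seen_nonces:          # replayed assertion
        return None
    seen_nonces.add(nonce)
    return fields["openid.claimed_id"]

def multi_auth(required_ids, assertions, assocs, seen_nonces):
    """Grant access only if every identifier linked to the account is proven."""
    proven = {verify(a, assocs, seen_nonces) for a in assertions}
    return set(required_ids) <= proven

# Constructed sample data: two independent OPs, each with its own association.
ASSOCS = {"https://op.example/auth": {"handle": "h-regular", "mac_key": b"k" * 32},
          "https://phone-op.example/auth": {"handle": "h-phone", "mac_key": b"p" * 32}}
# Assumption: the RP has linked both identifiers to one account.
REQUIRED_IDS = ["https://op.example/u/alice", "https://phone-op.example/"]

def make_assertion(endpoint, claimed_id, nonce):
    f = {"openid.mode": "id_res", "openid.op_endpoint": endpoint,
         "openid.claimed_id": claimed_id, "openid.return_to": "https://rp.example/return",
         "openid.response_nonce": nonce, "openid.assoc_handle": ASSOCS[endpoint]["handle"],
         "openid.signed": "op_endpoint,claimed_id,return_to,response_nonce,assoc_handle"}
    f["openid.sig"] = sign(f, ASSOCS[endpoint]["mac_key"]).decode()
    return f
```

With this policy, an assertion from whoever answers at the phone OP's DDNS name is not sufficient on its own; the independent OP must also assert.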