[OpenID] direct communication and HTTP authentication
Andrew Arnott
andrewarnott at gmail.com
Fri Mar 5 14:21:08 UTC 2010
Associations are not protected. Creating an association with an
"authenticated" RP doesn't prevent the association handle from being used by
another RP since handles are not secrets. Also, there is "dumb mode" where
no association is shared.
I suggest you whitelist the RP's realm and filter at user authentication
time, and be willing to form associations with anyone that asks.
Associations are worthless to RPs if their realm doesn't match. You'd need
to perform "RP discovery" on their realm to make it secure. If you don't
want to manage a whitelist at the OP but still want to allow only approved
RPs, you can require that the RP's XRDS document contains some special tag
that contains the realm URL plus a signature from the OP. That way the OP
can issue "certification" strings that RPs can host and certify themselves
but without the OP managing the whitelist.
Just an approach.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
On Thu, Mar 4, 2010 at 11:11 PM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
> Hi all,
>
> I'm investigating ways to reliably authenticate RPs in scenarios with
> strong coupling between RP and OP.
>
> My question to the list is: Does it contradict the OpenID 2.0 spec if an OP
> requires HTTP authentication (e.g. BASIC authentication) on direct
> communication requests? The idea is to only establish an association if the
> RP is authenticated and authorized.
>
> Thanks in advance,
> Torsten.
>
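The realm-certification approach sketched in the reply above, worked through as an added example that is not code from this thread or from any OpenID library: the OP mints a MAC over the realm URL, the RP hosts it in a hypothetical `RealmCertification` element of its XRDS, and the OP verifies it at user-authentication time (where the realm is checked against return_to under OpenID 2.0 realm rules) while still forming associations with anyone who asks. The key, the extension namespace and the XRDS document are constructed for the example.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed OP-side key; a real OP would use an asymmetric signature so RPs can be checked offline.
OP_CERT_KEY = b"op-certification-key-demo"
CERT_NS = "http://op.example/ns/realm-cert"  # hypothetical XRDS extension namespace

def issue_realm_cert(realm, key=OP_CERT_KEY):
    """OP signs the realm URL; the RP publishes the result in its own XRDS."""
    return base64.b64encode(hmac.new(key, realm.encode(), hashlib.sha256).digest()).decode()

def realm_matches(realm, return_to):
    """OpenID 2.0 realm rules: same scheme and port, path prefix, optional '*.' host wildcard."""
    r, u = urlparse(realm), urlparse(return_to)
    if r.scheme != u.scheme or r.port != u.port or not u.hostname:
        return False
    if r.hostname.startswith("*."):
        host_ok = u.hostname == r.hostname[2:] or u.hostname.endswith(r.hostname[1:])
    else:
        host_ok = u.hostname == r.hostname
    return host_ok and u.path.startswith(r.path)

def sample_xrds(realm, cert):
    """Constructed RP XRDS carrying the certification next to its return_to service."""
    return (f'<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" xmlns:c="{CERT_NS}">'
            f'<XRD><Service><Type>http://specs.openid.net/auth/2.0/return_to</Type>'
            f'<URI>{realm}login</URI><c:RealmCertification realm="{realm}">{cert}'
            f'</c:RealmCertification></Service></XRD></xrds:XRDS>')

def rp_is_certified(xrds_xml, claimed_realm, return_to, key=OP_CERT_KEY):
    """Run at checkid time: the association handle proves nothing, the hosted certification does."""
    el = ET.fromstring(xrds_xml).find(f".//{{{CERT_NS}}}RealmCertification")
    if el is None or el.get("realm") != claimed_realm:
        return False
    if not realm_matches(claimed_realm, return_to):
        return False  # certified realm does not cover this return_to
    return hmac.compare_digest((el.text or "").strip(), issue_realm_cert(claimed_realm, key))
```

In deployment the OP would fetch the XRDS from the realm itself (RP discovery) instead of receiving it inline, so a certification copied into another RP's document fails on the realm mismatch.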