[OpenID] Questions about security? :)
Kleber - Corujito
corujito at gmail.com
Thu Apr 14 22:18:59 UTC 2011
Thanks John,
We are uncomfortable with some information (like the user's email) being passed
in plain text through the redirect. We don't want this information to be open to
eavesdropping.
I understand from your answer that there is nothing to do about that in
OpenID or AX. Am I right?
On Thu, Apr 14, 2011 at 6:07 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> The SREG 1.1 spec for OpenID 2.0 is unofficial but used.
> Some people still use SREG 1.0 with OpenID 2.0 but that is not spec
> compliant.
>
> The only official standard to pass attributes is AX in OpenID 2.0.
>
> By default they are not signed or encrypted, so the values can be modified
> by the user.
> This was considered OK in the design because all the attributes are self
> asserted.
>
> The IDP can easily make the AX parameters part of the signed body of the
> assertion.
> However, you may find that RPs are not necessarily checking for that.
>
> Any encryption would need to be custom.
> http://openid.net/specs/openid-attribute-exchange-1_0.html
>
> OpenID Connect has merged into OpenID AB. We expect to circulate draft
> specs at IIW.
> It will have more of the features it sounds like you are looking for.
>
> The mailing list is:
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
> John B.
>
> On 2011-04-14, at 4:28 PM, Kleber - Corujito wrote:
>
> Hi guys,
>
> We are building a new OpenID Provider. It works, but we would appreciate
> some security tips. Can you help us? :)
>
> We read the AX and SREG specs and we wonder if there is another way to pass
> user information from Provider to RP?
> We were figuring out if parameters could be passed in an encrypted way.
>
> Is there something from the OpenID community that we are missing? I read on
> openidconnect.com some time ago that it is considered 'openid 3.0'. Should
> we implement it?
>
> Thanks
> --
> Kleber Manoel Infante (Corujito)
--
Kleber Manoel Infante (Corujito)
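
The RP-side check mentioned in the quoted reply (AX values are only tamper-evident if the OP lists them in `openid.signed` and the RP verifies that), as an added example that is not part of the original thread or of any OpenID library. The function names, the MAC key and the sample assertion are constructed for illustration, and an HMAC-SHA256 association is assumed.

```python
import base64
import hashlib
import hmac

AX_NS = "http://openid.net/srv/ax/1.0"
MAC_KEY = b"constructed-association-secret"  # constructed sample, not a real key

def unsigned_ax_fields(params):
    """Return AX response keys that openid.signed does not cover."""
    alias = next((k[len("openid.ns."):] for k, v in params.items()
                  if k.startswith("openid.ns.") and v == AX_NS), None)
    if alias is None:
        return []
    signed = set(params.get("openid.signed", "").split(","))
    prefix = "openid." + alias + "."
    wanted = [k for k in params if k.startswith(prefix)] + ["openid.ns." + alias]
    return sorted(k for k in wanted if k[len("openid."):] not in signed)

def signature(params, mac_key):
    """HMAC-SHA256 over the key-value form (key:value plus newline) of the signed fields."""
    fields = params["openid.signed"].split(",")
    base = "".join(f"{f}:{params['openid.' + f]}\n" for f in fields)
    mac = hmac.new(mac_key, base.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def accept_ax(params, mac_key):
    """Trust AX values only if the signature verifies AND covers every AX key."""
    try:
        expected = signature(params, mac_key)
        ok = hmac.compare_digest(expected, params["openid.sig"])
    except KeyError:  # missing openid.signed, openid.sig or a listed field
        return False
    return ok and not unsigned_ax_fields(params)

def sample_response(signed_fields):
    """Constructed assertion, trimmed to the fields this check reads."""
    p = {
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_response",
        "openid.ax.type.email": "http://axschema.org/contact/email",
        "openid.ax.value.email": "user@example.com",
        "openid.claimed_id": "https://op.example/u/1",
        "openid.signed": signed_fields,
    }
    p["openid.sig"] = signature(p, MAC_KEY)
    return p
```

Signing gives integrity only: the values still travel in the redirect in the clear, so this check does not address the eavesdropping concern.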