[OpenID] Questions about security? :)
Kleber - Corujito
corujito at gmail.com
Fri Apr 15 12:27:33 UTC 2011
Nice.
Then would it be something like this?
Some day our Provider should implement OpenID AB/C and still support OpenID
2.0 (I hope OpenID libs help us).
For 2.0 RPs we would return, through AX, information for which we accept a
risk of eavesdropping.
For RPs using OpenID AB/C we would pass all the information that we want.
On Thu, Apr 14, 2011 at 7:31 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> You have identified one of the reasons openID 2.0 doesn't qualify for LoA 2
> (SP-800-63).
>
> There is nothing in AX by default, You would have to build something
> custom, then you have interoperability issues.
>
> The proposed openID AB/C spec or whatever the final name will be avoids
> this in two ways.
> 1. with the Web server flow the attributes are directly retrieved by the RP
> from the IdP using a oauth 2.0 token.
> 2. There will also be an encryption option for JWT tokens that contain
> claims.
>
> Most things will just use the direct retrieval (1).
>
> John B.
>
> On 2011-04-14, at 6:18 PM, Kleber - Corujito wrote:
>
> Thanks John,
>
> We are uncomfortable with some information (like the user's email) being passed
> in plain text through the redirect. We don't want this information to be exposed
> to eavesdropping.
>
> I understand from your answer that there is nothing to do about that in
> OpenID or AX. Am I right?
>
>
> On Thu, Apr 14, 2011 at 6:07 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>
>> The SREG 1.1 spec for openID 2.0 is unofficial but used.
>> Some people still use SREG 1.0 with openID 2.0 but that is not spec
>> compliant.
>>
>> The only official standard to pass attributes is AX in openID 2.0.
>>
>> By default they are not signed or encrypted, so the values can be modified
>> by the user.
>> This was considered OK in the design because all the attributes are self
>> asserted.
>>
>> The IDP can easily make the AX parameters part of the signed body of the
>> assertion.
>> However you may find that RPs are not necessarily checking for that.
>>
>> Any encryption would need to be custom.
>> http://openid.net/specs/openid-attribute-exchange-1_0.html
>>
>> openID Connect has merged into openID AB. We expect to circulate draft
>> specs at IIW.
>> It will have more of the features it sounds like you are looking for.
>>
>> The mailing list is:
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>> John B.
>>
>> On 2011-04-14, at 4:28 PM, Kleber - Corujito wrote:
>>
>> Hi guys,
>>
>> We are building a new OpenID Provider. It works, but we would appreciate
>> some security tips. Can you help us? :)
>>
>> We read the AX and SREG specs and we wonder whether there is another way to pass
>> user information from the Provider to the RP.
>> We were trying to find out if parameters could be passed in an encrypted way.
>>
>> Is there something from the OpenID community that we are missing? I read on
>> openidconnect.com some time ago that it is considered 'OpenID 3.0'.
>> Should we implement it?
>>
>> Thanks
>> --
>> Kleber Manoel Infante (Corujito)
>> _______________________________________________
>> general mailing list
>> general at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-general
>>
>>
>>
>
>
> --
> Kleber Manoel Infante (Corujito)
>
>
>
--
Kleber Manoel Infante (Corujito)
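The point John makes above (the IdP can put the AX parameters into the signed part of the assertion, but an RP only benefits if it checks that they are listed in openid.signed) is illustrated by the following added example. It is not code from this thread or from any OpenID library: it builds an OpenID 2.0 positive assertion carrying an AX fetch_response, signs the Key-Value form of the listed fields with an HMAC-SHA256 association key, and on the RP side accepts an AX value only when the signature verifies and the AX namespace, mode, type and value fields are all covered by openid.signed. The endpoint URLs, nonce, association handle and MAC key are constructed placeholders.

```python
import base64
import hashlib
import hmac

AX_NS = "http://openid.net/srv/ax/1.0"
AX_EMAIL_TYPE = "http://axschema.org/contact/email"


def kv_encode(params, signed_fields):
    """OpenID 2.0 Key-Value form of the signed fields, in openid.signed order.

    Keys are written without the "openid." prefix, one "key:value\\n" per line,
    which is the byte string the association MAC is computed over.
    """
    return "".join(f"{name}:{params['openid.' + name]}\n" for name in signed_fields)


def sign_assertion(params, signed_fields, mac_key):
    """Return a copy of params with openid.signed and openid.sig filled in."""
    out = dict(params)
    out["openid.signed"] = ",".join(signed_fields)
    digest = hmac.new(mac_key, kv_encode(out, signed_fields).encode(), hashlib.sha256).digest()
    out["openid.sig"] = base64.b64encode(digest).decode()
    return out


def build_provider_response(mac_key, email, sign_ax=True):
    """Provider side: a positive assertion with an AX fetch_response for the email.

    With sign_ax=True the AX fields are added to openid.signed (the fix John
    describes); with sign_ax=False they are sent unsigned, as many 2.0 IdPs do.
    All URLs, the nonce and the association handle are constructed sample values.
    """
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",
        "openid.claimed_id": "https://op.example/user/alice",
        "openid.identity": "https://op.example/user/alice",
        "openid.return_to": "https://rp.example/openid/return",
        "openid.response_nonce": "2011-04-15T12:27:33Zsample",
        "openid.assoc_handle": "assoc-sample-1",
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_response",
        "openid.ax.type.email": AX_EMAIL_TYPE,
        "openid.ax.value.email": email,
    }
    # Fields the spec requires in openid.signed, plus "signed" itself.
    signed = ["op_endpoint", "claimed_id", "identity", "return_to",
              "response_nonce", "assoc_handle", "signed"]
    if sign_ax:
        signed += ["ns.ax", "ax.mode", "ax.type.email", "ax.value.email"]
    return sign_assertion(params, signed, mac_key)


def verify_assertion(params, mac_key):
    """RP side: recompute the MAC over the fields listed in openid.signed."""
    signed_fields = params["openid.signed"].split(",")
    expected = hmac.new(mac_key, kv_encode(params, signed_fields).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64decode(params["openid.sig"]), expected)


def signed_ax_values(params, mac_key):
    """RP side: return only AX values whose namespace, mode, type and value are signed.

    Raises ValueError on a bad signature. An AX value that is present in the
    redirect but not listed in openid.signed is silently dropped, because the
    user (or anyone on the redirect path) could have altered it.
    """
    if not verify_assertion(params, mac_key):
        raise ValueError("OpenID assertion signature does not verify")
    signed = set(params["openid.signed"].split(","))
    prefix = "openid.ax.value."
    accepted = {}
    for key, value in params.items():
        if not key.startswith(prefix):
            continue
        alias = key[len(prefix):]
        required = {"ns.ax", "ax.mode", f"ax.type.{alias}", f"ax.value.{alias}"}
        if required <= signed:
            accepted[alias] = value
    return accepted


if __name__ == "__main__":
    key = b"constructed-32-byte-mac-key-0001"  # sample association key, not a real one
    resp = build_provider_response(key, "alice@example.org")
    print("signed AX:", signed_ax_values(resp, key))
    unsigned = build_provider_response(key, "alice@example.org", sign_ax=False)
    print("unsigned AX (dropped):", signed_ax_values(unsigned, key))
```

Note that this only gives the RP integrity for the AX values; the email still travels in clear text inside the redirect URL, so the eavesdropping concern raised in the thread is not addressed by signing and is left to TLS on the redirect or to the direct retrieval / encrypted-token options of the later spec.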