<br><font size=2 face="sans-serif">As a developer of an implementation
(which no doubt still needs work), I would really like to see and contribute
to a bunch of published test cases which describe and expose common vulnerabilities
and implementation issues. I am loath to say conformance or interoperability
testing, as, having been involved in both those activities before, I know
they typically end up with the "lowest common denominator that works".
What I am talking about is test cases or at least a guide/FAQ which describes
scenarios that expose common problems. The list you've described below
is good input and definitely something I'll be working through. Having
this information on a developer FAQ/wiki would be useful too. </font>
<br>
<br><font size=2 face="sans-serif">Regards,</font>
<br><font size=2 face="sans-serif">Shane.</font>
<br>
<br>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td width=40%><font size=1 face="sans-serif"><b>"Andrew Arnott"
<andrewarnott@gmail.com></b> </font>
<br><font size=1 face="sans-serif">Sent by: general-bounces@openid.net</font>
<p><font size=1 face="sans-serif">31/07/2008 02:46 AM</font>
<td width=59%>
<table width=100%>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">To</font></div>
<td><font size=1 face="sans-serif">"OpenID List" <general@openid.net></font>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">Subject</font></div>
<td><font size=1 face="sans-serif">[OpenID] The complexity of OpenID, and
imperfect RPs</font></table>
<br>
<table>
<tr valign=top>
<td>
<td></table>
<br></table>
<br>
<br>
<br><font size=3>I have been shifting my identity to my own i-name, and
adding several authentication SEPs so that regardless of which RP I sign
into, a supported OP ought to be found in my list (if the RP were to use
a whitelist for example). In theory, it's really cool. I can
log in as =Arnott anywhere (that takes OpenID) and my CanonicalID is used
so my identity is secure for my whole life. Great... in theory.<br>
<br>
Here are some of the harsh realities I've encountered while trying to live
in this ideal situation:</font>
<br><font size=2 face="sans-serif">1. </font><font size=3>The
RP selects the wrong OP from the XRDS document (it supports any/all of
the OPs, but chooses the first listed one rather than the one with the
best priority rating).</font>
<br><font size=2 face="sans-serif">2. </font><font size=3>The
RP attempts authentication against one of my OPs (whether it's my preferred
one or not) and fails, whether it's a discovery failure, an assertion verification
failure, or whatever.</font>
<br><font size=2 face="sans-serif">3. </font><font size=3>Although
many RPs can authenticate me as =Arnott, for the ones that can't, I try </font><a href=http://blog.nerdbank.net/><font size=3 color=blue><u>http://blog.nerdbank.net</u></font></a><font size=3>,
which includes both an XRDS reference and the standard OpenID LINK tags.
</font>
If this succeeds, now I've got to remember which sites I've logged
into as =Arnott vs. </font><a href=http://blog.nerdbank.net/><font size=3 color=blue><u>blog.nerdbank.net</u></font></a><font size=3>.
If this fails, then I can choose to either surrender my attempt at
using my own personalized identifier and start trying my individual OP-assigned
identifiers, or just give up and leave the RP.</font>
<br><font size=2 face="sans-serif">4. </font><font size=3>Upon
successful authentication, the RP incorrectly stores my user-supplied identifier
(=Arnott) instead of my claimed identifier (=!9B72.7DD1.50A9.5CCD). Since
I have no/little way of realizing this, I naively believe that my identity
on this site is secure, but when I eventually surrender my =Arnott i-name
for another one but keep my CanonicalID, the site doesn't recognize me
as the same person, and worse, someone else assumes my identity.</font>
<br><font size=2 face="sans-serif">5. </font><font size=3>Many
RPs choose to use their own home-spun minimal implementation of OpenID
that is full of security holes (I've seen plenty). As a logging in
user, I have no way to know whether this is a decent implementation of
OpenID that I'm logging into or not. If I doubt it at all, then I
must assume that anyone else can spoof my identity on this site by exploiting
one of the many bugs common in these home-spun implementations.</font>
<br><font size=3>Correctly processing an XRDS document in a fully XRDS
spec-compliant way is no small task, and I'd wager that most or all of
the OpenID libraries do not do it perfectly. This means that any
user trying to make the most of OpenID will likely be unable to log into
some RP web sites, or perhaps may be able to but be unaware that the RP
incorrectly interpreted the XRDS doc and stored something wrong about his
identity. <b><br>
<br>
Suggestions</b><br>
It seems to me that if an RP doesn't want to risk losing visitors due to
their unexpected or perhaps buggy identifiers/OPs, an RP should probably
have a list of known-compatible OPs on any authentication error page it
might display.<br>
I have a suggestion for the other problem(s), but I'm still working out
details. I may propose it to this list soon.<br>
<br>
In the meantime, does anyone else have thoughts regarding how to help solve
these problems? Obviously, "implement the spec correctly"
is the trivial answer. I'm looking for ideas on how to </font><a href="http://blog.nerdbank.net/2008/04/argument-for-extra-dependency-of.html"><font size=3 color=blue><u>promote
reuse of libraries</u></font></a><font size=3> rather than home-spun implementations,
and how to assure users that the right things are happening behind the
scenes at the RP so that he/she can trust the site.</font><tt><font size=2>_______________________________________________<br>
general mailing list<br>
general@openid.net<br>
http://openid.net/mailman/listinfo/general<br>
</font></tt>
<br>
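<br>
The kind of test case Shane asks for, covering points 1 and 4 of Andrew's list, as an added example that is not part of either message and not code from any OpenID library. The XRDS document, the op-a/op-b/op-c endpoint hostnames and the user-supplied i-name handling are constructed for the example; the CanonicalID value is the one quoted in the thread. Service and URI ordering follows XRI Resolution 2.0 (a lower priority number wins; an absent priority sorts after every numeric one), and the Status cid="verified" check is the one an RP relies on when it trusts a proxy resolver to have verified the CanonicalID.

```python
"""Test case for two RP mistakes from the thread: taking the first listed
<Service> instead of the best-priority one, and storing the user-supplied
i-name instead of the verified CanonicalID. The XRDS below is constructed
and the op-*.example endpoints are placeholders, not real OPs."""
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"
OPENID2_SERVER = "http://specs.openid.net/auth/2.0/server"

# Constructed XRDS: services deliberately listed out of priority order, one
# <Service> with no priority (lowest per XRI Resolution), one non-OpenID
# service with the best priority of all (must be ignored entirely).
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Query>*Arnott</Query>
    <Status cid="verified" code="100"/>
    <CanonicalID>=!9B72.7DD1.50A9.5CCD</CanonicalID>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-b.example/endpoint</URI>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI priority="2">https://op-a.example/backup</URI>
      <URI priority="1">https://op-a.example/endpoint</URI>
    </Service>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op-c.example/endpoint</URI>
    </Service>
    <Service priority="1">
      <Type>http://example.com/not-openid</Type>
      <URI>https://not-openid.example/</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Same document, but the proxy resolver did not verify the CanonicalID.
UNVERIFIED_XRDS = SAMPLE_XRDS.replace('cid="verified"', 'cid="absent"')


def tag(name):
    return "{%s}%s" % (XRD_NS, name)


def parse_xrds(text):
    """Return the final XRD; in a resolution chain that describes the queried XRI."""
    xrds = ET.fromstring(text).findall(tag("XRD"))
    if not xrds:
        raise ValueError("no XRD element in XRDS document")
    return xrds[-1]


def priority(elem):
    """Lower number wins; a missing or malformed priority sorts last."""
    try:
        return int(elem.get("priority"))
    except (TypeError, ValueError):
        return float("inf")


def openid_services(xrd):
    """Only <Service> elements advertising an OpenID 2.0 type count."""
    wanted = {OPENID2_SIGNON, OPENID2_SERVER}
    return [s for s in xrd.findall(tag("Service"))
            if wanted & {t.text.strip() for t in s.findall(tag("Type")) if t.text}]


def first_listed_endpoint(xrd):
    """The buggy RP from point 1: document order, priorities ignored."""
    return openid_services(xrd)[0].find(tag("URI")).text.strip()


def best_endpoint(xrd):
    """Best Service priority, then best URI priority inside it. sorted() is
    stable, so equal priorities keep document order here; the spec says to
    choose among equals at random."""
    services = sorted(openid_services(xrd), key=priority)
    if not services:
        return None
    uris = sorted(services[0].findall(tag("URI")), key=priority)
    return uris[0].text.strip()


def verified_canonical_id(xrd):
    """Point 4: for an XRI the identifier to persist is the CanonicalID, and
    only when the trusted resolver marked it verified. None means the RP must
    refuse the login, not fall back to the user-supplied i-name."""
    status = xrd.find(tag("Status"))
    cid = xrd.find(tag("CanonicalID"))
    if status is None or status.get("cid") != "verified" or cid is None or not cid.text:
        return None
    return cid.text.strip()


def rp_login_record(xrds_text, user_supplied):
    """What a careful RP stores after discovery: the endpoint it will talk to
    and the claimed identifier it keys the account on (never =Arnott itself)."""
    xrd = parse_xrds(xrds_text)
    claimed = verified_canonical_id(xrd)
    if claimed is None:
        raise ValueError("CanonicalID for %s is missing or unverified" % user_supplied)
    return {"endpoint": best_endpoint(xrd), "claimed_id": claimed}


if __name__ == "__main__":
    xrd = parse_xrds(SAMPLE_XRDS)
    print("first listed :", first_listed_endpoint(xrd))
    print("best priority:", best_endpoint(xrd))
    print("store        :", rp_login_record(SAMPLE_XRDS, "=Arnott"))
```

Run against SAMPLE_XRDS, first_listed_endpoint() returns the op-b endpoint while best_endpoint() returns op-a's priority-1 URI, which is the difference Andrew describes in point 1; rp_login_record() keys the account on the CanonicalID and raises on UNVERIFIED_XRDS rather than silently storing "=Arnott", which is the failure in point 4.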