I like the idea.... but the XRDS would have to mandatorily <i>not</i> be hosted by <i>either</i> OP (which right now is commonly done), since that OP would still ultimately have total assertion power by temporarily manipulating the XRDS file to point to two OP endpoints that were both controlled by the evil party.<br clear="all">
--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Sat, Nov 29, 2008 at 10:41 AM, David Fuelling <span dir="ltr"><<a href="mailto:sappenin@gmail.com">sappenin@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hey List,<br><br>I've been thinking about the security of OpenID lately, dreaming about the day when I'll be able to use OpenID at my bank's website. One issue that I keep coming back to is that my OP (or a rogue employee at my OP) could masquerade as me at OpenID-enabled RP's across the web since the OP is a single authentication point in the OpenID ecosystem.<br>
<br>To mitigate this problem, one idea I have would be to utilize a 2-headed OpenID auth scheme, whereby a "higher security" RP (like my bank) would require OpenID authentication assertions from two separate OP's. This would preclude somebody at OP #1 from masquerading as me, since any RP would require a second auth from a different OP, outside the control of the first OP.<br>
<br>On the face of it all, this approach would seem to require two different OpenIDs (one for each OP). However, using Yadis/XRDS, one could specify a primary and secondary OP for a particular OpenID. Assuming that the user is logged-in to both OP's, this dual-auth may even go un-noticed by the user. Of course, an RP could also just allow the user to select two different OP's to use for auth assertions at login time. <br>
<br>I suppose there are several ways to make this happen, but I'd appreciate any feedback on this idea...<br><br>Thanks!<br><font color="#888888"><br>David<br><br>
</font><br>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<br></blockquote></div><br>