<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:955718542;
mso-list-type:hybrid;
mso-list-template-ids:-1249336108 201916431 201916441 201916443 201916431 201916441 201916443 201916431 201916441 201916443;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1
{mso-list-id:1502308901;
mso-list-type:hybrid;
mso-list-template-ids:837744592 201916431 201916441 201916443 201916431 201916441 201916443 201916431 201916441 201916443;}
@list l1:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
-->
</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-AU" link="blue" vlink="purple">
<div class="Section1">
<p class="MsoNormal">If we do end up with dual discovery paths:<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>making a GET request directly to an OpenID identifier; or<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo2"><![if !supportLists]><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>following a decoupled discovery path (eg request to Google) backed by trusted signatures on the resultant XRDS files;<o:p></o:p></p>
<p class="MsoNormal">then an OpenID login can be compromised by either path.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">A motivation for path #2 was that it is hard for a small business to make its website extremely secure from attacks that could modify web pages. However, even RPs that try path #2 will also try path #1 (unless we totally ditch OpenID 1.1
& 2.0 support!) so attacks modifying a small business’s web pages can still compromise their OpenID logins.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">One way to prevent dual paths reducing security for each other would be if each path applied to different OpenID identifiers. That is, only use path #1 for http & https OpenID identifiers; and use some other form of OpenID identifier for
path #2.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span lang="FR" style="font-size:12.0pt;font-family:"Arial","sans-serif"">James Manger</span></b><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<br>
</span><u><span lang="FR" style="font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue"><a href="mailto:James.H.Manger@team.telstra.com">James.H.Manger@team.telstra.com</a></span></u><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
<br>
</span><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Identity and security team</span><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
</span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">—</span><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> Chief Technology Office</span><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
</span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">—</span><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> Telstra</span><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">
</span><o:p></o:p></p>
</div>
</body>
</html>