[security] browser integration?

John Fraser showdown at attacklab.net
Thu Apr 5 23:10:32 UTC 2007


Hi,

New here.  Has the shape of Firefox's OpenID support been decided yet?
If not, here's an anti-phishing suggestion that should be easy to
mock up with bookmarklets.

The idea is to move away from redirection and towards proactive,
out-of-band login.  Users would log in to their OpenID providers
*before* signing in to RPs -- ideally with a single click in the
browser's chrome on a page with an OpenID prompt.  The browser would
contact the user's OP and submit a checkid_setup request on behalf of
the current page (opening a new window if necessary), autofill the
OpenID URL on the RP's page, then leave it up to the user to submit
the form.  Once that happens, the RP would authenticate exactly as it
does now -- but it should never need to redirect the user to a login
screen, since the OP already knows to approve its request.  It's kind
of like making an extra trip to myopenid.com and clicking "allow
forever."

OPs could implement this right now, and use bookmarklets to make it
user-friendly.  They'd need to add an extra parameter to
checkid_setup, which would tell the OpenID server that "approve once"
should actually mean "approve on the next attempt," and that it
shouldn't redirect the user.  None of this requires any change to the
RP; it's all between the OP and the OP's bookmarklet -- in fact, it's
only worth standardizing if browsers really are going to get in the
game.

There would be some hacky implementation details (like identifying the
"next attempt," since you don't have access to trust_root), but it
should be possible to build something that works pretty well right
now.

- John Fraser
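
An added sketch of the OP-side bookkeeping the message above proposes; it is not part of the original post and not code from any OpenID provider. The names PreApprovalStore, preapprove and decide, the two-minute lifetime, and the use of the bookmarklet page's origin as a stand-in for the not-yet-known trust_root are all assumptions made for illustration.

```javascript
// Added illustration. PreApprovalStore, its methods and the TTL are
// hypothetical names and values, not taken from the post or any OP.
const PREAPPROVAL_TTL_MS = 2 * 60 * 1000; // assumed short validity window

// Origin (scheme://host:port) of a URL, or null if it does not parse.
function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

class PreApprovalStore {
  constructor() {
    this.pending = new Map(); // identity URL -> { origin, expires }
  }

  // Bookmarklet step: checkid_setup carrying the extra "approve on the
  // next attempt" parameter. Only the RP page URL is known at this point.
  preapprove(identity, pageUrl, now) {
    const origin = originOf(pageUrl);
    if (origin === null || origin === "null") return false;
    this.pending.set(identity, { origin, expires: now + PREAPPROVAL_TTL_MS });
    return true;
  }

  // RP step: the real request arrives. "approve" skips the login screen;
  // "prompt" falls back to the normal interactive approval.
  decide(identity, trustRoot, returnTo, now) {
    const entry = this.pending.get(identity);
    if (!entry) return "prompt";
    this.pending.delete(identity); // one-shot, even when the match fails
    if (now > entry.expires) return "prompt";
    const match = originOf(returnTo) === entry.origin &&
                  originOf(trustRoot) === entry.origin;
    return match ? "approve" : "prompt";
  }
}

// Constructed sample exchange (all URLs are made up).
function demo() {
  const op = new PreApprovalStore();
  const id = "https://alice.op.example/";
  op.preapprove(id, "https://blog.example/post/42#comments", 0);
  const first = op.decide(id, "https://blog.example/", "https://blog.example/openid/finish", 1000);
  const replay = op.decide(id, "https://blog.example/", "https://blog.example/openid/finish", 2000);
  op.preapprove(id, "https://blog.example/post/42", 3000);
  const otherSite = op.decide(id, "https://other.example/", "https://other.example/finish", 4000);
  return [first, replay, otherSite];
}

console.log(demo());
```

Binding the pre-approval to the page's origin and consuming it on the first request keeps a pending approval from being picked up by a different site that asks for the same identity inside the window.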


