[PROPOSAL] Handle "http://user at example.com" Style Identifiers
George Fletcher
gffletch at aol.com
Mon Oct 23 02:00:00 UTC 2006
Dick Hardt wrote:
> With OpenID, there is a presumption the user has selected a trust
> worthy IdP that will only present the user's identifiers when it
> really is the user.
>
Doesn't this imply that both the user and RP have to know which IdP's
are "trust worthy"?
> Actually, idp.spammers.com cannot do that. The URL has metadata that
> states which IdP(s) are authoritative. What idp.spammers.com can do is
> flood an RP with a bunch of identifiers. But this is no different then
> a script creating new accounts on a system and is defended using the
> same mechanisms such as throttling and captchas.
>
So why can't idp.spammers.com allow anyone to enter a URI of
http://idp.spammers.com/<name> that resolves to a valid XRDS document.
The RP then follows the IdP service link back to
https://idp.spammers.com and does the association exchange. Now the RP
re-directs the user to https://idp.spammers.com for the login page,
which just re-directs the user back to the RP with the valid "assertion"
fields. idp.spammers.com does not have to ask the user for
authentication credentials (that is out of scope for the spec). For
commenting on blogs this would be similar to "bugmenot" for web
subscription services.
So of course, the RP just needs to "blacklist" idp.spammers.com. But
now we are back in the same situation we have today where its a race
between spammers setting up "IdPs" and RPs "black-listing" them.
Fundamentally, "trust worthiness" is paramount to making the system
work. For now, this means RPs will likely have some sort of ACL (black
or white) for the IdPs that they deal with.
Thanks,
George
More information about the specs
mailing list