Proposal: ClaimOP -- an in-band OP identity system
Boris Erdmann
boris.erdmann at googlemail.com
Tue May 15 15:40:57 UTC 2007
*** The purpose of this is to create an identity system enabling
browsers to verify that credentials are to be sent to the right
endpoint. ***
It seems that nobody objects to the idea that phishing can be
prevented just by intercepting user input at the OP
(http://openid.net/pipermail/specs/2007-May/001640.html).
So here is my proposal for "ClaimOP", that enables browsers to detect
those infamous "looping-in login" (LIL) pages.
To announce a "basic auth" LIL page, an OP MUST provide the following
in their page headers:

  <head>
    <link rel="openid.auth_type"
          href="http://openid.net/specs/lil/auth-types-1.0#basic" />
    <link rel="openid.op_data" href="#<frm-id>" />
    <link rel="openid.identifier" href="#<oid-id>" />
    <link rel="openid.secret" href="#<pwd-id>" />
    ...
  </head>
where <frm-id>, <oid-id>, <pwd-id> identify elements in the LIL page
(http://www.w3.org/TR/html401/struct/links.html#h-12.2.3).
The LIL page MUST contain the following elements:

* A <form id="<frm-id>"> element that carries a return data set for the OP.
* An <input id="<oid-id>"> element that carries the openid.identifier value.
  The openid.identifier MUST be an OP-Local identifier.
  This element MUST be a child of, and related to,
  the <form id="<frm-id>"> element.
* An <input id="<pwd-id>"> element that acts as a container for an
  "openid basic auth secret".
  This element MUST be a child of, and related to,
  the <form id="<frm-id>"> element.
Example:

  <form id="frm-id" method="post"
        action="https://exampleop.com/basic-auth-login-handler">
    <input id="oid-id" type="text" name="login" readonly="readonly"
           value="https://myname.exampleid.com/" />
    <input id="pwd-id" type="password" name="op_passwd_field" />
    ...
  </form>
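As an added example (not part of this proposal or of any OpenID implementation), here is the browser-side check that the head and form markup above would let a user agent perform: it resolves the openid.* link hints, confirms the referenced inputs sit inside the referenced form, and confirms the form posts over HTTPS to the OP host the browser expects. The expected host is assumed to come from the browser's earlier OP discovery, and both sample pages are constructed.

```python
# Added example: a user agent verifying a "looping-in login" page before
# it lets the user type the OP secret into it. Not from the proposal.
from html.parser import HTMLParser
from urllib.parse import urlparse

BASIC = "http://openid.net/specs/lil/auth-types-1.0#basic"

class LilPageParser(HTMLParser):
    """Collect openid.* <link> hints and map element ids to (tag, attrs, enclosing form id)."""
    def __init__(self):
        super().__init__()
        self.links, self.elements, self._forms = {}, {}, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").startswith("openid."):
            self.links[a["rel"]] = a.get("href") or ""
        if tag == "form":
            self._forms.append(a.get("id"))          # track which form we are inside
        if a.get("id"):
            self.elements[a["id"]] = (tag, a, self._forms[-1] if self._forms else None)
    def handle_endtag(self, tag):
        if tag == "form" and self._forms:
            self._forms.pop()

def check_lil_page(html, expected_op_host):
    """Return (ok, problems). expected_op_host: OP endpoint host known from discovery (assumed)."""
    p = LilPageParser()
    p.feed(html)
    problems = []
    if p.links.get("openid.auth_type") != BASIC:
        problems.append("openid.auth_type is not the basic auth type")
    def frag(rel):                        # '#frm-id' -> 'frm-id'; anything else -> None
        href = p.links.get(rel, "")
        return href[1:] if href.startswith("#") else None
    frm = frag("openid.op_data")
    form = p.elements.get(frm)
    if form is None or form[0] != "form":
        return False, problems + ["openid.op_data does not reference a <form>"]
    action = urlparse(form[1].get("action") or "")
    if action.scheme != "https" or action.hostname != expected_op_host:
        problems.append(f"form posts to {action.geturl()}, not to https://{expected_op_host}")
    for rel in ("openid.identifier", "openid.secret"):
        el = p.elements.get(frag(rel))
        if el is None or el[0] != "input":
            problems.append(f"{rel} does not reference an <input>")
        elif el[2] != frm:                # the child-of-form requirement from the proposal
            problems.append(f"{rel} input is not a child of form #{frm}")
    return not problems, problems

# Constructed samples: a genuine LIL page, and a copy whose form posts to another host.
GENUINE = """<head><link rel="openid.auth_type" href="%s" />
<link rel="openid.op_data" href="#frm-id" /><link rel="openid.identifier" href="#oid-id" />
<link rel="openid.secret" href="#pwd-id" /></head><body>
<form id="frm-id" method="post" action="https://exampleop.com/basic-auth-login-handler">
<input id="oid-id" type="text" name="login" readonly="readonly" value="https://myname.exampleid.com/" />
<input id="pwd-id" type="password" name="op_passwd_field" /></form></body>""" % BASIC
LOOKALIKE = GENUINE.replace("https://exampleop.com/", "https://login-exampleop.example/")
```

Note that the identifier's host is deliberately not compared with the OP host: the example page itself uses an identifier on a different domain from the login handler.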
It remains to be discussed whether this proposal is too intrusive for OPs to
implement, or whether it restricts their freedom in page design too much.
I'll continue with a follow-up post called
"Proposal: ClaimOP -- what does this buy us".
-- Boris