Proposal: ClaimOP -- an in-band OP identity system

Johannes Ernst jernst+openid.net at netmesh.us
Tue May 15 16:01:01 UTC 2007


Regardless of the merits of this proposal, can we please not add more  
"link rel" lines, but use Yadis instead which is a much more robust  
way of accomplishing the same thing (and more)?


On May 15, 2007, at 8:40, Boris Erdmann wrote:

> *** The purpose of this is to create an identity system enabling
> browsers to verify that credentials are to be sent to the right
> endpoint. ***
>
>
> It seems that nobody objects to the idea that phishing can be
> prevented just by intercepting user input at the OP
> (http://openid.net/pipermail/specs/2007-May/001640.html).
>
>
> So here is my proposal for "ClaimOP", that enables browsers to detect
> those infamous "looping-in login" (LIL) pages.
>
>
> To announce a "basic auth" LIL page, an OP MUST provide the following
> in their page headers:
>
>
> <head>
>     <link rel="openid.auth_type"
>             href="http://openid.net/specs/lil/auth-types-1.0#basic" />
>     <link rel="openid.op_data" href="#<frm-id>" />
>     <link rel="openid.identifier" href="#<oid-id>" />
>     <link rel="openid.secret" href="#<pwd-id>" />
>     ...
> </head>
>
>
> where <frm-id>, <oid-id>, <pwd-id> identify elements in the LIL page
> (http://www.w3.org/TR/html401/struct/links.html#h-12.2.3).
>
>
> The LIL page MUST contain the following elements
>
> * A <form id="<frm-id>"> element that carries a return data set
>    for the OP.
>
> * An <input id="<oid-id>"> element that carries the
>    openid.identifier value.
>    The openid.identifier MUST be an OP-Local identifier.
>    This element MUST be a child of and related to
>    the <form id="<frm-id>"> element.
>
> * An <input id="<pwd-id>"> element that acts as a container for an
>    "openid basic auth secret".
>    This element MUST be a child of and related to
>    the <form id="<frm-id>"> element.
>
>
> Example:
>
> <form id="frm-id" method="post"
>         action="https://exampleop.com/basic-auth-login-handler">
>
>     <input id="oid-id" type="text" name="login" readonly="readonly"
>             value="https://myname.exampleid.com/" />
>
>     <input id="pwd-id" type="password" name="op_passwd_field" />
>     ...
> </form>
>
>
> It is to be discussed if this proposal is too intrusive for OPs to
> implement, or if it cuts down their variability.
>
> I'll continue with a follow-up post called
> "Proposal: ClaimOP -- what does this buy us".
>
>
> -- Boris
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
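The browser-side check that the quoted proposal asks for, as an added example that is not part of either message and not code from the OpenID project: it reads the openid.* link relations from the page head, resolves the fragment references to elements, and verifies the MUST rules (basic auth type announced, both inputs inside the announced form) before reporting where the secret would be posted. Python's standard html.parser stands in for the browser DOM; the page is constructed from the head and form fragments in the post (the hostnames and ids are the post's hypothetical ones); the counter-example page with a relocated password field, and the comparison of the form action against the page origin, are assumptions added here and are not rules stated in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Auth type URI announced by a "basic auth" LIL page, from the proposal.
BASIC_AUTH = "http://openid.net/specs/lil/auth-types-1.0#basic"

# Constructed sample LIL page assembled from the <head> and <form> fragments in the post.
GOOD_PAGE = """<html><head>
  <link rel="openid.auth_type" href="http://openid.net/specs/lil/auth-types-1.0#basic" />
  <link rel="openid.op_data" href="#frm-id" />
  <link rel="openid.identifier" href="#oid-id" />
  <link rel="openid.secret" href="#pwd-id" />
</head><body>
<form id="frm-id" method="post" action="https://exampleop.com/basic-auth-login-handler">
  <input id="oid-id" type="text" name="login" readonly="readonly"
         value="https://myname.exampleid.com/" />
  <input id="pwd-id" type="password" name="op_passwd_field" />
  <input type="submit" value="Log in" />
</form></body></html>"""

# Constructed counter-example (assumption, not from the post): the secret field has been
# moved out of the announced form into a second form with a different action, so the
# password would not go where the openid.op_data form says it goes.
BAD_PAGE = GOOD_PAGE.replace(
    '  <input id="pwd-id" type="password" name="op_passwd_field" />\n', ''
).replace(
    '</form></body>',
    '</form>\n<form action="https://collector.example/grab">\n'
    '  <input id="pwd-id" type="password" name="op_passwd_field" />\n</form></body>')


class ClaimOpScanner(HTMLParser):
    """Collects openid.* <link> relations and id-bearing elements, remembering the
    enclosing <form> of each element (a browser would ask the DOM for this)."""

    def __init__(self):
        super().__init__()
        self.links = {}      # rel -> href
        self.elements = {}   # id -> (tag, attrs, id of enclosing form or None)
        self._forms = []     # stack of currently open <form> ids

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").startswith("openid."):
            self.links[a["rel"]] = a.get("href") or ""
        if a.get("id"):
            self.elements[a["id"]] = (tag, a, self._forms[-1] if self._forms else None)
        if tag == "form":
            self._forms.append(a.get("id"))

    def handle_endtag(self, tag):
        if tag == "form" and self._forms:
            self._forms.pop()


def check_claimop(page_html, page_origin=None):
    """Apply the ClaimOP rules from the post to a page. Returns the announced auth
    type, the action of the op_data form, the identifier value, and a list of rule
    violations (empty when the page is well-formed)."""
    s = ClaimOpScanner()
    s.feed(page_html)
    s.close()
    problems = []

    auth_type = s.links.get("openid.auth_type")
    if auth_type != BASIC_AUTH:
        problems.append("openid.auth_type missing or not the basic auth type")

    def resolve(rel, want_tag):
        # op_data, identifier and secret MUST be same-document references (#id).
        href = s.links.get(rel, "")
        if not href.startswith("#") or href[1:] not in s.elements:
            problems.append(f"{rel} does not reference an element in this page")
            return None
        tag, attrs, enclosing = s.elements[href[1:]]
        if tag != want_tag:
            problems.append(f"{rel} references a <{tag}>, expected <{want_tag}>")
            return None
        return href[1:], attrs, enclosing

    form = resolve("openid.op_data", "form")
    ident = resolve("openid.identifier", "input")
    secret = resolve("openid.secret", "input")

    if form:
        # Both inputs MUST be children of the openid.op_data form.
        for rel, el in (("openid.identifier", ident), ("openid.secret", secret)):
            if el and el[2] != form[0]:
                problems.append(f"{rel} element is not inside the openid.op_data form")
    action = form[1].get("action", "") if form else None
    if page_origin and action:
        # Added check, not a rule in the post: the browser knows the page origin, so it
        # can refuse a LIL form whose action would post the secret somewhere else.
        u = urlsplit(action)
        if f"{u.scheme}://{u.netloc}" != page_origin:
            problems.append(f"form action {action} is not on page origin {page_origin}")

    return {"auth_type": auth_type, "action": action,
            "identifier": ident[1].get("value") if ident else None,
            "problems": problems}


if __name__ == "__main__":
    for name, page in (("good", GOOD_PAGE), ("bad", BAD_PAGE)):
        r = check_claimop(page, page_origin="https://exampleop.com")
        print(name, "OK" if not r["problems"] else r["problems"])
```

The check is purely structural: it confirms the announced form contains both inputs and learns the endpoint the secret will be posted to, which is what the proposal wants the browser to know before filling in a password. It cannot tell whether the identifier value is actually OP-Local, since nothing in the markup distinguishes that from any other URL; that rule has to be enforced by the OP.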
