Proposal: ClaimOP -- what does it buy?

Boris Erdmann boris.erdmann at googlemail.com
Tue May 15 17:47:16 UTC 2007


On 5/15/07, Dick Hardt <dick at sxip.com> wrote:
> On 15-May-07, at 9:57 AM, Boris Erdmann wrote:
> > Well,
> > two reasons:
> > a)
> >
> > I outlined before (http://openid.net/pipermail/specs/2007-May/
> > 001643.html and
> > http://openid.net/pipermail/security/2007-May/000365.html) that the
> > current specification(s) allow for (corner?) cases where the browser
> > would have a hard time tracking the protocol flow from the start (at
> > the RP). This would either lead to an implied reduction of variability
> > or - due to complexity - to breakable browser implementations (imo).
>
> Then perhaps we should tweak the protocol flow so that the browser
> can detect it?

Well, no problem with that, if it is consensus.
But how would you change OpenID 1.0/1.1?

> > That's why I made the proposition
> > (http://openid.net/pipermail/specs/2007-May/001640.html) in the first
> > place -- to discuss if the whole thing can be broken down to the
> > situation at the OP site, which can be perfectly controlled.
>
> Studies show that users will do the wrong thing. The RP can send the
> user to a proxy of the OP, the browser will not know that the user
> thinks it is the OP, and the user will type in their credentials.

Well, not with my approach (unless you prove me wrong)!

The browser will not let you send any password to a site that
is not authorized for the requested openid.

The browser does not need to know if the OP is the one the user
expects it to be.

Read my proposal and my explanation. Think about it. Ask questions.
I most probably did not make myself clear (I am not a native English speaker).

> > My approach makes OpenID not part of the problem ("openid is broken,
> > it can be phished") but part of the solution. I hope one can see the
> > idea behind my proposal.
> >
> > b)
> >
> > One of the cool things about OpenID is that it works w/o me telling
> > my browser who I am. I can go anywhere on the planet, and don't have
> > to take my browser with me, but nevertheless OpenID works. That's
> > cool. My idea adds to that.
>
> But you would need a modified browser still would you not?

Yes. But it doesn't tie security to preconfiguring the browser.

> > I don't like the idea of tying OpenID security to the fact that it
> > would be safe if only I had my preconfigured browser at hand. My idea
> > doesn't necessarily need that. And I believe, that this is something
> > that would make OpenID unique compared to some other solutions.
>
> You would still need a browser to be modified. If you are using
> someone else's machine, then you could change the OP being used.

Of course -- I could even log into my OP before starting a session at
a consumer site. It's all about "convenience" with the looping-in
login page. So, add a few clicks to configure your browser, and a few
to reconfigure it after using it and watch usability go down the tubes
:-)

Seriously, you could at any time decide to remove the looping-in login
from the valid protocol flow and the problem would vanish. (But then,
that could have been done long before.)

> > That is not to say that an Identity Manager is a bad thing in itself
> > -- but tying security to it, I think, is.
>
> That seems to be a contradiction.

Does it really? Then let me explain.


-- Boris