rethinking ClaimOP -- phishing solution briefly explained

Boris Erdmann boris.erdmann at googlemail.com
Wed May 16 13:55:59 UTC 2007


Hi,

after thinking a bit more about this, I realize the following:

ClaimOP is not necessarily different but complements other ideas: it
just adds robustness to what is intended anyway (be it an Identity
Manager or browser integration in general)


So, what do you think about the following flow?
(Still the trick is done at the OP site, it seems)


1. User visits an RP, enters their openid

2. Browser can detect RP (assumption)

3. Browser collects and remembers user's openid

... < action not necessarily known/recognized by the browser >

4. User gets to an OP site -- a looping-in login page.

5. OP says: "Hey, I'm an OP" to the browser. See proposal
     http://openid.net/pipermail/specs/2007-May/001654.html

6. Browser takes over in a visual and trusted manner.

7. Browser, User check "OP provided"
     against "User intended"  *identifier*

     For example:

       If OP-provided identity doesn't match any of the
       previously collected openids: Let user reenter openid.

       If OP-provided identity still doesn't match: phishing alert!


8. User supplies password or Identity Manager does so.

9. Browser lets user submit only if discovery for
     the identifier matches the OP realms
     (location.href / form.action)


Advantages:

* Simple, easy to do, proof.

* Adds little overhead to OPs.
  (once started by a few it would be adopted soon)

* Compatible with OpenID1.x/2.0
  (needs no change in any version of the protocol)

* Makes OpenID a solution, not part of the problem



-- Boris
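As an added example (not code from Boris's post, from any browser, or from the OpenID project): a JavaScript simulation of the two browser-side checks in steps 7 and 9, with real discovery replaced by a constructed identifier-to-endpoint table and all hostnames constructed for illustration.

```javascript
// Constructed stand-in for OpenID discovery (real discovery fetches the
// identifier URL and reads the OP endpoint from it): identifier -> endpoint.
const DISCOVERY = {
  'http://alice.example.net/': 'https://op.example.net/auth',
  'http://bob.example.org/': 'https://login.example.org/openid/server',
};

// Normalize a typed identifier the way an RP does before discovery:
// add a scheme if missing, lower-case the host, drop any fragment.
function normalizeIdentifier(raw) {
  let s = raw.trim();
  if (!/^https?:\/\//i.test(s)) s = 'http://' + s;
  const u = new URL(s);
  u.hash = '';
  return u.href;
}

function discover(identifier) {
  return DISCOVERY[normalizeIdentifier(identifier)] || null;
}

// Two URLs are in the same realm here when their origins (scheme, host, port) match.
function sameRealm(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Step 7: compare the identifier the OP claims to serve against the openids the
// browser remembered the user entering at RPs. First mismatch -> 'reenter';
// a mismatch after re-entry -> 'phishing'.
function checkIdentifier(opProvided, remembered, reentered) {
  const op = normalizeIdentifier(opProvided);
  if (remembered.map(normalizeIdentifier).includes(op)) return 'match';
  if (reentered === undefined) return 'reenter';
  return normalizeIdentifier(reentered) === op ? 'match' : 'phishing';
}

// Step 9: permit the password submit only if discovery for the identifier
// yields an endpoint in the same realm as both the login page (location.href)
// and where the form posts (form.action).
function allowSubmit(identifier, locationHref, formAction) {
  const endpoint = discover(identifier);
  if (!endpoint) return false;
  return sameRealm(endpoint, locationHref) && sameRealm(endpoint, formAction);
}
```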
