RFC: Final outstanding issues with the OpenID 2.0 Authentication specification
Josh Hoyt
josh at janrain.com
Thu May 17 20:30:14 UTC 2007
On 5/17/07, Sam Alexander <sam.alexander at vidoop.com> wrote:
> > 1. Identifier recycling. There are two different use cases for
> > identifier recycling. The first, and the one that most people who
> > I have talked to really want to solve is that of a large provider
> > that wants to allow re-use of parts of its namespace. The second
> > is if a user wants to relinquish control of an identifier without
> > relinquishing control of the places that they have used this
> > identifier. A concrete example of this is if I ever choose to stop
> > paying for j3h.us.
>
> This problem has already existed in the realm of e-mail for years
> (which I think is a great precedent for the problems we will (and do)
> face with OpenID). OpenID does an even better job of mitigating it
> because of built-in delegation. I think this should be left up to
> the OP to iron out (at least for now), and shouldn't be considered a
> block for finalizing OpenID 2.0.
There is a proposed solution that we had consensus on (Dick's
"fragment" proposal). This issue is a roadblock for certain companies
who have a large existing user base. I think that if we can solve it
without too much complexity and without taking too much time, we
should.
> > 2. Realm spoofing. This encompasses the attacks that Allen Tom has
> > described (using redirectors, proxies or XSS attacks) that create
> > new phishing opportunities and make certain types of phishing even
> > worse.
>
> There are solutions popping up like Verisign's plugin and our
> myVidoop implementation that are taking shots at how to battle
> phishing.
This is a totally different kind of phishing/proxy attack. This is not
an attack against the provider. Whether an authentication technology
is phishable is irrelevant to realm spoofing. Essentially, realm
spoofing uses holes in *relying party* sites to make users send data
to attackers. Read Allen Tom's messages that describe the problem for
more specific information about it.
As with the recycling issue, there are a couple of relatively simple
suggestions that make this problem a lot less severe. It's also a
prerequisite for getting larger companies to adopt OpenID, so I think
it's worth addressing.
Josh
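The "realm" that realm spoofing abuses is the scope an OP shows the user and checks the return_to URL against. As an added illustration (not part of this thread and not Josh's, Sam's or any project's code), the function below is my own implementation of the OpenID 2.0 realm matching rules as I read them (scheme and port must match, host must match or be covered by a "*." wildcard that is not at top-level, path must be equal to or a sub-directory of the realm's path, and a realm may not carry a fragment). The point for the attack described above is that this check is necessary but not sufficient: a return_to routed through an open redirector, proxy or XSS hole on the relying party still matches the relying party's realm, so the OP-side check has to be paired with closing those holes on the RP.

```python
from urllib.parse import urlsplit


def _split(url: str):
    """Normalise a URL into (scheme, host, port, path) for comparison."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http and https realms are meaningful here")
    # Default ports so "http://example.com/" and "http://example.com:80/" compare equal.
    port = parts.port or (443 if parts.scheme == "https" else 80)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return parts.scheme, host, port, path


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """True if return_to falls inside realm under the OpenID 2.0 matching rules.

    This is the comparison an OP performs before sending an assertion back to
    the relying party; it does not protect against holes inside a matching realm.
    """
    if urlsplit(realm).fragment:
        # A realm must not contain a fragment.
        return False
    r_scheme, r_host, r_port, r_path = _split(realm)
    u_scheme, u_host, u_port, u_path = _split(return_to)

    if r_scheme != u_scheme or r_port != u_port:
        return False

    if r_host.startswith("*."):
        suffix = r_host[1:]          # "*.example.com" -> ".example.com"
        # A wildcard realm must not sit at top level ("*.com" would cover everything).
        if "." not in suffix.strip("."):
            return False
        # The wildcard covers sub-domains and the bare domain itself.
        if not (u_host.endswith(suffix) or u_host == suffix.lstrip(".")):
            return False
    elif r_host != u_host:
        return False

    # The path must be the realm path or a sub-directory of it; a mere string
    # prefix ("/apple" against realm path "/app") is not enough.
    r_dir = r_path if r_path.endswith("/") else r_path + "/"
    return u_path == r_path or u_path.startswith(r_dir)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(return_to_matches_realm("http://example.com/openid/return?x=1", "http://example.com/"))
    print(return_to_matches_realm("http://attacker.example.net/", "http://example.com/"))
```

Applied at the OP, the second call would be refused; the first is accepted, which is exactly why an open redirector living under /openid/ on the relying party would not be caught by this check alone.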