Email Address to URL Transformation

SitG Admin sysadmin at shadowsinthegarden.com
Fri Jan 29 23:41:00 UTC 2010


>>  What you would be trusting Google for is not letting anyone else
>>  (say, Google) pose as you. That's *their* end of the authentication
>>  stick;
>
>This would only be true if Google is my OP.

In a joint Google/Yahoo venture, it would be (so would Yahoo).

>Merely allowing Google to
>advertise to the world who my OP is does not give them an opportunity to
>pose as me.

But that's exactly what delegation *is*; https://you.google.com/ 
returns an HTML page from the server containing OpenID headers that 
either specify the OP directly, or point to an XRD (perhaps hosted 
elsewhere) that specifies your OP - but it's still the OP for *that 
page* (the URI https://you.google.com/), and evil.hacker.com can 
advertise anything they want about you, but it doesn't (and shouldn't 
(and mustn't)) matter a whit :)

I think there was a bit more than delegation under discussion in the 
thread, though; and, despite not understanding exactly what the 
differences are, I'm hoping to figure out something else it might be 
useful for. (Or perhaps my inquiries will merely lead me to 
understanding what the rest of you *were* discussing, and I'll be 
following along a bit slowly.)

>Perhaps what you're driving at is that you do not want one "point of
>failure" (a single human) in one organization to be the cause for a security
>breach and what you want is to have authentication go through a multi-OP
>authentication procedure in order to validate a user?  If so, I can think of
>a way to do that without changing OpenID,

I don't think anyone has suggested changing OpenID (apart from the 
very public efforts to create new working groups, etcetera), and 
certainly there *have* been proposals for leveraging OpenID as it 
currently exists for a multi-OP authentication procedure; see
http://wiki.openid.net/f/openid-provider-multiauth-extension-1_0-2.html

>though there would still be the
>single, final answer coming from some single entity.  Do you want multiple
>replies to go back to the RP from multiple OPs, like having 2 locks on the
>front door of your home?  This would force the user to essentially log in
>two times in order to get authenticated.

This can be easier with non-password checks (such as smart cards). An 
attacker mugs you in the street for your wallet, but doesn't get the 
smart card that you only pick up from security when you come in for 
work (and drop off when you leave). Of more use in the shorter term, 
users can be dispatched to multiple OP's at once (there are posts in 
the general archives about how to handle this from a UI perspective), 
so they aren't waiting for one check to complete before starting the 
next; an example login might send a user to 5 different OP's on 
record for them, then accept the first 3 to return successfully.

>>  since they are the party being delegated from as well, you
>>  also trust them to be up (available to RP's) when you want to login
>>  somewhere.
>
>I would need Google to be up to advertise the location of my OP.  If they
>were down, though, I could still manually enter my URL-based OpenID ID.  You
>might be making a different point here and perhaps I'm missing it.

If you manually entered "https://you.google.com/" and Google was 
down, RP's would not be able to discover which OP was authoritative 
for it, nor confirm that you had not changed your headers/XRD to use 
a *new* OP (since the RP's last caching). (RP's could send you to the 
cached OP while simultaneously checking with your URI hosting 
provider - the party that advertises your OP - to find out whether it 
could still trust the reply, instead of delaying either.)

>>  It's the OpenID identifier this site would *provide* that I'm
>>  thinking about,
>
>Why would a blog *provide* an OpenID identifier?

For this you have to delve back into OpenID's history, to before the 
concept of "E-mails are the One True Universal Identifier that 
everyone already understands!" took over (Facebook still kind of 
clings to that idea, I guess, since they recently went for the whole 
"vanity URL" practice), when geeks thought that everyone would 
readily take to using their personal website (brad.livejournal.com, 
or whatever) as their Identity on the web; where people go to find 
out more about you, your online "presence".

>So, if my understanding above is right, I think I understand where you're
>going. If not, then I guess I'm still lost :)

The blind leading the . . . well, I'm lost too, anyway. I don't quite 
understand what was being proposed in the thread, but it sounded like 
it might have potential, so I'm trying to figure out where it might 
go that seemed interesting.

-Shade
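Added example, not from the original message or any OpenID project, for the multi-OP login sketched above (dispatch the user to several OPs at once and accept once enough have verified, e.g. 5 on record and accept the first 3). The OP checks are simulated callables with constructed names and delays; the k-of-n logic is the part a practitioner would want to see, including the early-failure case where enough OPs have already said no that k can no longer be reached.

```python
"""Added example: accept a login once k of n OP checks have succeeded,
without waiting for the slowest OP once the outcome is decided.
OP names and delays below are constructed for illustration."""
import time
from concurrent.futures import ThreadPoolExecutor, as_completed
from concurrent.futures import TimeoutError as FuturesTimeout


def verify_k_of_n(op_checks, k, timeout=5.0):
    """Run every OP check concurrently; return (ok, succeeded, failed).

    ok is True as soon as k checks report success, and False as soon as more
    than n - k have failed (k is then unreachable) or the timeout expires.
    Checks still running when the outcome is known are left to finish in the
    background rather than delaying the user.
    """
    n = len(op_checks)
    if not 0 < k <= n:
        raise ValueError("need 0 < k <= number of OPs")
    succeeded, failed = [], []
    pool = ThreadPoolExecutor(max_workers=n)
    futures = {pool.submit(check): name for name, check in op_checks.items()}
    try:
        for fut in as_completed(futures, timeout=timeout):
            name = futures[fut]
            try:
                ok = bool(fut.result())
            except Exception:          # unreachable OP, bad signature, etc.
                ok = False
            (succeeded if ok else failed).append(name)
            if len(succeeded) >= k:
                return True, succeeded, failed
            if len(failed) > n - k:
                return False, succeeded, failed
    except FuturesTimeout:
        pass
    finally:
        for fut in futures:            # drop checks that have not started
            fut.cancel()
        pool.shutdown(wait=False)      # do not block on the ones still running
    return False, succeeded, failed


def make_op(answer, delay):
    """Build a simulated OP check: answers True/False after `delay` seconds,
    or raises when answer is None (OP unreachable)."""
    def check():
        time.sleep(delay)
        if answer is None:
            raise OSError("OP unreachable")
        return answer
    return check


# Constructed: five OPs on record for a user; one is down, one is slow and
# declines. Three successes arrive well before the slow OP answers.
CONSTRUCTED_OPS = {
    "op-a.example": make_op(True, 0.01),
    "op-b.example": make_op(True, 0.03),
    "op-c.example": make_op(None, 0.05),   # down
    "op-d.example": make_op(True, 0.08),
    "op-e.example": make_op(False, 0.40),  # slow, and says no
}

# Constructed: too many OPs decline for 3-of-4 to ever be reached.
CONSTRUCTED_FAILING_OPS = {
    "op-a.example": make_op(True, 0.01),
    "op-b.example": make_op(None, 0.03),
    "op-c.example": make_op(False, 0.05),
    "op-d.example": make_op(True, 0.40),
}

if __name__ == "__main__":
    print(verify_k_of_n(CONSTRUCTED_OPS, 3))
    print(verify_k_of_n(CONSTRUCTED_FAILING_OPS, 3))
```

In the first run the decision is made when the third success (op-d) arrives, so the user is not held up by op-e; in the second, the second failure already makes 3 of 4 impossible and the login is refused without waiting for op-d.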


More information about the specs mailing list