Building identity on top of OAuth 2.0?
SitG Admin
sysadmin at shadowsinthegarden.com
Sun May 16 21:46:11 UTC 2010
>Compare message passing diagrams and you'll realize it's just a
>semantic difference.
I've been rethinking this, yes. Users still don't have a presence in
the chain; this is just cutting out middlemen. Tossing in more
middlemen to make up for leaving out an endpoint is a decent stop-gap
measure, but doesn't substitute in the long run (and for solid
mechanisms).
>> It's nice "when people follow the rules": grand, but useless to
>> protect against malicious OP's.
>
>Are you describing a security vulnerability? What rules must be
>violated for malicious OPs to cause damage?
They pretend to be the user: only the SSL endpoint (at your OP) needs
to be cached, so it can suddenly switch to giving out a *new* profile
URL, one which *does* point back at the OP, and masquerade as you.
(RP's should be paying attention to the HTTP data, as well, if there
is any; not using it for authentication, sure, but if they look and
it doesn't report the same OP anymore, maybe the user has changed
their mind for some reason?)
>Yes, and it damn well should. Self signed certificates provide no
>form of authentication, just encryption. OpenID doesn't need the
>encryption, it needs the authentication.
Encryption is handled in-band by OAuth; got that. It's the mandatory
"identifiers over SSL", combined with browsers that warn users "don't
do this", that I'm commenting on here. It's not a stop sign, just a
warning thought - if we make it mandatory *in the spec* for users to
receive those warnings, we have to be careful that we're not relying
on being able to convince users to *ignore* those warnings (almost
certainly a bad idea, since anything we can try that *works* would
then be used by a less benevolent crowd).
>But until we have some other form of authn PKI to bootstrap from,
>you will eat X509 certs with a verifiable chain of authority to a
>known trust root and you will like it. Just like the rest of us.
I removed all my nssckbi.dll modules from all my Portable Firefox
instances over a month ago; Web of Trust helps too, as does checking
a site's cert through multiple Tor exit nodes located around the
world (MitM *that*), and none of this is even *new*:
https://blog.torproject.org/blog/life-without-ca
What's *old* is checking the certs (and their chains, to the "trusted
roots") *manually* ... I used to be *so* inefficient when it came
to this ;D
-Shade