Proposal (was: Re: [security] browser integration?)
Dick Hardt
dick at sxip.com
Mon Apr 9 02:59:39 UTC 2007

Here is a simple way for Firefox to support OpenID and resolve OP
phishing:

Enhance the OpenID spec to include the RP supporting an <object>
element in the page vis-a-vis InfoCards. The <object> element would
contain the RP request. When seeing an OpenID <object>, Firefox would
POST the request to a pre-configured OP.

Here is a step-by-step walkthrough:

1) User browses to RP
2) RP sends page to browser with <object> element (magic happens in
   how RP knows to send tag :-)
3) browser looks at <object> element, determines it is an OpenID
   request, and POSTs request to OP configured by user
4) OP processes request as normal sending redirected response back to RP
5) RP verifies request (some more magic on how RP sets up association
   to verify OP sent message)

Advantages:

+ as the RP is not responsible for redirecting the browser to the OP
  and Firefox is sending the user to the OP directly, the OP cannot be
  phished.
+ the RP has no knowledge of the OP until it
+ easy for existing OPs to support (well, there are some other
  details to work out :-)
+ paves the way for OpenID RPs to support InfoCard selectors to
  submit OpenID
+ pretty simple to add to browser, easy for other browsers to
  support, no UX changes and given the common design pattern that IE7
  supports for CardSpace today, easier for IE to support

Disadvantages:

- changes to OpenID spec, RPs, OPs

On 5-Apr-07, at 6:55 PM, Chris Messina wrote:

> On 4/5/07, Scott Kveton <scott at janrain.com> wrote:
>
>> Is anybody out there interested in working on this? I'd love to get a
>> dialog going on the wiki about possible features, screen shots, etc
>> and then start development on something like this. I think if we can
>> get something working Mozilla is more likely to want to integrate
>> _that_ than to have to figure out how to do it themselves.
>
> I would *love* to work on this.
>
> Let's do it here:
> http://www.socialtext.net/web2open/index.cgi?the_mashroom
>
> ...or at some other upcoming event...!
>
> ;)
>
> Chris
>
> --
> Chris Messina
> Citizen Provocateur &
> Open Source Ambassador-at-Large
> Work: http://citizenagency.com
> Blog: http://factoryjoe.com/blog
> Cell: 412 225-1051
> Skype: factoryjoe
> This email is: [ ] bloggable [X] ask first [ ] private

More information about the user-experience mailing list