Proposal (was: Re: [security] browser integration?)

Dick Hardt dick at sxip.com
Mon Apr 9 02:59:39 UTC 2007


Here is a simple way for Firefox to support OpenID and resolve OP  
phishing:

Enhance the OpenID spec to include the RP supporting a <object>  
element in the page vis-a-vis InfoCards. The <object> element would  
contain the RP request. When seeing an OpenID <object>, Firefox would  
POST the request to a pre-configured OP.

Here is a step-by-step walkthrough:

1) User browses to RP
2) RP sends page to browser with <object> element (magic happens in  
how RP knows to send tag :-)
3) browser looks at <object> element, determines it is an OpenID  
request, and POSTs request to OP configured by user
4) OP processes request as normal sending redirected response back to RP
5) RP verifies request (some more magic on how RP sets up association  
to verify OP sent message)

Advantages:

+ as the RP is not responsible for redirecting the browser to the OP  
and Firefox is sending the user to the OP directly, the OP cannot be  
phished.

+ the RP has no knowledge of the OP until it

+ easy for existing OPs to support (well, there are some other  
details to work out :-)

+ paves the way for OpenID RPs to support InfoCard selectors to  
submit OpenID

+ pretty simple to add to browser, easy for other browsers to  
support, no UX changes and given the common design pattern that IE7  
supports for CardSpace today, easier for IE to support

Disadvantages:

- changes to OpenID spec, RPs, OPs


On 5-Apr-07, at 6:55 PM, Chris Messina wrote:

> On 4/5/07, Scott Kveton <scott at janrain.com> wrote:
>
>> Is anybody out there interested in working on this?  I'd love to get a
>> dialog going on the wiki about possible features, screen shots, etc and
>> then start development on something like this.  I think if we can get
>> something working Mozilla is more likely to want to integrate _that_
>> than to have to figure out how to do it themselves.
>
> I would *love* to work on this.
>
> Let's do it here: http://www.socialtext.net/web2open/index.cgi?the_mashroom
>
> ...or at some other upcoming event...!
>
> ;)
>
> Chris
>
> -- 
> Chris Messina
> Citizen Provocateur &
>   Open Source Ambassador-at-Large
> Work: http://citizenagency.com
> Blog: http://factoryjoe.com/blog
> Cell: 412 225-1051
> Skype: factoryjoe
> This email is:   [ ] bloggable    [X] ask first   [ ] private
> _______________________________________________
> security mailing list
> security at openid.net
> http://openid.net/mailman/listinfo/security
>
>
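The browser-side half of step 3 above, as an added example that is not part of the original post or of any OpenID or Firefox code: the `application/x-openid-request` object type and its `<param>` layout are assumptions, the `openid.*` names are the standard OpenID 2.0 ones, and the OP endpoint comes only from the user's browser setting, which is the property that stops a page from steering the login to an OP of its own choosing.

```javascript
// Added example, not from the original post. The <object> type and its
// <param> layout are assumptions; openid.* names are standard OpenID 2.0.
const USER_CONFIGURED_OP = "https://op.example.net/auth"; // browser preference, never read from the page

// Constructed RP page fragment. The page-supplied openid.op_endpoint is
// deliberately present to show that the browser ignores it.
const RP_PAGE = `
<object type="application/x-openid-request" id="openid-login">
  <param name="openid.return_to" value="https://rp.example.com/openid/return">
  <param name="openid.realm" value="https://rp.example.com/">
  <param name="openid.op_endpoint" value="https://not-the-users-op.example/login">
</object>`;

// Step 3a: find the OpenID <object> and collect its <param>s into a map.
function parseOpenIdObject(html) {
  const obj = /<object\b[^>]*type="application\/x-openid-request"[^>]*>([\s\S]*?)<\/object>/i.exec(html);
  if (!obj) return null;
  const params = {};
  const re = /<param\s+name="([^"]+)"\s+value="([^"]*)"/gi;
  let m;
  while ((m = re.exec(obj[1])) !== null) params[m[1]] = m[2];
  return params;
}

// Step 3b: build the checkid_setup POST for the user's OP.
// pageOrigin is the origin the browser actually loaded the RP page from.
function buildOpPost(params, pageOrigin, opEndpoint) {
  const returnTo = new URL(params["openid.return_to"]);
  // The assertion must go back to the site that served the page, so a
  // page cannot have the OP deliver the user's assertion somewhere else.
  if (returnTo.origin !== pageOrigin) {
    throw new Error("openid.return_to must point back at the RP that served the page");
  }
  const realm = params["openid.realm"] || returnTo.origin + "/";
  // Simplified realm check (prefix only; OpenID 2.0 also allows *. wildcards).
  if (!returnTo.href.startsWith(realm)) throw new Error("openid.return_to outside openid.realm");
  const body = new URLSearchParams({
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "checkid_setup",
    "openid.return_to": returnTo.href,
    "openid.realm": realm,
    "openid.claimed_id": "http://specs.openid.net/auth/2.0/identifier_select",
    "openid.identity": "http://specs.openid.net/auth/2.0/identifier_select",
  });
  // Only opEndpoint (the user's setting) decides where this request is sent.
  return { url: opEndpoint, method: "POST", body: body.toString() };
}
```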