Re: [dix] Re: Gathering requirements for in-browser OpenID support

Mike Glover wrote:
> Pete-
>
> Why do you have to trust the RP at all? All the RP ever sees is an assertion that you control the identity URL that you provided.

That is what the RP sees if they play along with the scheme.

> Do you see a vulnerability that I'm missing?

It is vulnerable to a man-in-the-middle attack - the RP, instead of redirecting to the IdP, redirects to itself or some other site in cahoots, then proxies the conversation between the user and the IdP, thereby compromising the user's (global) credentials as they pass through.

There really needs to be user-agent support to avoid that - either something CardSpace-like, or a browser plugin that only ever presents a pre-authenticated user.

> -mike
>
> On Wed, 18 Oct 2006 10:49:54 -0700
> Pete Rowley <prowley at redhat.com> wrote:
>> I also think it _is_ a requirement that the
>> browser vendors support this - right now you have to trust that the RP is a white hat.

--
Pete
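A small model of the point made in this message, added here as an example and not code from the dix list or from any OpenID implementation: an honest RP forwards the browser to the IdP, a proxying RP forwards it to a host it controls, and a user agent that does its own discovery of the IdP endpoint (rather than trusting the RP's redirect target) refuses to hand over credentials in the second case. The identity URL, endpoints and the discovery table are constructed assumptions.

```python
"""Model of the RP-as-proxy risk and the user-agent check that closes it.
Added example with simplified, constructed names; not real OpenID code."""
from urllib.parse import urlsplit

# Constructed discovery table: identity URL -> IdP endpoint the user agent
# found on its own (in OpenID this would come from discovery on the
# identity URL, never from whatever URL the RP redirects to).
DISCOVERED_IDP = {
    "https://alice.example.net/": "https://idp.example.net/auth",
}


def origin(url):
    """(scheme, host, port) of a URL, the unit the user agent compares."""
    p = urlsplit(url)
    default_port = 443 if p.scheme == "https" else 80
    return (p.scheme, p.hostname, p.port or default_port)


def user_agent_accepts_redirect(identity_url, redirect_url):
    """Return True only if the RP's redirect target has the same origin as
    the IdP endpoint the user agent discovered itself for this identity.
    Anything else (including an RP proxying the IdP) is refused, so the
    user's global credentials never reach a third party."""
    expected = DISCOVERED_IDP.get(identity_url)
    if expected is None:
        return False
    return origin(redirect_url) == origin(expected)


def relying_party_redirect(honest, identity_url, return_to):
    """Where an RP sends the browser. The honest RP forwards to the real
    IdP; the proxying RP from the thread sends the browser to a host it
    controls (constructed name) and relays the conversation onward."""
    if honest:
        target = DISCOVERED_IDP[identity_url]
    else:
        target = "https://rp.example.com/relay-to-idp"
    return f"{target}?openid.identity={identity_url}&openid.return_to={return_to}"


def run_flow(honest):
    """Simulate one login attempt; True means the user agent proceeds."""
    identity = "https://alice.example.net/"
    redirect = relying_party_redirect(honest, identity, "https://rp.example.com/done")
    return user_agent_accepts_redirect(identity, redirect)


if __name__ == "__main__":
    print("honest RP accepted:", run_flow(True))
    print("proxying RP accepted:", run_flow(False))
```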

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
dix mailing list
dix at ietf.org
https://www1.ietf.org/mailman/listinfo/dix

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.