(2010/01/28 16:21), Allen Tom wrote:
> Hi all -
> Before I get started -- I agree that in an ideal world, we'd have full
> end to end SSL, old browsers would be banned, and we'd POST data.
> However, requiring RPs to support SSL isn't going to help adoption and
> is a deal breaker for most applications that want to use OpenID today.
> Encouraging RPs to use SSL is a great idea -- but it should not be
> required.
> Although most browsers can support URLs > 2KB, some proxy servers
> choke on URLs > 2KB. This is not fun to debug.

I add one more thing here: many mobile browsers choke.

> In practice, enforcing the nonce only gives the illusion of additional
> security. If there's a MITM, instead of replaying (or pre-playing) the
> assertion, the attacker will just steal the browser cookies instead.
> Assertions should have a limited lifetime -- but this can be enforced
> by checking the timestamp and allowing for a narrow replay window.
> POST is technically the ideal solution, but results in a degraded UX.
> The proprietary market leaders have set the bar very high and we need
> to offer an open alternative that is just as good, if not better. We
> really aren't going to get anywhere with a clunky UX. POST adds
> additional latency, and can cause strange warnings and a blank
> interstitial (the self submitting form).
> I really would like to be able to return an assertion using AX with a
> lot of attributes, and Hybrid that can fit within the 2KB limit. This
> is needed just to reach parity with the proprietary stuff.

Artifact Binding :-) Our implementation is returning (for experimental
purposes) an assertion that is well over 5MB with AX.

=nat

> Allen
> _______________________________________________
> specs mailing list
> [email protected]
> http://lists.openid.net/mailman/listinfo/openid-specs
--
Nat Sakimura ([email protected])
Nomura Research Institute, Ltd.
Tel:+81-3-6274-1412 Fax:+81-3-6274-1547
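The two relying-party-side checks the thread argues about (a timestamp freshness window on the assertion, a nonce replay cache on top of it, and the ~2KB indirect-response limit) are sketched below as an added example; this is editor-written code, not code from either poster or from any OpenID library. The nonce layout follows the OpenID 2.0 `response_nonce` format (an ISO 8601 UTC timestamp followed by unique ASCII characters); the class and function names, the 5-minute window and the 2048-byte limit are assumptions chosen for illustration, and the sample nonces and parameters are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# OpenID 2.0 response_nonce: "YYYY-MM-DDThh:mm:ssZ" followed by unique ASCII chars.
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)(.+)$")

# Assumed concrete value for the "~2KB" limit discussed in the thread.
MAX_REDIRECT_URL_LENGTH = 2048


class AssertionChecker:
    """Freshness + replay check an RP runs on each indirect assertion it receives.

    The timestamp window bounds the assertion's lifetime (Allen's point); the
    nonce cache only needs to remember nonces for that same window, so it stays
    small and the two checks reinforce each other.
    """

    def __init__(self, window=timedelta(minutes=5)):  # assumed window size
        self.window = window
        self.seen = {}  # nonce -> time after which it can be forgotten

    def _purge(self, now):
        # Entries whose expiry has passed would fail the timestamp check anyway.
        for nonce, expiry in list(self.seen.items()):
            if expiry < now:
                del self.seen[nonce]

    def check(self, nonce, now):
        """Return "ok", "malformed", "stale" or "replay" for a response_nonce."""
        m = NONCE_RE.match(nonce)
        if not m:
            return "malformed"
        issued = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        issued = issued.replace(tzinfo=timezone.utc)
        # Reject assertions outside the window in either direction (clock skew
        # is tolerated up to the window, a pre-played future nonce is not).
        if issued > now + self.window or issued < now - self.window:
            return "stale"
        self._purge(now)
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = issued + self.window
        return "ok"


def fits_in_redirect(return_to, params, limit=MAX_REDIRECT_URL_LENGTH):
    """True if a GET-mode (indirect) response to return_to stays under the limit.

    Useful for deciding at the OP whether a large AX/Hybrid response can be sent
    as a redirect or needs POST or an artifact-style binding instead.
    """
    url = return_to + "?" + urlencode(params)
    return len(url) <= limit


if __name__ == "__main__":
    # Constructed sample: the OP's clock says 16:21:00, the RP checks 30s later.
    checker = AssertionChecker()
    now = datetime(2010, 1, 28, 16, 21, 30, tzinfo=timezone.utc)
    nonce = "2010-01-28T16:21:00Zabc123"
    print(checker.check(nonce, now))                    # ok
    print(checker.check(nonce, now))                    # replay
    print(checker.check("2010-01-28T16:10:00Zxyz", now))  # stale

    small = {"openid.mode": "id_res", "openid.ax.value.email": "[email protected]"}
    big = {"openid.mode": "id_res", "openid.ax.value.bio": "x" * 3000}
    print(fits_in_redirect("https://rp.example/return", small))  # True
    print(fits_in_redirect("https://rp.example/return", big))    # False
```

Note that the replay cache is per-process here; an RP with several front-ends would need a shared store, but the expiry bound means it never has to grow beyond one window's worth of nonces.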