What you would be trusting Google for is not letting anyone else
 (say, Google) pose as you. That's *their* end of the authentication
 stick;

This would only be true if Google is my OP.

In a joint Google/Yahoo venture, it would be (so would Yahoo).

Merely allowing Google to
advertise to the world who my OP is does not give them an opportunity to
pose as me.

But that's exactly what delegation *is*; https://you.google.com/ returns an HTML page from the server containing OpenID headers that either specify the OP directly, or point to an XRD (perhaps hosted elsewhere) that specifies your OP - but it's still the OP for *that page* (the URI https://you.google.com/), and evil.hacker.com can advertise anything they want about you, but it doesn't (and shouldn't (and mustn't)) matter a whit :)

I think there was a bit more than delegation under discussion in the thread, though; and, despite not understanding exactly what the differences are, I'm hoping to figure out something else it might be useful for. (Or perhaps my inquiries will merely lead me to understanding what the rest of you *were* discussing, and I'll be following along a bit slowly.)

Perhaps what you're driving at is that you do not want one "point of
failure" (a single human) in one organization to be the cause for a security
breach and what you want is to have authentication go through a multi-OP
authentication procedure in order to validate a user?  If so, I can think of
a way to do that without changing OpenID,

I don't think anyone has suggested changing OpenID (apart from the very public efforts to create new working groups, etcetera), and certainly there *have* been proposals for leveraging OpenID as it currently exists for a multi-OP authentication procedure; see
http://wiki.openid.net/f/openid-provider-multiauth-extension-1_0-2.html

though there would still be the
single, final answer coming from some single entity.  Do you want multiple
replies to go back to the RP from multiple OPs, like having 2 locks on the
front door of your home?  This would force the user to essentially log in
two times in order to get authenticated.

This can be easier with non-password checks (such as smart cards). An attacker mugs you in the street for your wallet, but doesn't get the smart card that you only pick up from security when you come in for work (and drop off when you leave). Of more use in the shorter term, users can be dispatched to multiple OP's at once (there are posts in the general archives about how to handle this from a UI perspective), so they aren't waiting for one check to complete before starting the next; an example login might send a user to 5 different OP's on record for them, then accept the first 3 to return successfully.

 since they are the party being delegated from as well, you
 also trust them to be up (available to RP's) when you want to login
 somewhere.

I would need Google to be up to advertise the location of my OP.  If they
were down, though, I could still manually enter my URL-based OpenID ID.  You
might be making a different point here and perhaps I'm missing it.

If you manually entered "https://you.google.com/" and Google was down, RP's would not be able to discover which OP was authoritative for it, nor confirm that you had not changed your headers/XRD to use a *new* OP (since the RP's last caching). (RP's could send you to the cached OP while simultaneously checking with your URI hosting provider - the party that advertises your OP - to find out whether it could still trust the reply, instead of delaying either.)

 It's the OpenID identifier this site would *provide* that I'm
 thinking about,

Why would a blog *provide* an OpenID identifier?

For this you have to delve back into OpenID's history, to before the concept of "E-mails are the One True Universal Identifier that everyone already understands!" took over (Facebook still kind of clings to that idea, I guess, since they recently went for the whole "vanity URL" practice), when geeks thought that everyone would readily take to using their personal website (brad.livejournal.com, or whatever) as their Identity on the web; where people go to find out more about you, your online "presence".

So, if my understanding above is right, I think I understand where you're
going. If not, then I guess I'm still lost :)

The blind leading the . . . well, I'm lost too, anyway. I don't quite understand what was being proposed in the thread, but it sounded like it might have potential, so I'm trying to figure out where it might go that seemed interesting.

-Shade
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
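The delegation and caching points argued above (a page at the claimed URL advertises the OP; a page on some other host can say anything about you but only binds to its own URL; a cached OP endpoint has to be re-checked after it expires) can be shown with a small OpenID 2.0 HTML-discovery routine. This is an added illustration, not code from the thread or from any OpenID library; the `<link rel="openid2.provider">` and `<link rel="openid2.local_id">` tags are the ones the OpenID 2.0 specification defines, while the hostnames (`op.example-idp.test`, `evil.hacker.test`), the HTML pages and the assertion dictionaries are constructed for the example.

```python
"""Added example: OpenID 2.0 HTML-based discovery with delegation, plus the
two checks an RP relies on. Hostnames, pages and assertions are constructed."""
from html.parser import HTMLParser


class _LinkCollector(HTMLParser):
    """Collect <link rel="..." href="..."> tags; first occurrence of a rel wins."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for token in rel.split():          # rel may hold several tokens
                self.links.setdefault(token.lower(), href)


def discover(claimed_id: str, html: str) -> dict:
    """Discovery on the page served at claimed_id.

    The advertised provider and local_id may live on any host (that is what
    delegation is), but the result is only meaningful for *this* claimed_id:
    whoever serves the page speaks for that URL and nothing else.
    """
    p = _LinkCollector()
    p.feed(html)
    provider = p.links.get("openid2.provider") or p.links.get("openid.server")
    if provider is None:
        raise ValueError("no OpenID provider advertised for %s" % claimed_id)
    local_id = (p.links.get("openid2.local_id")
                or p.links.get("openid.delegate")
                or claimed_id)                  # no delegation: identifier is itself
    return {"claimed_id": claimed_id, "op_endpoint": provider, "local_id": local_id}


def assertion_matches(discovered: dict, assertion: dict) -> bool:
    """Accept a positive assertion only if it names the endpoint and identifiers
    that discovery on the claimed_id produced (OpenID 2.0 'verifying discovered
    information'). An OP found via some other host's page cannot pass this."""
    return (assertion.get("op_endpoint") == discovered["op_endpoint"]
            and assertion.get("claimed_id") == discovered["claimed_id"]
            and assertion.get("identity") == discovered["local_id"])


def cache_still_valid(cached: dict, fresh: dict) -> bool:
    """After the RP's cache expires it re-discovers; if the user has moved to a
    new OP since, the cached endpoint must not be trusted any longer."""
    return (cached["op_endpoint"] == fresh["op_endpoint"]
            and cached["local_id"] == fresh["local_id"])


# Constructed page as if served at https://you.google.com/ (delegating OP elsewhere).
YOU_GOOGLE_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example-idp.test/auth">
<link rel="openid2.local_id" href="https://op.example-idp.test/users/you">
</head><body>you</body></html>"""

# Constructed page served by an unrelated host that "advertises" things about you.
EVIL_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.evil.hacker.test/auth">
<link rel="openid2.local_id" href="https://you.google.com/">
</head></html>"""

# Constructed page with a provider but no delegation link.
PLAIN_PAGE = '<html><head><link rel="openid2.provider" href="https://op.plain.test/"></head></html>'


def demo() -> dict:
    """Run the three checks and return their outcomes."""
    real = discover("https://you.google.com/", YOU_GOOGLE_PAGE)
    # A genuine assertion from the OP that https://you.google.com/ advertised.
    genuine = {"op_endpoint": "https://op.example-idp.test/auth",
               "claimed_id": "https://you.google.com/",
               "identity": "https://op.example-idp.test/users/you"}
    # An assertion from the OP that evil.hacker.test's page advertised, claiming
    # to be https://you.google.com/. Discovery on the claimed_id never saw it.
    forged = {"op_endpoint": "https://op.evil.hacker.test/auth",
              "claimed_id": "https://you.google.com/",
              "identity": "https://you.google.com/"}
    moved = discover("https://you.google.com/", PLAIN_PAGE)  # user switched OPs
    return {"genuine_ok": assertion_matches(real, genuine),
            "forged_ok": assertion_matches(real, forged),
            "cache_ok_after_move": cache_still_valid(real, moved)}


if __name__ == "__main__":
    print(demo())
```

The `EVIL_PAGE` content is only ever consulted if an RP does discovery on a URL that host actually serves; discovery on `https://you.google.com/` reads the page Google serves, so the foreign page has no effect on that identifier, which is the "doesn't matter a whit" point above. The cache check is the second point: when Google is unreachable an RP can still talk to the cached OP, but it cannot confirm the delegation is unchanged until it can re-read the page.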
