OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)
On 19 Jan 2007, at 14:19, Ben Laurie wrote:

> Still totally unhappy about the phishing issues, which I blogged
> about here:
>
> http://www.links.org/?p=187

I have a proposal which I think could greatly reduce the risk of phishing: identity providers should /never/ display their login form (or a link to the form) on a page that has been redirected to by an OpenID consumer. Instead, they should instruct the user to navigate to the login page themselves. The login page should have a short, memorable URL and users should be encouraged to bookmark it themselves when they sign up for the provider.

The OpenID "landing page" then becomes an opportunity to help protect users against phishing rather than just being a vector for the attack.

I've fleshed this out on my blog: http://simonwillison.net/2007/Jan/19/phishing/

Does that sound workable?

Cheers,

Simon

___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
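The landing-page rule Simon describes, as an added example that is not code from the original post or from any OpenID library: a minimal Python model of an OP whose redirect endpoint never emits a login form or link, parks the request, and completes it only after the user signs in through the bookmarked URL. LOGIN_URL, the USERS store and the page text are constructed for the model.

```python
"""Model of the landing-page rule proposed above: a page the OP serves after
an RP redirect never carries a login form or a link to one; the user reaches
the login page only via their own bookmark. Added example, not code from any
OpenID implementation; the URLs, user store and page text are constructed."""
import hmac
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode, urlparse

LOGIN_URL = "https://op.example/login"      # assumed short, bookmarkable URL
USERS = {"alice": "correct horse battery"}  # constructed credential store


@dataclass
class Session:
    user: Optional[str] = None      # set only by the bookmark-reached login page
    pending: Optional[dict] = None  # OpenID request parked until the user logs in


@dataclass
class Response:
    status: int
    body: str = ""
    location: Optional[str] = None


def is_phish_safe(body: str) -> bool:
    """The landing page must contain neither a form nor any link, bookmark URL included."""
    lowered = body.lower()
    return "<form" not in lowered and "<a " not in lowered and LOGIN_URL not in lowered


def openid_landing(params: dict, session: Session) -> Response:
    """Endpoint the RP redirects the browser to (openid.mode=checkid_setup)."""
    if params.get("openid.mode") != "checkid_setup":
        return Response(400, body="unsupported openid.mode")
    rp_host = urlparse(params.get("openid.return_to", "")).netloc or "a site"
    if session.user is None:
        session.pending = dict(params)  # resume once the user has logged in
        # Plain text only: users learn that a redirected page never asks for a password.
        return Response(200, body=(
            f"{rp_host} is asking you to sign in with your OpenID. Open your "
            "bookmarked login page, sign in there, and you will be sent back "
            f"to {rp_host}. This page deliberately has no login form."))
    return positive_assertion(params, session)


def positive_assertion(params: dict, session: Session) -> Response:
    # Unsigned and without return_to/realm checks: the model shows the
    # anti-phishing rule, not the full OpenID 2.0 response format.
    query = urlencode({"openid.mode": "id_res", "openid.identity": session.user})
    return Response(302, location=f"{params['openid.return_to']}?{query}")


def login(session: Session, username: str, password: str) -> Response:
    """Only reachable by the user typing or bookmarking LOGIN_URL themselves."""
    expected = USERS.get(username, "")
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return Response(401, body="bad credentials")
    session.user = username
    if session.pending is not None:
        parked, session.pending = session.pending, None
        return positive_assertion(parked, session)  # finish the parked request
    return Response(200, body="signed in")
```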
Re: [security] [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
2007/1/22, Ben Laurie <[EMAIL PROTECTED]>:

> Actually, it appears to allow the RP to tell the OP what kind of
> authentication was used, which is backwards.
>
> It also seems to be rather lacking in meat. Still, a step in the right
> direction.

I asked this question some time ago: is there any possibility for the RP to ask the OP to use some authentication method? Or another scenario: how can a user select one of the OPs for this particular authentication from his Yadis file?

regards,
Marcin
Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> On 1/22/07, Josh Hoyt <[EMAIL PROTECTED]> wrote:
> > On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> > > > On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> > > > > OK, the idea is pretty simple. Rather like the "OpenID Authentication
> > > > > Security Profiles" you have a profile where the RP states what kind of
> > > > > End User/OP authentication is acceptable to it. Sites with low/zero
> > > > > value attached to the login can accept any kind of EU/OP auth, whereas
> > > > > high value sites can require "unphishable" auth.
> > > >
> > > > I like the sound of this proposal, but I don't see how the RP could
> > > > know whether the OP is actually using "unphishable" authentication
> > > > when that kind of authentication is requested. Is it necessary for the
> > > > RP to be able to tell for sure, and if so, how could it tell?
> > >
> > > No, I don't think it is necessary. If users want to trust their
> > > identity to OPs that lie, that's their decision.
> >
> > In that case, I think this could just be part of the "Assertion
> > Quality Extension." [1] I haven't been involved in that specification
> > at all, but my understanding is that it provides a way of expressing
> > what kind of authentication the RP would like to have when a request
> > is made to the OP.
>
> Actually, it appears to allow the RP to tell the OP what kind of
> authentication was used, which is backwards.

Sorry, I mean the OP to tell the RP!

> It also seems to be rather lacking in meat. Still, a step in the right
> direction.
>
> > Josh
> >
> > 1. http://openid.net/specs/openid-assertion-quality-extension-1_0-01.html
Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
On 1/22/07, Josh Hoyt <[EMAIL PROTECTED]> wrote:
> On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> > > On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> > > > OK, the idea is pretty simple. Rather like the "OpenID Authentication
> > > > Security Profiles" you have a profile where the RP states what kind of
> > > > End User/OP authentication is acceptable to it. Sites with low/zero
> > > > value attached to the login can accept any kind of EU/OP auth, whereas
> > > > high value sites can require "unphishable" auth.
> > >
> > > I like the sound of this proposal, but I don't see how the RP could
> > > know whether the OP is actually using "unphishable" authentication
> > > when that kind of authentication is requested. Is it necessary for the
> > > RP to be able to tell for sure, and if so, how could it tell?
> >
> > No, I don't think it is necessary. If users want to trust their
> > identity to OPs that lie, that's their decision.
>
> In that case, I think this could just be part of the "Assertion
> Quality Extension." [1] I haven't been involved in that specification
> at all, but my understanding is that it provides a way of expressing
> what kind of authentication the RP would like to have when a request
> is made to the OP.

Actually, it appears to allow the RP to tell the OP what kind of authentication was used, which is backwards.

It also seems to be rather lacking in meat. Still, a step in the right direction.

> Josh
>
> 1. http://openid.net/specs/openid-assertion-quality-extension-1_0-01.html
Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> > On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> > > OK, the idea is pretty simple. Rather like the "OpenID Authentication
> > > Security Profiles" you have a profile where the RP states what kind of
> > > End User/OP authentication is acceptable to it. Sites with low/zero
> > > value attached to the login can accept any kind of EU/OP auth, whereas
> > > high value sites can require "unphishable" auth.
> >
> > I like the sound of this proposal, but I don't see how the RP could
> > know whether the OP is actually using "unphishable" authentication
> > when that kind of authentication is requested. Is it necessary for the
> > RP to be able to tell for sure, and if so, how could it tell?
>
> No, I don't think it is necessary. If users want to trust their
> identity to OPs that lie, that's their decision.

In that case, I think this could just be part of the "Assertion Quality Extension." [1] I haven't been involved in that specification at all, but my understanding is that it provides a way of expressing what kind of authentication the RP would like to have when a request is made to the OP.

Josh

1. http://openid.net/specs/openid-assertion-quality-extension-1_0-01.html
Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
On 1/22/07, Josh Hoyt <[EMAIL PROTECTED]> wrote:
> Ben,
>
> On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> > OK, the idea is pretty simple. Rather like the "OpenID Authentication
> > Security Profiles" you have a profile where the RP states what kind of
> > End User/OP authentication is acceptable to it. Sites with low/zero
> > value attached to the login can accept any kind of EU/OP auth, whereas
> > high value sites can require "unphishable" auth.
>
> I like the sound of this proposal, but I don't see how the RP could
> know whether the OP is actually using "unphishable" authentication
> when that kind of authentication is requested. Is it necessary for the
> RP to be able to tell for sure, and if so, how could it tell?

No, I don't think it is necessary. If users want to trust their identity to OPs that lie, that's their decision.
Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
Ben,

On 1/22/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> OK, the idea is pretty simple. Rather like the "OpenID Authentication
> Security Profiles" you have a profile where the RP states what kind of
> End User/OP authentication is acceptable to it. Sites with low/zero
> value attached to the login can accept any kind of EU/OP auth, whereas
> high value sites can require "unphishable" auth.

I like the sound of this proposal, but I don't see how the RP could know whether the OP is actually using "unphishable" authentication when that kind of authentication is requested. Is it necessary for the RP to be able to tell for sure, and if so, how could it tell?

Josh
Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
On 1/21/07, Ben Laurie <[EMAIL PROTECTED]> wrote:
> On 1/19/07, Dick Hardt <[EMAIL PROTECTED]> wrote:
> >
> > On 19-Jan-07, at 6:19 AM, Ben Laurie wrote:
> > >
> > > Still totally unhappy about the phishing issues, which I blogged
> > > about here:
> > >
> > > http://www.links.org/?p=187
> >
> > There are numerous ways of solving this. Several standard methods can
> > solve it. It is a relationship between the user and the OP and the RP
> > is not party, so I don't think it belongs in the OpenID
> > Authentication specification.
> >
> > That does not mean it is not important, just that *this* spec is not
> > the right place.
>
> I think that's entirely wrong. The RP doesn't care at all about the OP
> - all the RP cares about is the end user.
>
> More importantly, I think I have a solution that will make both of us
> happy, but I now have to go and ride my motorbike fast, so I'll detail
> it later.

OK, the idea is pretty simple. Rather like the "OpenID Authentication Security Profiles" you have a profile where the RP states what kind of End User/OP authentication is acceptable to it. Sites with low/zero value attached to the login can accept any kind of EU/OP auth, whereas high value sites can require "unphishable" auth.

Obviously some serious work is needed to flesh out this proposal, but it seems to me it allows OpenID to stay lightweight (and phishable) where appropriate, but also to serve a useful purpose for high-value applications.
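Ben's RP-side profile, together with the later point in the thread that the OP reports the kind of authentication used and the RP cannot verify that claim, as an added illustration that is not from the original posts nor from any OpenID extension draft: the RP declares the end-user/OP authentication kinds it accepts according to the value of the login and gates positive assertions on what the OP reports back. The openid.ns.authkind / openid.authkind.* parameters and their namespace are hypothetical placeholders, not the Assertion Quality Extension's.

```python
"""RP-side model of the profile idea above: the RP states which kinds of
end-user/OP authentication it accepts, by how much the login is worth, and
rejects a positive assertion whose reported auth kind is not acceptable.
Added example, not from any OpenID library or extension draft: the
openid.ns.authkind / openid.authkind.* parameters are hypothetical (not the
Assertion Quality Extension's), and the RP takes the OP's claim on trust."""
from urllib.parse import parse_qsl, urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
AUTHKIND_NS = "http://example.test/ns/authkind"  # placeholder extension namespace

# Auth kinds the model knows about, weakest to strongest (labels constructed).
AUTH_KINDS = ("password", "otp", "unphishable")

# Profiles: what each class of RP will accept. Low/zero-value logins take
# anything; high-value logins require "unphishable" authentication.
PROFILES = {
    "low": set(AUTH_KINDS),
    "high": {"unphishable"},
}


def build_checkid_setup(claimed_id: str, return_to: str, profile: str) -> str:
    """Query string the RP redirects the user to the OP with, carrying the profile."""
    return urlencode({
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.ns.authkind": AUTHKIND_NS,
        "openid.authkind.acceptable": ",".join(sorted(PROFILES[profile])),
    })


def op_response(used, return_to="https://rp.example/finish") -> str:
    """Constructed positive assertion as the OP would send it back;
    used=None models an OP that ignores the extension entirely."""
    fields = {"openid.ns": OPENID_NS, "openid.mode": "id_res",
              "openid.identity": "https://alice.example/", "openid.return_to": return_to}
    if used is not None:
        fields["openid.ns.authkind"] = AUTHKIND_NS
        fields["openid.authkind.used"] = used
    return urlencode(fields)


def evaluate_response(query: str, profile: str):
    """Policy gate applied after signature verification (assumed done elsewhere).
    Returns (accepted, reason)."""
    params = dict(parse_qsl(query))
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if params.get("openid.ns.authkind") != AUTHKIND_NS:
        # The OP said nothing; only a profile that accepts anything can let that pass.
        return profile == "low", "OP did not report an authentication kind"
    used = params.get("openid.authkind.used", "")
    if used not in AUTH_KINDS:
        return False, f"unknown authentication kind {used!r}"
    if used not in PROFILES[profile]:
        return False, f"{used} is not acceptable for a {profile}-value login"
    # As the thread notes, the RP cannot verify this claim; it is trust in the OP.
    return True, f"{used} accepted on the OP's say-so"
```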
Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
On 1/19/07, Dick Hardt <[EMAIL PROTECTED]> wrote:
>
> On 19-Jan-07, at 6:19 AM, Ben Laurie wrote:
> >
> > Still totally unhappy about the phishing issues, which I blogged
> > about here:
> >
> > http://www.links.org/?p=187
>
> There are numerous ways of solving this. Several standard methods can
> solve it. It is a relationship between the user and the OP and the RP
> is not party, so I don't think it belongs in the OpenID
> Authentication specification.
>
> That does not mean it is not important, just that *this* spec is not
> the right place.

I think that's entirely wrong. The RP doesn't care at all about the OP - all the RP cares about is the end user.

More importantly, I think I have a solution that will make both of us happy, but I now have to go and ride my motorbike fast, so I'll detail it later.
Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
On 19-Jan-07, at 6:19 AM, Ben Laurie wrote:
>
> Still totally unhappy about the phishing issues, which I blogged
> about here:
>
> http://www.links.org/?p=187

There are numerous ways of solving this. Several standard methods can solve it. It is a relationship between the user and the OP and the RP is not a party, so I don't think it belongs in the OpenID Authentication specification.

That does not mean it is not important, just that *this* spec is not the right place.

-- Dick
Re: [OpenID] Announcing OpenID Authentication 2.0 - Implementor's Draft 11
On 1/19/07, Recordon, David <[EMAIL PROTECTED]> wrote:
> So with great pleasure I get to announce the culmination of about nine
> months of work between the OpenID, XRI, Sxip, and LID communities in the
> drafting of OpenID Authentication 2.0. This evening the editors have
> published the final draft of the spec, which we now feel is in a solid
> state for public implementations.
>
> There are already implementations in various languages
> (http://svn.apache.org/repos/asf/incubator/heraldry/libraries/,
> http://code.google.com/p/openid4java/,
> http://code.google.com/p/openid4perl/) supporting this spec and more
> will emerge over the next few weeks.
>
> There will be another draft of the spec before it is considered final,
> though unless unforeseen implementation problems emerge these changes
> will be further wordsmithing and cleanup.
>
> http://openid.net/specs/openid-authentication-2_0-11.html (dated today)
>
> Cool? Cool!

Still totally unhappy about the phishing issues, which I blogged about here:

http://www.links.org/?p=187

> --David
> ___
> general mailing list
> [EMAIL PROTECTED]
> http://openid.net/mailman/listinfo/general
RE: Announcing OpenID Authentication 2.0 - Implementor's Draft 11
I'm not sure what the right process is, though my hunch is that we'll know the time is right once there are multiple working OpenID Auth 2.0 RPs and OPs on the web from different vendors that people are at least testing with. Until code that implements the spec exists in the wild, I doubt we can really ultimately call it "final". That's just my take on it though...

--David

-----Original Message-----
From: Dick Hardt [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 18, 2007 11:38 PM
To: heraldry-dev@incubator.apache.org
Cc: openid-general; specs@openid.net
Subject: Re: Announcing OpenID Authentication 2.0 - Implementor's Draft 11

David

A couple questions:

1) Would you like to set a deadline for final comments? Perhaps a week?

2) What is the approval process now? Is it still as posted at: http://openid.net/specs.bml

"Currently, the collective authors of OpenID Authentication (David Recordon, Josh Hoyt, Dick Hardt, and Brad Fitzpatrick) oversee this process and make the final determination of when a proposal has matured."

-- Dick

On 18-Jan-07, at 7:35 PM, Recordon, David wrote:
> So with great pleasure I get to announce the culmination of about nine
> months of work between the OpenID, XRI, Sxip, and LID communities in
> the drafting of OpenID Authentication 2.0. This evening the editors
> have published the final draft of the spec, which we now feel is in a
> solid state for public implementations.
>
> There are already implementations in various languages
> (http://svn.apache.org/repos/asf/incubator/heraldry/libraries/,
> http://code.google.com/p/openid4java/,
> http://code.google.com/p/openid4perl/) supporting this spec and more
> will emerge over the next few weeks.
>
> There will be another draft of the spec before it is considered final,
> though unless unforeseen implementation problems emerge these changes
> will be further wordsmithing and cleanup.
>
> http://openid.net/specs/openid-authentication-2_0-11.html (dated today)
>
> Cool? Cool!
>
> --David
Re: Announcing OpenID Authentication 2.0 - Implementor's Draft 11
Hi Daniel

The OpenID4java code is up to date to DRAFT 11, and also has support for the OpenID Attribute Exchange draft.

(Sxip volunteered to build the OpenID Java libraries, and our preference was to use code.google.com for the repository)

-- Dick

On 18-Jan-07, at 11:52 PM, Daniel E. Renfer wrote:
> I'm a little confused. You list Heraldry as being OpenID Auth 2.0
> enabled, but looking at the SVN logs it seems like only the python
> library has been seeing activity. (And all of that in a flood of
> commits)
>
> Is there any word on when we will see the rest of the libraries
> brought up to spec? I'm looking for Java support in particular. Will
> there be many major changes upgrading from the current code to the
> Auth2.0 code?
>
> I want to code my site (still in private development) to be 2.0
> friendly from the get go, but I'm not sure if I should be using the
> openid4java code or wait for Heraldry to be updated.
>
> --
> Daniel E. Renfer
> http://kronkltd.net/
>
>
> On 1/18/07, Recordon, David <[EMAIL PROTECTED]> wrote:
>> So with great pleasure I get to announce the culmination of about nine
>> months of work between the OpenID, XRI, Sxip, and LID communities in the
>> drafting of OpenID Authentication 2.0. This evening the editors have
>> published the final draft of the spec, which we now feel is in a solid
>> state for public implementations.
>>
>> There are already implementations in various languages
>> (http://svn.apache.org/repos/asf/incubator/heraldry/libraries/,
>> http://code.google.com/p/openid4java/,
>> http://code.google.com/p/openid4perl/) supporting this spec and more
>> will emerge over the next few weeks.
>>
>> There will be another draft of the spec before it is considered final,
>> though unless unforeseen implementation problems emerge these changes
>> will be further wordsmithing and cleanup.
>>
>> http://openid.net/specs/openid-authentication-2_0-11.html (dated today)
>>
>> Cool? Cool!
>>
>> --David
Re: Announcing OpenID Authentication 2.0 - Implementor's Draft 11
I'm a little confused. You list Heraldry as being OpenID Auth 2.0 enabled, but looking at the SVN logs it seems like only the python library has been seeing activity. (And all of that in a flood of commits)

Is there any word on when we will see the rest of the libraries brought up to spec? I'm looking for Java support in particular. Will there be many major changes upgrading from the current code to the Auth2.0 code?

I want to code my site (still in private development) to be 2.0 friendly from the get go, but I'm not sure if I should be using the openid4java code or wait for Heraldry to be updated.

--
Daniel E. Renfer
http://kronkltd.net/

On 1/18/07, Recordon, David <[EMAIL PROTECTED]> wrote:
> So with great pleasure I get to announce the culmination of about nine
> months of work between the OpenID, XRI, Sxip, and LID communities in the
> drafting of OpenID Authentication 2.0. This evening the editors have
> published the final draft of the spec, which we now feel is in a solid
> state for public implementations.
>
> There are already implementations in various languages
> (http://svn.apache.org/repos/asf/incubator/heraldry/libraries/,
> http://code.google.com/p/openid4java/,
> http://code.google.com/p/openid4perl/) supporting this spec and more
> will emerge over the next few weeks.
>
> There will be another draft of the spec before it is considered final,
> though unless unforeseen implementation problems emerge these changes
> will be further wordsmithing and cleanup.
>
> http://openid.net/specs/openid-authentication-2_0-11.html (dated today)
>
> Cool? Cool!
>
> --David
Re: Announcing OpenID Authentication 2.0 - Implementor's Draft 11
David

A couple questions:

1) Would you like to set a deadline for final comments? Perhaps a week?

2) What is the approval process now? Is it still as posted at: http://openid.net/specs.bml

"Currently, the collective authors of OpenID Authentication (David Recordon, Josh Hoyt, Dick Hardt, and Brad Fitzpatrick) oversee this process and make the final determination of when a proposal has matured."

-- Dick

On 18-Jan-07, at 7:35 PM, Recordon, David wrote:
> So with great pleasure I get to announce the culmination of about nine
> months of work between the OpenID, XRI, Sxip, and LID communities in the
> drafting of OpenID Authentication 2.0. This evening the editors have
> published the final draft of the spec, which we now feel is in a solid
> state for public implementations.
>
> There are already implementations in various languages
> (http://svn.apache.org/repos/asf/incubator/heraldry/libraries/,
> http://code.google.com/p/openid4java/,
> http://code.google.com/p/openid4perl/) supporting this spec and more
> will emerge over the next few weeks.
>
> There will be another draft of the spec before it is considered final,
> though unless unforeseen implementation problems emerge these changes
> will be further wordsmithing and cleanup.
>
> http://openid.net/specs/openid-authentication-2_0-11.html (dated today)
>
> Cool? Cool!
>
> --David
Re: Announcing OpenID Authentication 2.0 - Implementor's Draft 11
Great job David, Johnny and Josh!

-- Dick

On 18-Jan-07, at 7:35 PM, Recordon, David wrote:
> So with great pleasure I get to announce the culmination of about nine
> months of work between the OpenID, XRI, Sxip, and LID communities in the
> drafting of OpenID Authentication 2.0. This evening the editors have
> published the final draft of the spec, which we now feel is in a solid
> state for public implementations.
>
> There are already implementations in various languages
> (http://svn.apache.org/repos/asf/incubator/heraldry/libraries/,
> http://code.google.com/p/openid4java/,
> http://code.google.com/p/openid4perl/) supporting this spec and more
> will emerge over the next few weeks.
>
> There will be another draft of the spec before it is considered final,
> though unless unforeseen implementation problems emerge these changes
> will be further wordsmithing and cleanup.
>
> http://openid.net/specs/openid-authentication-2_0-11.html (dated today)
>
> Cool? Cool!
>
> --David
Announcing OpenID Authentication 2.0 - Implementor's Draft 11
So with great pleasure I get to announce the culmination of about nine months of work between the OpenID, XRI, Sxip, and LID communities in the drafting of OpenID Authentication 2.0. This evening the editors have published the final draft of the spec, which we now feel is in a solid state for public implementations.

There are already implementations in various languages (http://svn.apache.org/repos/asf/incubator/heraldry/libraries/, http://code.google.com/p/openid4java/, http://code.google.com/p/openid4perl/) supporting this spec and more will emerge over the next few weeks.

There will be another draft of the spec before it is considered final, though unless unforeseen implementation problems emerge these changes will be further wordsmithing and cleanup.

http://openid.net/specs/openid-authentication-2_0-11.html (dated today)

Cool? Cool!

--David