Hi, New here. Has the shape of Firefox's OpenID support been decided yet? If not, here's an anti-phishing suggestion that should be easy to mock up with bookmarklets.
The idea is to move away from redirection and towards proactive, out-of-band login. Users would log in to their OpenID providers *before* signing in to RPs -- ideally with a single click in the browser's chrome on a page with an OpenID prompt. The browser would contact the user's OP and submit a checkid_setup request on behalf of the current page (opening a new window if necessary), autofill the OpenID URL on the RP's page, then leave it up to the user to submit the form. Once that happens, the RP would authenticate exactly as it does now -- but it should never need to redirect the user to a login screen, since the OP already knows to approve its request. It's kind of like making an extra trip to myopenid.com and clicking "allow forever."

OPs could implement this right now, and use bookmarklets to make it user-friendly. They'd need to add an extra parameter to checkid_setup, which would tell the OpenID server that "approve once" should actually mean "approve on the next attempt," and that it shouldn't redirect the user.

None of this requires any change to the RP; it's all between the OP and the OP's bookmarklet -- in fact, it's only worth standardizing if browsers really are going to get in the game. There would be some hacky implementation details (like identifying the "next attempt," since you don't have access to trust_root), but it should be possible to build something that works pretty well right now.

- John Fraser

_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
