Here is a simple way for Firefox to support OpenID and resolve OP phishing:
Enhance the OpenID spec to include the RP supporting an <object> element in the page vis-a-vis InfoCards. The <object> element would contain the RP request. When seeing an OpenID <object>, Firefox would POST the request to a pre-configured OP.

Here is a step-by-step walkthrough:

1) User browses to RP
2) RP sends page to browser with <object> element (magic happens in how RP knows to send tag :-)
3) Browser looks at <object> element, determines it is an OpenID request, and POSTs request to OP configured by user
4) OP processes request as normal, sending redirected response back to RP
5) RP verifies request (some more magic on how RP sets up association to verify OP sent message)

Advantages:
+ As the RP is not responsible for redirecting the browser to the OP and Firefox is sending the user to the OP directly, the OP cannot be phished.
+ The RP has no knowledge of the OP until it
+ Easy for existing OPs to support (well, there are some other details to work out :-)
+ Paves the way for OpenID RPs to support InfoCard selectors to submit OpenID
+ Pretty simple to add to browser, easy for other browsers to support, no UX changes, and given the common design pattern that IE7 supports for CardSpace today, easier for IE to support

Disadvantages:
- Changes to OpenID spec, RPs, OPs

On 5-Apr-07, at 6:55 PM, Chris Messina wrote:

> On 4/5/07, Scott Kveton <[EMAIL PROTECTED]> wrote:
>
>> Is anybody out there interested in working on this? I'd love to get a
>> dialog going on the wiki about possible features, screen shots, etc. and then
>> start development on something like this. I think if we can get something
>> working Mozilla is more likely to want to integrate _that_ than to have to
>> figure out how to do it themselves.
>
> I would *love* to work on this.
>
> Let's do it here: http://www.socialtext.net/web2open/index.cgi?the_mashroom
>
> ...or at some other upcoming event...!
>
> ;)
>
> Chris
>
> --
> Chris Messina
> Citizen Provocateur &
> Open Source Ambassador-at-Large
> Work: http://citizenagency.com
> Blog: http://factoryjoe.com/blog
> Cell: 412 225-1051
> Skype: factoryjoe
> This email is: [ ] bloggable [X] ask first [ ] private
> _______________________________________________
> security mailing list
> [email protected]
> http://openid.net/mailman/listinfo/security
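As an added illustration of steps 2 and 3 of the walkthrough above (this is example code written for this page, not code from the proposal's author or from Firefox), the sketch below reads an OpenID request out of an <object> element and builds the POST to the user's pre-configured OP. The MIME type `application/x-openid-request`, the <param> names and the sample RP page are assumptions the proposal leaves open; the point it shows is that the destination comes only from browser configuration, so a URL the RP puts in the page is never used.

```javascript
// Added example (not from the proposal's author): browser-side sketch of
// steps 2-3 above. The <object> MIME type and the <param> names are assumed.
const OPENID_OBJECT_TYPE = 'application/x-openid-request'; // assumed marker

// Constructed RP page. The RP also supplies a data= URL; a browser following
// the proposal never uses it as the destination of the request.
const SAMPLE_RP_PAGE = `
<html><body>
<object type="application/x-openid-request" data="https://phish.example/op">
  <param name="openid.mode" value="checkid_setup">
  <param name="openid.identity" value="https://alice.example.org/">
  <param name="openid.return_to" value="https://rp.example.com/finish">
  <param name="openid.trust_root" value="https://rp.example.com/">
</object>
</body></html>`;

// Step 3a: find an <object> that is an OpenID request and read its params.
function parseOpenIdObject(html) {
  const objRe = /<object\b([^>]*)>([\s\S]*?)<\/object>/gi;
  let m;
  while ((m = objRe.exec(html)) !== null) {
    const type = /\btype\s*=\s*"([^"]*)"/i.exec(m[1]);
    if (!type || type[1] !== OPENID_OBJECT_TYPE) continue;
    const params = {};
    const paramRe = /<param\b[^>]*\bname\s*=\s*"([^"]*)"[^>]*\bvalue\s*=\s*"([^"]*)"/gi;
    let p;
    while ((p = paramRe.exec(m[2])) !== null) params[p[1]] = p[2];
    return params;
  }
  return null; // no OpenID request on this page
}

// Step 3b: build the POST to the user's pre-configured OP. The destination
// comes only from browser configuration, so the RP cannot pick the OP.
function dispatchToOp(html, userConfiguredOp) {
  const params = parseOpenIdObject(html);
  if (!params || params['openid.mode'] !== 'checkid_setup') {
    throw new Error('page carries no OpenID checkid_setup request');
  }
  const body = new URLSearchParams();
  for (const [k, v] of Object.entries(params)) {
    if (k.startsWith('openid.')) body.set(k, v); // forward only openid.* fields
  }
  return { method: 'POST', url: userConfiguredOp, body: body.toString() };
}

// Example run: the request goes to the user's OP, not to the RP's data= URL.
const req = dispatchToOp(SAMPLE_RP_PAGE, 'https://op.example.net/server');
console.log(req.url, req.body);
```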
