Nice to meet you. The controversial phishing issue may be resolved by the following mechanism. With a prescribed mark embedded in a page (like RSS), a Relaying Party (RP) notifies the user and browser that they may be authenticated by OpenID. The user always types in a URI, along with his ID and password, on the same page of an OpenID Provider (OP). The URI points to a page on the RP site, and is expected to be automatically entered by implementing a login button or the like in the browser (until then, it has to be bookmarked or manually entered). The OP provides the browser with user-identifiable information (such as cookies). It also informs the RP site that the user has been authenticated, and transfers to it the ID, registered date/time, and identifiable information. Because the uniqueness of the ID may be merely guaranteed on the OP site, the ID entered by the user (local ID) may differ from that announced globally (global ID) (to cope with spam attacks). To log in, the user does not have to remember or type in his global ID. The temporal-based uniqueness of the ID can be assured by a domain owner who keeps tabs on the date and time when the user starts the authentication service. This allows for reuse of limited resources, while ensuring the singularity.
Old browser(manual): 1. User -> RP request page 2. User <- RP return page including OpenID mark 3. User -> OP request login page 4. User <- OP return login page 5. User -> OP request jump page with local ID, password, URI 6. OP -> RP notify authorization with global ID, date, cookie 7. User <- OP return jump page including cookie 8. User -> RP request customized page with cookie 9. User <- RP return customized page New browser(automatic): 1. User -> RP request page 2. User <- RP return page including OpenID mark 3. User -> OP request login page with URI 4. User <- OP return login page including URI(hidden) 5. User -> OP request jump page with local ID, password 6. OP -> RP notify authorization with global ID, date, cookie 7. User <- OP return jump page including cookie 8. User -> RP request customized page with cookie 9. User <- RP return customized page The original text was written in non-English. Mr. 159 translated it almost. His work is excellent than mine. The poor sentence is my work:-P Please forgive pooh English. Thank you. _______________________________________________ security mailing list [email protected] http://openid.net/mailman/listinfo/security
