On 10/04/2008, Brad Fitzpatrick <[EMAIL PROTECTED]> wrote:
> On Thu, Apr 10, 2008 at 12:40 AM, James Henstridge <[EMAIL PROTECTED]>
> wrote:
> >
> > On 10/04/2008, Vinay Gupta <[EMAIL PROTECTED]> wrote:
> > > I think that kind of misses the point. The *namespace* that google
> manages
> > > is now open for business as an OpenID provider. It's an unanticipated
> > > side-effect of the APIs.
> > >
> > > I think it's kind of a big deal, actually, in terms of how OpenID is
> right
> > > from an engineering perspective and how it can spread in unexpected
> ways. If
> > > only login were so easy.
> >
> > This service seems pretty much equivalent to Simon Willison's
> > idproxy.net service for Yahoo accounts.
> >
> > The big difference between this sort of service and actial OpenID
> > Provider support from Google/Yahoo is a matter of trust.
> >
> > With an OP run by Google, the user needs to trust Google.  With this
> > OP, the user needs to trust whoever is running the OP not to
> > impersonate them.  Given the lack of contact information, I'd be
> > hesitant to use identities managed by that service and would not
> > recommend others rely on it.
> James,
> openid-provider.appspot.com was written by a Google engineer, Ryan Barrett,
> who also did most the work (including all the initial work) on Blogger's
> OpenID support:
> References:
> http://appgallery.appspot.com/about_app?app_id=agphcHBnYWxsZXJ5chMLEgxBcHBsaWNhdGlvbnMYrwIM
> http://snarfed.org/space/2008-04-07_google_app_engine_launched
> http://snarfed.org/space/2007-12-02_openid_comments_in_blogger

Okay.  It wasn't clear who was running the service just by looking at
the URL originally posted.

> Further, App Engine apps don't process user credentials directly.  They go
> through an OpenID-like auth process with Google, who actually processes the
> email/password and tells the App Engine app that somebody logged in, at what
> email.  You can verify this yourself by looking at the form targets and HTTP
> traffic.  See:
> http://code.google.com/appengine/docs/users/
> So I'd say you can pretty much trust an openid-provider.a.com assertion that
> the person has a Google account.   But like others have said, it's not an
> official Google product.

I realise that Google's authsub service doesn't reveal a user's email
+ password to the relying site (in this case
openid-provider.appspot.com).  If you are using an OpenID provider
that I control, you are trusting me not to add a backdoor that lets me
authenticate to RPs as your identity URL.  And given the way OpenID
works, I'd have a pretty good idea of which RPs to go after.

Based on the info in the links you provided it is probably safe to
trust the site not to do these things, but it is not clear from the
information on that site alone.

specs mailing list

Reply via email to